OPNsense
  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • WAN Interface Blocking All Inbound Traffic/Connections
Author Topic: WAN Interface Blocking All Inbound Traffic/Connections  (Read 5259 times)

magnum80

WAN Interface Blocking All Inbound Traffic/Connections
« on: August 08, 2018, 06:24:05 am »
All,

I recently set up an OPNsense version 18.7 firewall VM using an ISO file in VMware Workstation Pro 14. My firewall just has the WAN and LAN interfaces.

On the WAN network, I have a Windows XP VM connected.  On the LAN network, I have a Windows XP VM and an Ubuntu desktop VM.  I'm using a full class C IP address range for both networks.

To do some basic testing, I disabled Outbound NAT on the WAN interface. I also created an ANY ANY ANY rule for the WAN interface, i.e., ANY source IP to ANY destination IP for ANY protocol, ALLOW.

From my VMs on the LAN, I can ping and traceroute to the Windows XP VM on the WAN network successfully.

However, even with the ANY/ANY/ANY ALLOW rule on the WAN interface, from the VM on the WAN network, I cannot ping or traceroute to the two VMs on the LAN network.

Any help or ideas would be appreciated.

Thanks.
Ron

marjohn56

Re: WAN Interface Blocking All Inbound Traffic/Connections
« Reply #1 on: August 08, 2018, 08:03:19 am »
You cannot do that with IPv4; the packets from the WAN need to be routed. You can do something like that with global IPv6 addresses.

The inbound WAN packet would need to be NATed to the LAN address. If you want to be able to ping any IPv4 address on your LAN from the WAN side, you would be best served by setting up a VPN link, thus creating a tunnel to the LAN network.

To ping an internal LAN machine from the WAN, you would create a NAT rule that allowed ICMP ping packets to be NATed to VM machine A on your LAN, but the ping target for the VM machine on the WAN would be the WAN address of the firewall, NOT the LAN machine A address. You would not be able to add another ICMP ping port forward to machine B, as the port in question is already being sent to machine A.

Edit: If you are trying to use OPNsense without NAT, then read this thread:

https://forum.opnsense.org/index.php?topic=8778.0
« Last Edit: August 08, 2018, 05:19:25 pm by marjohn56 »
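The behaviour marjohn56 describes (an ICMP port forward has to target the firewall's WAN address, and a second ICMP forward to another LAN host is shadowed by the first) can be made concrete with a small model of how pf, the packet filter underneath OPNsense, processes a packet arriving on WAN: the rdr (port-forward) step runs first, then the filter rules in order with first match winning. The model below is example code added to this thread, not OPNsense's or pf's own code. It assumes constructed private /24 networks on both sides, like the original setup, and it also models one check worth making in a lab like this that the thread does not mention: OPNsense's WAN interface has "Block private networks" ticked by default, and the block rule it generates is evaluated ahead of user rules, so a WAN host on an RFC 1918 address is dropped before an any/any/any pass rule is ever reached.

```python
"""Toy model of pf's WAN-inbound processing in OPNsense: NAT (rdr) first,
then filter rules in order.  Example code written for this thread; the
addressing below is constructed and is not from the original posts."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed lab addressing, modelled on the thread: a private /24 on each side.
FW_WAN = ip_address("192.168.1.1")     # firewall's WAN address (assumed)
WAN_HOST = ip_address("192.168.1.50")  # Windows XP VM on the WAN side (assumed)
LAN_A = ip_address("192.168.2.10")     # "machine A" on the LAN (assumed)
LAN_B = ip_address("192.168.2.11")     # "machine B" on the LAN (assumed)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str  # "icmp", "tcp" or "udp"


@dataclass(frozen=True)
class Rdr:
    """Port forward: `proto` traffic addressed to `dst` is rewritten to `target`."""
    proto: str
    dst: IPv4Address
    target: IPv4Address


@dataclass(frozen=True)
class Filter:
    action: str                  # "pass" or "block"
    proto: str                   # "any" or a protocol name
    src: Optional[IPv4Network]   # None means any source
    dst: Optional[IPv4Network]   # None means any destination
    note: str


def apply_rdr(pkt: Packet, rdrs: list) -> Packet:
    # pf uses the first matching rdr rule; a later rdr for the same
    # destination and protocol is never consulted.
    for r in rdrs:
        if r.proto == pkt.proto and r.dst == pkt.dst:
            return replace(pkt, dst=r.target)
    return pkt


def filter_verdict(pkt: Packet, rules: list) -> tuple:
    # OPNsense rules are "quick": the first matching rule decides.
    # Nothing matching means the default deny applies.
    for rule in rules:
        if rule.proto not in ("any", pkt.proto):
            continue
        if rule.src is not None and pkt.src not in rule.src:
            continue
        if rule.dst is not None and pkt.dst not in rule.dst:
            continue
        return rule.action, rule.note
    return "block", "default deny"


def wan_inbound(pkt: Packet, rdrs: list, rules: list) -> tuple:
    """Return (verdict, reason, final destination) for a packet entering on WAN."""
    translated = apply_rdr(pkt, rdrs)
    verdict, reason = filter_verdict(translated, rules)
    return verdict, reason, translated.dst


# Rule OPNsense generates ahead of user rules while "Block private networks"
# is ticked on WAN (the default).
BLOCK_PRIVATE = [Filter("block", "any", n, None, "WAN: block private networks") for n in RFC1918]
# The any/any/any pass rule from the first post.
PASS_ANY = Filter("pass", "any", None, None, "WAN: user rule pass any")

ICMP_TO_A = Rdr("icmp", FW_WAN, LAN_A)
ICMP_TO_B = Rdr("icmp", FW_WAN, LAN_B)  # second ICMP forward, shadowed by the first


def scenarios() -> dict:
    ping_fw = Packet(WAN_HOST, FW_WAN, "icmp")  # WAN host pings the firewall's WAN address
    return {
        # 1. default WAN option still on: the pass-any rule is never reached
        "private_blocked": wan_inbound(ping_fw, [ICMP_TO_A], BLOCK_PRIVATE + [PASS_ANY]),
        # 2. option disabled for the lab: the ping lands on machine A
        "forwarded_to_A": wan_inbound(ping_fw, [ICMP_TO_A], [PASS_ANY]),
        # 3. a second ICMP forward for machine B never matches; A still gets it
        "B_shadowed": wan_inbound(ping_fw, [ICMP_TO_A, ICMP_TO_B], [PASS_ANY]),
    }


if __name__ == "__main__":
    for name, (verdict, reason, final_dst) in scenarios().items():
        print(f"{name}: {verdict} ({reason}) -> {final_dst}")
```

The real firewall can be checked the same way: Firewall > Log Files > Live View shows which rule matched a dropped WAN packet, and disabling "Block private networks" on Interfaces > WAN is what makes a private-addressed WAN test host reach the user rules at all.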

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved