OPNsense Forum

English Forums => General Discussion => Topic started by: vt220 on May 15, 2020, 08:58:15 AM

Title: Very strange firewall problem on WAN interface
Post by: vt220 on May 15, 2020, 08:58:15 AM
Hi guys,

I have a very strange situation, probably with firewalling, and I'm really stuck.

I wanted to setup an IPSec or Wireguard VPN.
So as usual I open the ports on the WAN interface, for IPsec GRE, 500, 4500 and so on.
Source any to WAN interface and so on.
On the WAN side I use a cable modem configured in bridge mode, native IPv4 is available, OPNsense is getting a public IPv4. Vodafone Germany as the cable provider does not do any firewalling if the modem is in bridge mode (according to various sources). The modem is not in router mode or something like that.

What I've additionally tried:

1. Disabled Bogon and private Networks in WAN interface -> no impact
2. Created a rule for test purposes. Allow from any to any on WAN interface -> no impact
3. Watched the firewall output live log while trying to access from outside. No log entry appears on the firewall, not even an entry filtered/blocked. Just nothing. When I ping the OPNsense from outside I get at least an ICMP block in the firewall log.

So if I assume the OPNsense firewall is not correctly configured I should at least get an entry in the firewall log, when trying to access ports 500 or 4500 from outside. I then scanned from outside with nmap the ports 500 and 4500. nmap reports that the ports are filtered.

So there are only two possible scenarios. Vodafone or their modem is still filtering, so nothing reaches the OPNsense, or there's something wrong with the OPNsense firewall.

Any ideas or hints? I had the same problem when trying to set up WireGuard :(
Title: Re: Very strange firewall problem on WAN interface
Post by: chemlud on May 15, 2020, 09:06:39 AM
Vodafone (unitymedia) is notorious for carrier-grade NAT, you don't get "real" internet, but only some kind of http/https etc.

It's a pain...
Title: Re: Very strange firewall problem on WAN interface
Post by: vt220 on May 15, 2020, 12:38:25 PM
Hi,

thanks for the reply. So although I get a real IPv4 they are NATting?
I always thought DS-Lite (= carrier-grade NAT?) would give you a non-routable IPv4 address? So as I have a "public" IPv4 address, there should not be a problem, or am I mistaken about something?
Title: Re: Very strange firewall problem on WAN interface
Post by: Maurice on May 15, 2020, 03:29:01 PM
Quote from: vt220 on May 15, 2020, 08:58:15 AM
So there are only two possible scenarios. Vodafone or their modem is still filtering, so nothing reaches the OPNsense, or there's something wrong with the OPNsense firewall.

Do a packet capture on the OPNsense WAN interface. If you don't see the packets there, it's not an OPNsense issue.
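As an added illustration (not code from the thread or from OPNsense) of the two points above, vt220's question whether a "public"-looking WAN address rules out carrier-grade NAT and Maurice's packet-capture test: a small Python script that classifies the WAN address against the RFC 6598 shared range and combines the result with whether a WAN capture showed the inbound IKE/WireGuard packets. All addresses are constructed sample values.

```python
import ipaddress

# RFC 6598 shared address space used by ISPs for carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Classify the WAN address OPNsense holds.

    wan_ip:      the IPv4 address shown on the OPNsense WAN interface
    observed_ip: the source address an external host sees for you
                 (e.g. in the remote VPN peer's log or a "what is my IP" page)
    Returns: 'cgnat', 'private-nat', 'public-nat' or 'public-direct'.
    """
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)
    if wan in CGNAT_RANGE:
        return "cgnat"          # ISP translates you; inbound connections cannot reach you
    if wan.is_private:
        return "private-nat"    # modem or upstream device is still routing/NATing
    if wan != observed:
        return "public-nat"     # routable address, but still translated somewhere upstream
    return "public-direct"      # the address you hold is the one the world sees


def locate_drop(wan_ip: str, observed_ip: str, capture_saw_packets: bool) -> str:
    """Combine the address check with the WAN packet-capture test.

    capture_saw_packets: True if a capture on the WAN interface (for example
    tcpdump filtering UDP 500/4500 or the WireGuard port) showed the inbound
    packets while the remote side was trying to connect.
    """
    kind = classify_wan(wan_ip, observed_ip)
    if kind != "public-direct":
        return "upstream-nat"       # nothing inbound can arrive; fix the NAT, not pf
    if not capture_saw_packets:
        return "upstream-filter"    # address is really yours, but packets never reach WAN
    return "local-firewall"         # packets hit WAN, so OPNsense rules/logging need a look


if __name__ == "__main__":
    # Constructed sample: public address, matches what the outside sees,
    # but the capture showed nothing -> the drop is upstream, not in OPNsense.
    print(locate_drop("81.10.20.30", "81.10.20.30", capture_saw_packets=False))
```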
Title: Re: Very strange firewall problem on WAN interface
Post by: chemlud on May 15, 2020, 04:56:23 PM
Quote: The IPv4 address assigned to you exists practically 50 times over. So the VPN server would not know where it would have to send its data,

https://community.unitymedia.de/categories/internet/article/einrichtung-eines-vpns