OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: tony124 on August 07, 2020, 05:26:01 PM

Title: Added a static route to another host in LAN, traffic gets blocked by firewall
Post by: tony124 on August 07, 2020, 05:26:01 PM
Hello,

I have a very simple OPNsense setup with 1 iface WAN and 1 iface LAN 192.168.30.1/24. I have done just minimal configuration to get it working (= setting IPs, networks, DNS).

Now I am trying to achieve this: I would like to reroute packets to net 192.168.40.0/24 to another host in LAN, IP = 192.168.30.5

I did the following:
- add a gateway int_router = 192.168.30.5, iface LAN
- add a route 192.168.40.0/24 -> int_router

However I get stuck at this point: packets w/ dest = 192.168.40.0/24 are blocked by the automatically generated rule "Default deny rule".

It seems there is already a default rule on LAN iface: "Default allow LAN to any rule", but this rule doesn't work as expected.

I also tried to add a floating rule which allows traffic on LAN iface, both in/out direction, but it doesn't work either.


Any hint on what I can try?

Regards,
Tony
Title: Re: Added a static route to another host in LAN, traffic gets blocked by firewall
Post by: Fright on August 07, 2020, 07:59:35 PM
"w/ dest = 192.168.40.0/24 are blocked by the automatically generated rule "Default deny rule""
w/ dest or from?
"Default allow LAN to any rule" refers to traffic from LAN subnet, not anything arriving on LAN interface.
Add firewall LAN rule to allow traffic from 192.168.40/24 subnet to LAN subnet.
Title: Re: Added a static route to another host in LAN, traffic gets blocked by firewall
Post by: tony124 on August 07, 2020, 10:38:41 PM
Quote
"w/ dest = 192.168.40.0/24 are blocked by the automatically generated rule "Default deny rule""
w/ dest or from?

dest = 192.168.40.0/24, which is another private net but not the same as net on LAN (= 192.168.30.0/24)

Quote
"Default allow LAN to any rule" refers to traffic from LAN subnet, not anything arriving on LAN interface.
Add firewall LAN rule to allow traffic from 192.168.40/24 subnet to LAN subnet.

Yes, I also added a rule on iface LAN to allow everything from LAN iface, but it didn't seem to get triggered. Same for the floating rule which allows all traffic in/out on iface LAN.

Traffic from LAN to WAN triggers the rule "Default allow LAN to any rule", but traffic to net 192.168.40.0/24 (which is LAN to LAN) doesn't seem to trigger that rule. Nor the 2 rules I added.

Perhaps the static route I added 192.168.40.0/24 -> int_router causes something so that the rules no longer apply to packets to net 192.168.40.0/24.

Title: Re: Added a static route to another host in LAN, traffic gets blocked by firewall
Post by: Fright on August 08, 2020, 06:49:40 AM
Quote from: tony124 on August 07, 2020, 10:38:41 PM
dest = 192.168.40.0/24, which is another private net but not the same as net on LAN (= 192.168.30.0/24)
I understood that. What packets dropped? TO .40/24 subnet or FROM .40/24 subnet?

"I also added a rule on iface LAN to allow everything from LAN"
Source: what is the source of the packets you want to allow? Default rules allow "everything" for "LAN net", i.e. the local subnet for the LAN interface. The fw has no idea about the .40/24 subnet.

And the second question is State: how will packets from .40/24 be routed to .30/24? If the 192.168.30.5 router sends packets to the destination directly, the fw will see only packets from .30/24 to .40/24 and not from .40/24 to .30/24. TCP states will be broken.
Title: Re: Added a static route to another host in LAN, traffic gets blocked by firewall
Post by: tony124 on August 10, 2020, 03:46:53 PM
If someone had the same problem as I did, the solution is:

Firewall-Settings/Advanced/Static route filtering

check "Bypass firewall rules for traffic on the same interface"
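To make the two points in this thread concrete (Fright's note that "Default allow LAN to any" matches on source LAN subnet, not on the arrival interface, and that a gateway on the same interface produces asymmetric traffic that breaks TCP states; and the fix of bypassing the filter for same-interface traffic), here is an added toy model of a stateful packet filter. It is example code written for this page, not OPNsense or pf code, and it simplifies the real state machine: a flow is tracked after its SYN, a SYN-ACK from the other side is required before later packets are accepted, and the "bypass firewall rules for traffic on the same interface" setting is modelled as passing such packets without creating state. The hosts 192.168.30.10, 192.168.40.20 and 203.0.113.7 are constructed.

```python
"""Toy stateful packet filter: why a static route whose gateway sits on the
same LAN as the clients breaks TCP state tracking, and what the
same-interface bypass changes. Constructed example, not OPNsense/pf code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology matching the thread: LAN is 192.168.30.0/24 and the
# 192.168.40.0/24 network sits behind the internal router 192.168.30.5 on LAN.
LAN_NET = ip_network("192.168.30.0/24")
BEHIND_ROUTER = ip_network("192.168.40.0/24")
ANY = ip_network("0.0.0.0/0")

# Models the automatic "Default allow LAN to any" rule: (iface, source net, dest net).
DEFAULT_LAN_RULES = [("lan", LAN_NET, ANY)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str     # TCP flags as a string: "S", "SA" or "A"
    iface_in: str  # interface on which the firewall receives the packet


def egress_iface(dst: str) -> str:
    """Route lookup: LAN_NET is directly connected and the static route to
    BEHIND_ROUTER also leaves via LAN (gateway 192.168.30.5); rest goes to WAN."""
    addr = ip_address(dst)
    return "lan" if addr in LAN_NET or addr in BEHIND_ROUTER else "wan"


class ToyFirewall:
    def __init__(self, rules, bypass_same_iface=False):
        self.rules = rules
        self.bypass_same_iface = bypass_same_iface
        self.states = {}  # frozenset({a, b}) -> {"initiator": ip, "stage": str}

    def rule_allows(self, pkt: Packet) -> bool:
        """Rules match on source and destination networks, not on arrival only."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        return any(pkt.iface_in == iface and src in s_net and dst in d_net
                   for iface, s_net, d_net in self.rules)

    def filter(self, pkt: Packet) -> str:
        # Same-interface bypass: routed traffic that enters and leaves on the
        # same interface skips the rules and keeps no state.
        if self.bypass_same_iface and pkt.iface_in == egress_iface(pkt.dst):
            return "pass (same-interface bypass, no state)"
        key = frozenset({pkt.src, pkt.dst})
        state = self.states.get(key)
        if state is None:
            if pkt.flags == "S" and self.rule_allows(pkt):
                self.states[key] = {"initiator": pkt.src, "stage": "SYN_SENT"}
                return "pass (new state)"
            return "drop (default deny)"
        if state["stage"] == "SYN_SENT":
            if pkt.flags == "SA" and pkt.src != state["initiator"]:
                state["stage"] = "ESTABLISHED"
                return "pass (state)"
            # The filter never saw the SYN-ACK, so this packet is out of sequence.
            return "drop (out of state)"
        return "pass (state)"


def lan_to_wan():
    """Symmetric path: both directions of the handshake cross the firewall."""
    fw = ToyFirewall(DEFAULT_LAN_RULES)
    return [fw.filter(p) for p in (
        Packet("192.168.30.10", "203.0.113.7", "S", "lan"),
        Packet("203.0.113.7", "192.168.30.10", "SA", "wan"),
        Packet("192.168.30.10", "203.0.113.7", "A", "lan"),
    )]


def lan_to_routed_net(bypass: bool):
    """Asymmetric path: 192.168.30.5 delivers the SYN-ACK straight to the
    client on the same LAN, so the firewall only sees the client's packets."""
    fw = ToyFirewall(DEFAULT_LAN_RULES, bypass_same_iface=bypass)
    return [fw.filter(p) for p in (
        Packet("192.168.30.10", "192.168.40.20", "S", "lan"),
        # SYN-ACK 192.168.40.20 -> 192.168.30.10 bypasses the firewall entirely.
        Packet("192.168.30.10", "192.168.40.20", "A", "lan"),
    )]


def routed_net_to_lan(extra_rule: bool):
    """A SYN sourced from 192.168.40.0/24 arrives on LAN: the default rule
    matches only sources inside LAN net, so it needs a rule of its own."""
    rules = DEFAULT_LAN_RULES + ([("lan", BEHIND_ROUTER, LAN_NET)] if extra_rule else [])
    return ToyFirewall(rules).filter(Packet("192.168.40.20", "192.168.30.10", "S", "lan"))


if __name__ == "__main__":
    print("LAN -> WAN:", lan_to_wan())
    print("LAN -> routed net, no bypass:", lan_to_routed_net(False))
    print("LAN -> routed net, bypass:", lan_to_routed_net(True))
    print("routed net -> LAN, default rules:", routed_net_to_lan(False))
    print("routed net -> LAN, extra rule:", routed_net_to_lan(True))
```

Without the bypass, the client's SYN is passed and a state is created, but its ACK is dropped because the SYN-ACK never crossed the firewall; with the bypass, same-interface traffic is passed without state tracking, which is what the "Static route filtering" setting achieves on the real system. The last two calls show Fright's first point: a packet from 192.168.40.0/24 arriving on LAN is not covered by "Default allow LAN to any" and needs an explicit rule.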