Hi everyone,
I have to admit, I did the worst thing someone can do: I upgraded to the latest version. Jokes aside, I have been messing around with the configs for about 10 hours and I am getting really frustrated with this issue.
In short, my setup: all of my firewalls are OPNsense firewalls, and this config was working with version 20.1.9.
Internet -> FW01 -> DMZ (172.16.0.0/16) -> FW02 -> Internal network (192.168.123.0/24)
FW01 is NATing to the Internet and has several port forwarding rules in place.
The DMZ has several services running (more on this later).
FW02 is simply routing the traffic (no NAT/double NAT).
If I try to reach example.com from the Internet, everything works as expected.
If I do the same from the DMZ, it still works (reflection seems to work).
But if I am in the internal network, it fails with the message "connection timeout".
Internet access in general (from internal through the DMZ directly to the Internet) works fine.
Now, if I do a traceroute from the internal network to example.com, I see the following:
1. fw02
2. example.com (or the external ip of my FW01)
If I do the same from the DMZ, I only see the external IP of my FW01 (or the domain name if I resolve it).
Does anyone have an idea how I can solve this issue?
Thanks a lot.
Pecadis
So from what I can see, it seems to be a combination of routing and reflection.
1. If I turn off reflection, I get the internal OPNsense web interface from the internal network.
2. If reflection is turned ON, nothing really happens except a timeout.
I am unfortunately not that fluent with Wireshark, but it looks like the traffic is being redirected the wrong way.
192.168.123.8 is my internal server
172.16.2.10 is my DNS server
172.16.0.1 is a floating IP, directing to my load balancer
172.16.0.6 is actually my load balancer
The DNS resolution works fine (in blue), but it goes down from there.
No. Time Source Destination Protocol Length Info
167 1.342302 192.168.123.8 172.16.2.10 DNS 70 Standard query 0x93fa A example.com
168 1.342324 192.168.123.8 172.16.2.10 DNS 70 Standard query 0x2c56 AAAA example.com
169 1.344532 172.16.2.10 192.168.123.8 DNS 86 Standard query response 0x93fa A example.com A external.ip
170 1.347313 172.16.2.10 192.168.123.8 DNS 135 Standard query response 0x2c56 AAAA example.com SOA ns1.core-networks.de
171 1.347869 192.168.123.8 external.ip TCP 74 54302 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2410584100 TSecr=0 WS=128
172 1.348437 172.16.0.1 192.168.123.8 TCP 74 80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3548122877 TSecr=2410584100 WS=128
177 1.699807 172.16.0.6 192.168.123.8 TCP 74 57688 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=139042813 TSecr=0 WS=128
178 1.700173 192.168.123.8 172.16.0.6 TCP 74 443 → 57688 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3210445962 TSecr=139035692 WS=128
179 1.757788 192.168.123.8 172.16.0.6 TCP 74 443 → 57640 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3210446019 TSecr=139019221 WS=128
203 2.365703 192.168.123.8 external.ip TCP 74 [TCP Retransmission] 54302 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2410585118 TSecr=0 WS=128
204 2.366227 172.16.0.1 192.168.123.8 TCP 74 [TCP Retransmission] 80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3548123895 TSecr=2410584100 WS=128
Help would be much appreciated ._.
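An added diagnostic (my own example, not code from the original post or from OPNsense): it parses summary lines copied from Wireshark, like the ones above, and flags every handshake whose SYN/ACK comes back from a different address than the one the SYN was sent to. That is the pattern in frames 171/172 (SYN to external.ip, SYN/ACK from 172.16.0.1): the client's stack has no socket for that peer, drops the SYN/ACK, and keeps retransmitting until it times out. The sample lines are constructed from the capture in the post, with "external.ip" standing for FW01's public address as in the post.

```python
import re

# Constructed sample: the TCP frames from the Wireshark summary quoted in the post.
# "external.ip" stands for FW01's public address, as in the post.
CAPTURE = """\
171 1.347869 192.168.123.8 external.ip TCP 74 54302 → 80 [SYN] Seq=0 Win=64240 Len=0
172 1.348437 172.16.0.1 192.168.123.8 TCP 74 80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
177 1.699807 172.16.0.6 192.168.123.8 TCP 74 57688 → 443 [SYN] Seq=0 Win=64240 Len=0
178 1.700173 192.168.123.8 172.16.0.6 TCP 74 443 → 57688 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
203 2.365703 192.168.123.8 external.ip TCP 74 [TCP Retransmission] 54302 → 80 [SYN] Seq=0
204 2.366227 172.16.0.1 192.168.123.8 TCP 74 [TCP Retransmission] 80 → 54302 [SYN, ACK] Seq=0
"""

# Matches the summary columns Wireshark prints: No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP Retransmission\]\s+)?(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


def parse_frames(text):
    """Turn copied summary lines into dicts; non-TCP or unparseable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
            f["flags"] = {flag.strip() for flag in f["flags"].split(",")}
            frames.append(f)
    return frames


def find_asymmetric_replies(frames):
    """Return (client_port, syn_dst, synack_src) for each handshake whose SYN/ACK came
    back from an address other than the one the SYN was sent to (asymmetric return)."""
    syn_dst = {}
    for f in frames:
        if f["flags"] == {"SYN"}:
            syn_dst[(f["src"], f["sport"], f["dport"])] = f["dst"]
    findings = []
    for f in frames:
        if f["flags"] == {"SYN", "ACK"}:
            key = (f["dst"], f["dport"], f["sport"])  # the matching SYN's (src, sport, dport)
            if key in syn_dst and syn_dst[key] != f["src"]:
                finding = (key[1], syn_dst[key], f["src"])
                if finding not in findings:  # collapse retransmissions into one finding
                    findings.append(finding)
    return findings
```

A clean handshake such as frames 177/178 produces no finding; a mismatch means the reply bypassed the firewall that translated the SYN, which is what a missing outbound NAT rule for a network behind a second firewall looks like on the wire.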
In case someone is getting the same issue: the solution was to RTFM.
In short, the note on https://wiki.opnsense.org/manual/nat.html regarding NAT reflection was the clue which was missing.
Quote: "The NAT rules generated with enabling NAT reflection only include networks directly connected to your Firewall. This means if you have a private network separated from your LAN you need to add this with a manual outbound NAT rule."
I am wondering why it was working fine before, but anyway, after adding the outbound NAT rule, everything worked fine again. The rule was set to the DMZ interface and the Internet address.