OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: smema79 on February 09, 2021, 07:21:45 am

Title: New vlan, problems to reach firewall services
Post by: smema79 on February 09, 2021, 07:21:45 am
Hi everyone. I've been using opnsense for several years and have never had any problems except now that I'm trying to add a new network.

Premise. The configuration currently active is as follows:

Wan
Lan
Dmz1 (with vlan on card1)
Dmz2 (with vlan2 on card1)

The rules work properly, that is, if I contact any ports not allowed I receive the evidence in the log.

I added a new vlan on the same interface where the other two are (card1) and configured the new opnsense interface and subnet as usual.

Already without rules I noticed something strange: by default it should block and log new traffic generated by this subnet, but in the log I didn't see anything.
So I tried to put a single general blocking rule on any with log and I tried to test the reachability of some firewall ports to check the log.

Towards the firewall:
I get the log only of dropped if I try the port 53

To the outside
I normally receive the log of dropped on ports I tried.

Why do you think this happens?

Of course the ports on the firewall do not answer also if I add a permit before the drop.


Thanks

Regards

Sent from my SM-A415F using Tapatalk

Title: Re: New vlan, problems to reach firewall services
Post by: smema79 on February 09, 2021, 07:49:26 am
I make a point. The problem of non reachability of the ports I have only towards the firewall also if I open the permit in top.

Thanks

Sent from my SM-A415F using Tapatalk

Title: Re: New vlan, problems to reach firewall services
Post by: Gauss23 on February 09, 2021, 08:42:34 am
Any floating rules?
Title: Re: New vlan, problems to reach firewall services
Post by: smema79 on February 09, 2021, 12:31:08 pm
Thanks for the reply.
There are floating rules generated in auto by the system and only 2 generated by me for CARP and PFSYNC. (attached)

I attach also the actual rules for that subnet.

The strange thing is that if I request a test on port 53 of the firewall, I receive correctly the result in the log as dropped. If I request other ports such as 443, 80, XXX (always to the firewall)... nothing.
Yes, they may be in the intermediate rules that actually block traffic to the firewall without logging but where they are I do not know.

Thanks again.
Stefano
Title: Re: New vlan, problems to reach firewall services
Post by: Gauss23 on February 09, 2021, 12:51:05 pm
Is this an HA setup? Because you have some CARP rules in place.

Just to be sure, you have VLANs configured. Are your switches VLAN capable and the ports are configured in the correct way? Don't know why only traffic to port 53 is reaching the box. Are the clients able to get a DHCP IP of your OPNsense? Maybe you have something weird enabled on your switch? Unifi switches for example can be configured with port isolation and you need to tell those switches the IP of the gateway because the gateway is the only allowed connection.
Title: Re: New vlan, problems to reach firewall services
Post by: smema79 on February 09, 2021, 12:59:17 pm
Yes, the system is in HA mode but DHCP is delivering as gateway and DNS the IP of firewall 1 (no CARP VIP), where I'm checking the logs.
If I open traffic to internet is ok, and log warn if I test dropped ports to internet.

So the issue is only to reach firewall services.
Title: Re: New vlan, problems to reach firewall services
Post by: smema79 on February 09, 2021, 02:09:01 pm
You reminded me one thing but I will only be able to test later.
This Network is only served in wi-fi mode and the SSID is in isolation mode.

I wouldn't want the antennas to allow only certain types of ports other than just gateway viewing.

I will update you. Thanks
Title: Re: New vlan, problems to reach firewall services
Post by: smema79 on February 09, 2021, 10:33:01 pm
Yes, the issue was generated by SSID isolation Guest.

Sent from my SM-A415F using Tapatalk
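The diagnostic signal in this thread was that drops aimed at the firewall itself were logged only for port 53 while probes to 80/443 left no trace, which pointed upstream (client isolation on the SSID) rather than at the ruleset. An added example, not from the thread or from OPNsense, that turns that check into code: it parses filterlog lines (the comma-separated pf filterlog layout is assumed; sample lines, interface name and addresses are constructed) and reports which probed ports never produced a block entry.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample filterlog lines (not from the thread). Field layout is
# assumed from the pf filterlog CSV format used by OPNsense:
# rulenr,subrulenr,anchor,label,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,protonum,proto,length,src,dst,srcport,dstport,datalen,...
SAMPLE_LOG = """\
77,,,0,vlan0.30,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.30.10,192.168.30.1,51000,53,40
77,,,0,vlan0.30,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.30.11,192.168.30.1,51001,53,40
77,,,0,vlan0.30,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.30.10,93.184.216.34,51002,443,0,S,1,,65535,,mss
77,,,0,vlan0.30,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.30.10,8.8.8.8,51003,80,0,S,2,,65535,,mss
"""

FIELDS = ["rulenr", "subrulenr", "anchor", "label", "iface", "reason",
          "action", "dir", "ipver", "tos", "ecn", "ttl", "id", "offset",
          "flags", "protonum", "proto", "length", "src", "dst",
          "srcport", "dstport"]

def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one IPv4 tcp/udp filterlog line, else {}."""
    parts = line.strip().split(",")
    if len(parts) < len(FIELDS) or parts[8] != "4" or parts[16] not in ("tcp", "udp"):
        return {}
    return dict(zip(FIELDS, parts))

def blocked_ports_by_destination(lines: Iterable[str], firewall_ips: Set[str]) -> Dict[str, Counter]:
    """Count logged 'block in' events per (proto, dst port), split into traffic
    aimed at the firewall itself versus traffic being forwarded elsewhere."""
    result: Dict[str, Counter] = {"firewall": Counter(), "forwarded": Counter()}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["action"] != "block" or rec["dir"] != "in":
            continue
        bucket = "firewall" if rec["dst"] in firewall_ips else "forwarded"
        result[bucket][(rec["proto"], int(rec["dstport"]))] += 1
    return result

def missing_expected_ports(counts: Counter, expected: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Probed ports with no block entry at all: if the probe was really sent,
    the packet never reached pf (e.g. dropped by client isolation upstream)."""
    return sorted(p for p in expected if p not in counts)

if __name__ == "__main__":
    stats = blocked_ports_by_destination(SAMPLE_LOG.splitlines(), {"192.168.30.1"})
    probed = [("udp", 53), ("tcp", 80), ("tcp", 443)]
    print("to firewall:", dict(stats["firewall"]))
    print("never logged:", missing_expected_ports(stats["firewall"], probed))
```

Run it against the real log export for the new VLAN's interface; ports that were probed but appear in neither bucket never arrived at the firewall, so the next thing to check is the switch or access point, not the rules.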