Hi,
I have set the following rule on NTP on the WAN interface
WAN/NAT interface - 192.168.47.2 / 24
Firewall Interface - 192.168.1.21 / 24
(https://i.ibb.co/MGVWrGx/Rules.png)
and the rule seems to be working
(https://i.ibb.co/4Wwmm5T/NTP3.png)
However, no NTP information shows up in the dashboard.
(https://i.ibb.co/Dt5Qwtm/NTP1.png)
(https://i.ibb.co/z4NHv63/NTP2.png)
(https://i.ibb.co/vDkTpFL/NTP4.png)
Any thoughts on what is going on?
Thank you
I can confirm this is due to the Block rule taking effect, which has a schedule. I disabled the schedule and NTP works fine.
The question is why the Allow rule is not taking precedence over the Block rule, even though the Block rule comes after the Allow rule?
I suspect it is due to the OUT rules you have configured. You don't need those. Almost always you only need IN rules. The automatic floating rules handle allowing traffic out of OPNsense - which is why when you disable the block schedule, the floating rules then can operate
Truth be told, I also find your other rules confusing. I might just not understand your setup properly
Quote from: Greelan on April 01, 2021, 10:57:27 PM
I suspect it is due to the OUT rules you have configured. You don't need those. Almost always you only need IN rules. The automatic floating rules handle allowing traffic out of OPNsense - which is why when you disable the block schedule, the floating rules then can operate
Truth be told, I also find your other rules confusing. I might just not understand your setup properly
Thanks,
Currently I have set only 2 IN rules, 1 for NTP and the other for internet access for devices in the LAN. When I set 1 IN rule for NTP it works, but the devices behind the LAN are able to access the internet even with the schedule set?!
And when I set both IN and OUT rules, then devices behind the LAN do not get internet access, but NTP does not work.
I'm just testing which rules work and how.
It would be helpful to understand more about how your network is set up because I still don't really follow
You may also be confusing what IN means (not the first person). IN means coming into an interface on OPNsense from a source. So IN on the LAN interface means incoming from the LAN net. IN on WAN means incoming from (usually) the internet
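The direction semantics described above can be seen in a toy first-match filter model. This is an added illustration, not OPNsense or pf code, and it simplifies the real evaluation order: it assumes every rule is "quick" (first match wins), ignores NAT and the state table, and models the automatic floating outbound rules as a plain pass for traffic that no interface OUT rule matched. The LAN and WAN networks reuse the addresses from the thread; the client, the NTP server address and the exact rule set are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    interface: str            # "LAN" or "WAN"
    direction: str            # "in" = arriving on the interface, "out" = leaving via it
    action: str               # "pass" or "block"
    src: str = "any"          # CIDR or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    schedule_active: bool = True   # a scheduled rule is only consulted while the schedule is active

    def matches(self, iface: str, direction: str, pkt: Packet) -> bool:
        if not self.schedule_active:
            return False
        if (iface, direction) != (self.interface, self.direction):
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], iface: str, direction: str, pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins. With no match, IN falls to the default deny and
    OUT falls to the automatic floating "let it out" rule (modelled here as a
    plain pass, which is an assumption simplifying the real defaults)."""
    for r in rules:
        if r.matches(iface, direction, pkt):
            return r.action, r.name
    return ("block", "default deny") if direction == "in" else ("pass", "auto floating out")


def forward(rules: List[Rule], ingress: str, egress: str, pkt: Packet) -> List[Tuple[str, str, str, str]]:
    """Trace a packet crossing the firewall: IN on the ingress interface, then
    OUT on the egress interface. Stops at the first block."""
    trace = []
    for iface, direction in ((ingress, "in"), (egress, "out")):
        action, name = evaluate(rules, iface, direction, pkt)
        trace.append((iface, direction, action, name))
        if action == "block":
            break
    return trace


def verdict(trace: List[Tuple[str, str, str, str]]) -> str:
    return trace[-1][2]


LAN_NET = "192.168.1.0/24"    # firewall LAN interface 192.168.1.21/24 from the thread
WAN_NET = "192.168.47.0/24"   # WAN/NAT network from the thread
# Constructed flow: a LAN client asking an NTP server on the NAT network for time.
NTP = Packet(src="192.168.1.50", dst="192.168.47.1", proto="udp", dport=123)


def ruleset(with_out_block: bool, schedule_active: bool) -> List[Rule]:
    """Constructed rule set: an IN rule on LAN for the LAN net, an IN rule on WAN
    for NTP towards the WAN net (the shape the thread describes), and optionally
    a scheduled OUT block rule on WAN."""
    rules = [
        Rule("LAN in: allow LAN net", "LAN", "in", "pass", src=LAN_NET),
        Rule("WAN in: allow NTP to WAN net", "WAN", "in", "pass", dst=WAN_NET, proto="udp", dport=123),
    ]
    if with_out_block:
        rules.append(Rule("WAN out: scheduled block", "WAN", "out", "block",
                          schedule_active=schedule_active))
    return rules


if __name__ == "__main__":
    for label, rules in (("OUT block, schedule active", ruleset(True, True)),
                         ("OUT block, schedule off", ruleset(True, False)),
                         ("IN rules only", ruleset(False, True))):
        print(label, forward(rules, "LAN", "WAN", NTP))
    # What the WAN IN rule actually matches: unsolicited NTP arriving on WAN for the firewall itself.
    probe = Packet(src="192.168.47.50", dst="192.168.47.2", proto="udp", dport=123)
    print("WAN in probe:", evaluate(ruleset(False, True), "WAN", "in", probe))
```

The traces show the point made above: the LAN-originated NTP flow is only ever evaluated IN on LAN and OUT on WAN, so the "allow NTP" rule placed IN on WAN never participates, and the scheduled OUT block on WAN is the rule that decides the flow while its schedule is active. With the schedule off, or with the OUT rule removed, the same flow leaves through the automatic outbound allow. The final probe shows what an IN rule on WAN really opens: traffic arriving from the WAN side, which is rarely what is wanted for a client-side NTP allow.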
Quote from: Greelan on April 02, 2021, 10:31:24 AM
It would be helpful to understand more about how your network is set up because I still don't really follow
Thanks for getting back, the story is as follows.
I have a laptop and a Dell server with ESXi on it. The idea is to have 2 networks: one in the laptop in VMware Workstation (192.168.28.0/27) and the other running on the Dell server (10.0.64.0/27). Both networks eventually connect to an OPNsense firewall VM (firewallWM) in VMware Workstation.
The network on the Dell server communicates with the network in the VMware Workstation VM also via firewallWM (but technically through a bridged connection (vmnet1 in the VMware Workstation Virtual Network Editor [https://i.ibb.co/zJ0BN4s/VMNET1.png] | [https://i.ibb.co/TqP3hXn/VNE.png]). No, this does not give vmnet1 internet access, because it is bridged with the LAN ethernet cable physically connected to the server).
Internet is given to all VMs through the laptop's WiFi; the firewallWM in VMware Workstation has a vNIC on NAT and all traffic is made to pass through this to get internet access. This is where the rule (shown in the 1st picture in the original question [https://i.ibb.co/MGVWrGx/Rules.png]) is being applied, which clearly is not working as intended.
Network Overview
https://i.ibb.co/KcZjLwB/Dell-Network-Basic.png
Network Diagram, internet traffic flow in red.
https://i.ibb.co/9gHG3y3/Dell-Network.png
Quote from: Greelan on April 02, 2021, 10:31:24 AM
You may also be confusing what IN means (not the first person). IN means coming into an interface on OPNsense from a source. So IN on the LAN interface means incoming from the LAN net. IN on WAN means incoming from (usually) the internet
I took some time to understand IN and OUT; someone at the forum helped explain it to me. I am not an expert, but I get the idea of how the rules work.
Well, that made my head explode...
But if 192.168.47.0/24 is on the WAN interface, don't you need that as the source in the IN rule on the WAN interface?
Quote from: Greelan on April 03, 2021, 12:12:17 AM
Well, that made my head explode...
But if 192.168.47.0/24 is on the WAN interface, don't you need that as the source in the IN rule on the WAN interface?
I agree; however, as mentioned earlier, I was checking how the rules work.
Also, 192.168.47.0/24 is the source in the OUT rule, and the destination in the IN rule.