OPNsense Forum

English Forums => General Discussion => Topic started by: r0ckky on May 30, 2022, 04:54:07 pm

Title: interface to interface traffic
Post by: r0ckky on May 30, 2022, 04:54:07 pm
Hello all,

I have a problem with a newly setup OPNsense 22.1.8_1-amd64 firewall running on a picopc box.

I have 4 interfaces, igb0 thru igb3.

igb0 is my ISP WAN DHCP address from ISP
igb1 is 172.16.1.0/24 ( internal )
igb2 is 172.16.2.0/24 ( Secondary LAN )
igb3 is 172.16.3.0/24 ( NAS network )

my PC is connected directly to igb1 and DHCP service gives it an IP of 172.16.1.10
my NAS is connected to igb3 and DHCP gives it an IP of 172.16.3.10

I have a group assignment called ALL_LANS and have set a rule to allow all traffic from all LANs to talk to each other.
I have further rules set directly as part of testing to allow traffic from my PC via an alias of my PC MAC address to the NAS box MAC address.


****I cannot connect to the NAS box on port 8080 from my PC ****

To test, I connect the NAS box to the same LAN as the PC (it gets a DHCP address of 172.16.1.11) and I can access it.
So I know it's listening and allowing connections.

Now, connecting the NAS back to igb3 so it gets its original 172.16.3.10, I then try diagnostics and ping 172.16.3.10 from the 172.16.3_net interface and I get a response.

I ping from diagnostics and ping 172.16.1.10 from the 172.16.1_net interface and I get a response.


But when I try to ping from 172.16.1.10 to 172.16.3.10, nothing... I see the ping traffic in the live view of the logs, but I get no response to packets. The logs are telling me traffic is passing, but there's no response.

I'm confused as to why this doesn't work and hoping someone can point me in the right direction. I'm not a network person, but I know enough to make this work, and I previously had it running on version 20.1 and upgraded today.

Thanks

Rokky
Title: Re: interface to interface traffic
Post by: r0ckky on May 30, 2022, 05:27:38 pm
As an additional note:

I can ping from 172.16.1.10 (PC) to 172.16.3.1 (gateway for igb3 LAN), but when I ping 172.16.3.10 the packets do not go anywhere, yet the live view of the logs shows they are being passed.
Title: Re: interface to interface traffic
Post by: meyergru on May 30, 2022, 05:59:11 pm
Did you uncheck "block private networks" on all interfaces?
Title: Re: interface to interface traffic
Post by: r0ckky on May 30, 2022, 06:23:27 pm
Yes, both private and bogon are unticked for both interfaces.

I just configured Unbound DNS and it's running internally, so I queried it and got this:

C:\>ping -a 172.16.3.10
Pinging NAS-RAID.172-16-3 [172.16.3.10] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.3.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

So the firewall knows of this device, matched the IP to the DNS record and resolved the IP to the right host name, even got the right domain for the right interface too!
Title: Re: interface to interface traffic
Post by: r0ckky on May 30, 2022, 06:28:31 pm
I tried port probing 172.16.3.10 from the 172.16.3.1 network:

# /usr/bin/nc -v -w 10 -4 -s '172.16.3.1'  '172.16.3.10' '8080'
Connection to 172.16.3.10 8080 port [tcp/http-alt] succeeded!

I try the same but using the 172.16.1.1 network:

# /usr/bin/nc -v -w 10 -4 -s '172.16.1.1'  '172.16.3.10' '8080'
nc: connect to 172.16.3.10 port 8080 (tcp) failed: Operation timed out
Title: Re: interface to interface traffic
Post by: r0ckky on May 30, 2022, 06:30:28 pm
traceroute:

# /usr/sbin/traceroute -w 2 -I  -m '5' -s '172.16.1.1'   '172.16.3.10'
traceroute to 172.16.3.10 (172.16.3.10) from 172.16.1.1, 5 hops max, 48 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *

# /usr/sbin/traceroute -w 2 -I  -m '5' -s '172.16.3.1'   '172.16.3.10'
traceroute to 172.16.3.10 (172.16.3.10) from 172.16.3.1, 5 hops max, 48 byte packets
 1  NAS-RAID.172-16-3 (172.16.3.10)  0.375 ms  0.199 ms  0.234 ms

Title: Re: interface to interface traffic
Post by: r0ckky on May 30, 2022, 06:32:56 pm
Oh, and the DHCP and interface subnet is /24.

I had it set to /16 as a test, thinking that it might need to open the scope a bit to allow traffic to go through, but all this did was that instead of getting a DHCP lease from the 172.16.1 range, I was getting one from the 172.16.3 or 172.16.2 ranges... but as I was still physically connected to the igb1 interface, traffic still wasn't passing.

So all interfaces are /24 with DHCP running from range .10 to .50 only (basically mirroring each other and directing DNS to Unbound DNS on port 53 locally).
Title: Re: interface to interface traffic
Post by: andrewoliv on May 31, 2022, 12:28:29 pm
Does your NAS have a firewall?

Do you have the firewall on your NAS enabled with port 8080 allowed?
Title: Re: interface to interface traffic
Post by: Vilhonator on May 31, 2022, 12:46:11 pm
You need to create a route.

Check what route address your networks have (might be 172.16.0.0/24 or 172.16.0.0/16) and route them to a single gateway (like 172.16.1.1).
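The evidence in the thread (OPNsense logs the packets as passed, probes sourced from 172.16.3.1 reach the NAS, probes sourced from 172.16.1.x time out) fits a failure on the reply leg rather than on the firewall: the NAS can answer hosts on its own subnet but not hosts on another one, which happens when it has no usable gateway (the point behind Vilhonator's route remark) or when a host firewall on the NAS only admits local sources (andrewoliv's question). The following is an added Python model, not code from any poster or from OPNsense, that reproduces that symptom with a longest-prefix-match route lookup and a source filter. The routing tables, the interface name `eth0` and the firewall allow-list are constructed from the thread's addressing; it does not claim which of the two causes applies to the original setup.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network              # destination prefix
    gateway: Optional[IPv4Address]   # None means directly connected (on-link)
    iface: str                       # constructed interface name


def route_lookup(table, dst):
    """Longest-prefix match, the way a host's IP stack picks a route."""
    dst = IPv4Address(str(dst))
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def reply_verdict(table, host_fw_allowed, src):
    """Classify what happens to the NAS's reply to a packet that came from `src`.

    host_fw_allowed: list of networks the NAS's host firewall accepts traffic
    from, or None when that host firewall is disabled.
    """
    src = IPv4Address(str(src))
    if host_fw_allowed is not None and not any(src in n for n in host_fw_allowed):
        return "dropped by host firewall"
    route = route_lookup(table, src)
    if route is None:
        return "no route to reply"
    if route.gateway is None:
        return f"delivered on-link via {route.iface}"
    return f"delivered via gateway {route.gateway}"


# Constructed NAS routing tables (assumption: NAS sits on the igb3 network).
NAS_CONNECTED_ONLY = [Route(IPv4Network("172.16.3.0/24"), None, "eth0")]
NAS_WITH_DEFAULT = NAS_CONNECTED_ONLY + [
    Route(IPv4Network("0.0.0.0/0"), IPv4Address("172.16.3.1"), "eth0")
]

# Sources the thread probed from: the igb3 address, the igb1 address, the PC.
PROBE_SOURCES = ["172.16.3.1", "172.16.1.1", "172.16.1.10"]

SCENARIOS = [
    ("no default gateway", NAS_CONNECTED_ONLY, None),
    ("default gateway set", NAS_WITH_DEFAULT, None),
    ("gateway set, host firewall local-only", NAS_WITH_DEFAULT,
     [IPv4Network("172.16.3.0/24")]),
]


def diagnose():
    """Return {scenario: {source: verdict}} for every probe source."""
    return {
        name: {src: reply_verdict(table, fw, src) for src in PROBE_SOURCES}
        for name, table, fw in SCENARIOS
    }


if __name__ == "__main__":
    for name, verdicts in diagnose().items():
        print(f"== {name}")
        for src, verdict in verdicts.items():
            print(f"  reply to {src:<12} -> {verdict}")
```

In the first two scenarios the on-link reply to 172.16.3.1 always succeeds, which is exactly what the traceroute sourced from 172.16.3.1 showed; only the off-subnet sources differ between "no route" and "delivered via gateway". The third scenario shows why a correct gateway is not enough when the NAS's own firewall limits sources to its subnet, so checking the NAS's default gateway and its host firewall covers both explanations the thread raises.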