OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: zyx360 on June 08, 2022, 02:32:36 PM

Title: What firewall rule blocks my traffic
Post by: zyx360 on June 08, 2022, 02:32:36 PM
Hi there,

I have a strange issue to troubleshoot.
I have a setup that looks like this:

Provider-Router (wan: x.x.x.x, lan: 192.168.111.1/24) -> Opnsense (wan: 192.168.111.2/24, lan: 192.168.112.0/24)

I know this setup is not ideal but it is something I have to deal with for now.
Some of my clients are connected to the provider router's wifi and receive a DHCP IP from the 111.0/24 subnet.
I want these clients to be able to connect to the OPNsense management interface on the WAN address.

To make this possible I:
- Disabled the "block bogon networks" setting
- Disabled the "block private networks" setting
- Created an allow rule on the WAN interface that allows 80/443

I am however still unable to access the management interface.

I was hoping I would be able to monitor what's being blocked by navigating to:
Firewall > Log Files > Live View

But for whatever reason I don't see the traffic being blocked there.

I know for a fact that something on OPNsense is blocking my traffic, since a "pfctl -d" on the command line magically makes things work as expected.

Can anyone point me in the right direction as to how I can monitor what's actually dropping my request?

Thanks!
Z
Title: Re: What firewall rule blocks my traffic
Post by: zyx360 on June 08, 2022, 03:29:17 PM
After some more investigation I found the firewall logs did not show entries because the traffic was actually allowed.

I've tried connecting with curl from a machine in the 111.0/24 network; this throws a cryptic error.

[root@controller ~]# curl -vvvv  https://192.168.111.2
* Rebuilt URL to: https://192.168.111.2/
*   Trying 192.168.111.2...
* TCP_NODELAY set
* Connected to 192.168.111.2 (192.168.111.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.111.2:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.111.2:443
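
The two posts above take the right two steps (is pf dropping the packets? if not, where does the connection die?) but by hand. The script below is an added example, not code from the thread or from OPNsense, that does the same thing from a client in 192.168.111.0/24: it runs the HTTPS probe once, classifies it by curl's documented exit status, and says which layer to inspect next. The curl output posted above ("Connected to ... port 443", then SSL_ERROR_SYSCALL, exit 35) is the `tls-failed` case: the TCP handshake completed, so pf passed the packets, and the failure is in TLS or the listener. The default host and port are the thread's; the WAN interface name `igb0` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): probe the OPNsense WAN address from a
# client in 192.168.111.0/24 and separate "pf drops the packets" from
# "TCP connects but TLS fails". Defaults come from the thread; the WAN
# interface name igb0 is an assumption and must be adjusted.

HOST="${1:-192.168.111.2}"
PORT="${2:-443}"
WAN_IF="igb0"

# Map a curl exit status (see "EXIT CODES" in curl(1)) to a one-word diagnosis.
classify_curl_exit() {
  case "$1" in
    0)  echo "ok" ;;              # TLS handshake and HTTP exchange completed
    7)  echo "tcp-refused" ;;     # connect() failed: RST, no route, or nothing listening
    28) echo "tcp-timeout" ;;     # no SYN/ACK before --connect-timeout: silent drop
    35) echo "tls-failed" ;;      # TCP connected, but the TLS handshake did not finish
    56) echo "reset-midstream" ;; # connection torn down after the handshake began
    *)  echo "other:$1" ;;
  esac
}

# For each diagnosis, name the layer to look at next and what to run where.
advise() {
  case "$1" in
    ok)
      echo "Reachable. Neither pf nor the web server is blocking this client." ;;
    tcp-refused)
      echo "Connect refused or unreachable. On OPNsense: pfctl -sr | grep -n 'block return' ; also check that OPNsense has a route back to the client." ;;
    tcp-timeout)
      echo "SYN never answered, typical of a pf 'block drop'. On OPNsense: tcpdump -ni $WAN_IF host <client_ip> and port $PORT ; pfctl -vvsr (rule numbers and hit counters) ; Firewall > Log Files > Live View (only rules with logging enabled appear there)." ;;
    tls-failed|reset-midstream)
      echo "TCP completes, so pf passed the packets; the failure is in TLS or the listener. Run: openssl s_client -connect $HOST:$PORT -servername $HOST </dev/null ; on OPNsense: sockstat -4l | grep :$PORT" ;;
    *)
      echo "Unclassified curl result ($1); rerun with curl -v to see the stage it stopped at." ;;
  esac
}

# Run the HTTPS probe once and print the diagnosis. '|| rc=$?' keeps a failing
# curl from aborting the script under 'set -e'.
probe() {
  rc=0
  curl --connect-timeout 5 --max-time 15 -k -s -o /dev/null "https://$1:$2/" || rc=$?
  classify_curl_exit "$rc"
}

# Only touch the network when a host is given on the command line.
if [ -n "$1" ]; then
  result=$(probe "$HOST" "$PORT")
  echo "$HOST:$PORT -> $result"
  advise "$result"
fi
```

Run it as `sh probe.sh 192.168.111.2 443` from a client on the provider router's LAN. One caveat on the `pfctl -d` test from the first post: it disables the whole pf ruleset, NAT and rdr rules included, so a connection that starts working after `pfctl -d` only shows that pf is involved somewhere, not that a filter rule is dropping the packets; the per-layer probe above is what tells those apart.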


Title: Re: What firewall rule blocks my traffic
Post by: axsdenied on June 08, 2022, 09:47:16 PM
Do you mind sharing a screenshot of your WAN rule set, including the section with the description "Automatically generated rules", where you have to expand the drop-down to see the full list of rules?
Title: Re: What firewall rule blocks my traffic
Post by: cookiemonster on June 09, 2022, 12:15:22 AM
Doesn't seem to be a firewall rule, as you have found. There is no server hello after the client hello, and I suggest drilling into "CApath: none".
Where it doesn't work from, is it from a terminal via commands too, or only from web browsers? Something to do with the certs seems off.