OPNsense Forum

English Forums => General Discussion => Topic started by: imothep77 on January 11, 2024, 11:10:25 pm

Title: FW block rule still allowing traffic to Proxmox host
Post by: imothep77 on January 11, 2024, 11:10:25 pm

Hi all,

I've been struggling with the below for the whole day.
Didn't find any related topic here, so here I am -

I have 2 Proxmox physical machines, on each one of them, I have an OpnSense VM (both Opns run in HA).
All 4 machines live in the same "management" VLAN, let's say 10.0.10.0/24.
I have defined the following rules on the MGMT interface (VLAN 10):

• allow any IPv4 - TCP/UDP traffic from MGMT net to OPNsense VIP on port 53 (DNS)
• allow any IPv4 traffic to non RFC1918+bogon networks (allow all machines on the MGMT net to access the Internet)
  
• allow any IPv4 traffic from ManagementPCs (alias) to any
• block IPv4+IPv6 traffic from any to any (I guess this one is not necessary, but I like to be explicit)
  

Now from a ManagementPC, I get the exact behaviour I want, basically, I have access to anything.
However, still on the MGMT interface, when connecting from my laptop (which receives an IP that is not listed in the Management PCs alias), I have a weird behavior related to rule 4:

• I can ping/access the internet both 8.8.8.8 and google.com - this is expected through rules 1 and 2
  I cannot ping any of my OpnSense VMs nor any of my other VMs for that matter - this is expected through rule 4 as I'm not a Management PC
• BUT I still CAN ping and actually log into the web GUI of both my Proxmox hosts. Not expected.
  

I'm actually trying to restrict access to my Servers web interfaces/SSH/etc, to only my Management PCs which again, my laptop is not yet.

I'm sure one of the geniuses right here can help me sort this out.

Until then, thanks for the great support and fruitful discussions here.

Title: Re: FW block rule still allowing traffic to Proxmox host
Post by: imothep77 on January 13, 2024, 11:27:36 am

no one ?

Title: Re: FW block rule still allowing traffic to Proxmox host
Post by: meyergru on January 13, 2024, 11:51:14 am

Traffic on the same interface/subnet is not passing OpnSense at all, so it can't block it.

Title: Re: FW block rule still allowing traffic to Proxmox host
Post by: imothep77 on January 19, 2024, 09:54:23 am

Thanks for your reply.

In that case, how come I'm getting the expected behavior - i.e not able to connect to my Opnsense webgui when I'm not a Management_PC?

Title: Re: FW block rule still allowing traffic to Proxmox host
Post by: cookiemonster on January 19, 2024, 10:13:15 am

Put the network setup inside the firewalls at one side for a moment.
Show how they are physically connected here, to have an idea of what is happening at the different layers.

Title: Re: FW block rule still allowing traffic to Proxmox host
Post by: meyergru on January 19, 2024, 10:27:39 am

You initially wanted to limit access to your Proxmox web GUI, which seems to be directly attached to your VM's network, now you ask for the OpnSense weg GUI - that is a different story.

You could potentially limit traffic in these places:

1. In your Proxmox host for its web gui (I do not know how this would be possible).
2. In your OpnSense host for its web gui by creating a rule on the interface to allow only certain IPs.
3. In your Proxmox VE for a specific machine by using the Proxmox firewall to block traffic to certain IPs - this is complicated, though.
4. Separate your network infrastructure (i.e. OpnSense and Proxmox hosts in a separate management VLAN) and define specific rules for a management group of IPs in the normal LAN to be able to access that VLAN.

For a consistent approach, use the last one.

Title: Re: FW block rule still allowing traffic to Proxmox host
Post by: imothep77 on January 24, 2024, 04:50:39 pm

Thank you guys for your replies.

I know there are some other ways of limiting access to my Proxmox GUI, but the intent of this post is to understand why a PC is able to connect to one machine (my Proxmox host) when I have specific rules on my firewall explicitly blocking traffic to the whole network range except to the DNS server / port, when I'm not a "ManagementPC". The rule seems to be working, as I'm not able to access the Opnsense WebGUI - again, this is the expected behaviour - but I'm still able to log into my Proxmox WebGUI.

To cookiemonster's question, here's my setup:

--------------------
| Proxmox Host     |-------------- Managed Switch --------------- PC
| ------------------|
| Opnsense is a     |
| VM here              |                          LAN
|                          |
--------------------

• Proxmox host has a static IP on the Management VLAN
• PC is connected to Management VLAN and gets it's IP from Opnsense in the management VLAN
• OpnSense is a VM using
  
  • native Proxmox LAN as its LAN interface
  • a specific WAN interface on a WAN VLAN as the WAN interface
  • a specific pfsync interface on a specific VLAN as OPT1 interface
  • all other VLANs (including Management VLAN, main LAN VLAN and guest VLAN for instance) are set up inside Opnsense
    

Title: Re: FW block rule still allowing traffic to Proxmox host
Post by: Patrick M. Hausen on January 24, 2024, 06:02:01 pm

If Proxmox, OPNsense and the PC in question all share the same LAN (VLAN, broadcast domain, whatever you name it ...) then traffic from the PC to Proxmox does not go through OPNsense so no firewall rules apply.

Device on a single network communicate directly with each other without an intermediate router. That's what ARP (or ND for IPv6) is for.

Title: Re: FW block rule still allowing traffic to Proxmox host
Post by: imothep77 on January 29, 2024, 05:13:43 pm

Crystal clear, conclusion I was moving towards....

However, why does enabling this rule in OPNSense prevent me from accessing any of my other servers inside the same network, BUT my Proxmox Webgui....