OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: GreenMatter on January 24, 2024, 10:15:23 AM

Title: Firewall issues - blocked access to 1.1.1.1
Post by: GreenMatter on January 24, 2024, 10:15:23 AM

OPNsense 23.7.12. Whole LAN (vlans) and all hosts are connected through a Unifi switch. I keep having issues with either the firewall setup or the firewall itself.
One story is about blocked TCP communication between one vlan's interface and the vlan's hosts: https://forum.opnsense.org/index.php?topic=37602.msg184311#msg184311
And this one is about LAN wide blocked access to 1.1.1.1 DNS.
It is accessible from opnsense/firewall itself but not from within my whole LAN.
How to troubleshoot the firewall - to examine all rules for the presence of anything related to those 2 issues?
I've done it visually, I mean checking rules, and I couldn't find anything that sticks out. Is there any tool or CLI command smarter than myself?
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: cookiemonster on January 24, 2024, 11:12:00 AM
Maybe something inspecting traffic like Zenarmor, blocklists in Unbound or other services, set to block DoT or DoH?
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: GreenMatter on January 26, 2024, 11:28:08 PM
Quote from: cookiemonster on January 24, 2024, 11:12:00 AM
Maybe something inspecting traffic like Zenarmor, blocklists in Unbound or other services, set to block DoT or DoH?
I stopped Zenarmor service and disabled blocking in Unbound and it didn't help.
Is there any tool to allow me "query" firewall for blocked hosts/addresses?
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: chemlud on January 26, 2024, 11:38:05 PM
FW rules?
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: GreenMatter on January 27, 2024, 01:40:09 PM
Quote from: chemlud on January 26, 2024, 11:38:05 PM
FW rules?
I've done a "visual" check but I might have overlooked something. I'm asking for a more automated check / command letting me verify the presence of the 1.1.1.1 address across ALL rules...
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: chemlud on January 27, 2024, 06:03:39 PM
it's not just about the target address, it could be port, protocol... ;-)
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: Fright on January 27, 2024, 08:01:52 PM
@GreenMatter
maybe you can try to find the 1.1.1.1 references in aliases (Firewall: Diagnostics: Aliases -> Find references)?
if that doesn't give any hint, it will probably be necessary to enable logging of the default blocking rules, enable logging of other suitable blocking rules and look at the (live) log
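The "Find references" lookup above only catches aliases that contain the literal address; a rule whose destination is a wider network (1.0.0.0/8) or a table entry (1.1.1.0/24) still matches 1.1.1.1 and a plain grep over the GUI or /conf/config.xml will miss it. The following is an added example, not part of this thread or of OPNsense: it takes the loaded ruleset as printed by `pfctl -sr` and table contents as printed by `pfctl -t NAME -T show`, and reports every rule whose source or destination network contains the address. The rule lines and the table contents here are constructed samples, and the `Blocked_Resolvers` table name is made up for the illustration.

```python
import ipaddress
import re

# Constructed sample of `pfctl -sr` output (labels shortened; not taken from the thread).
SAMPLE_RULES = """\
block drop in log quick on vlan10 inet from any to <Blocked_Resolvers> label "block-doh"
pass in quick on vlan10 inet proto udp from 192.168.10.0/24 to 9.9.9.9 port = 53 keep state label "dns"
pass in quick on vlan20 inet from 192.168.20.0/24 to 1.0.0.0/8 keep state label "allow-cf"
pass in quick on vlan10 inet from 192.168.10.0/24 to 8.8.8.8 keep state label "allow-google"
"""

# Constructed table contents, as `pfctl -t Blocked_Resolvers -T show` would print them
# (hypothetical table name; on a real box collect every table from `pfctl -s Tables`).
SAMPLE_TABLES = {
    "Blocked_Resolvers": ["1.1.1.0/24", "8.8.4.4"],
}

# Either a <table> reference or a dotted-quad address with an optional /prefix.
TOKEN_RE = re.compile(r"<(\w+)>|(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)")


def networks_in_rule(rule, tables):
    """Yield every IPv4 network a pf rule line refers to, expanding <table> references."""
    for table_name, literal in TOKEN_RE.findall(rule):
        if table_name:
            for entry in tables.get(table_name, []):
                yield ipaddress.ip_network(entry, strict=False)
        else:
            # A bare address becomes a /32 host network.
            yield ipaddress.ip_network(literal, strict=False)


def rules_matching(ip, ruleset_text, tables):
    """Return the rule lines whose networks contain ip (CIDR-aware, unlike grep)."""
    target = ipaddress.ip_address(ip)
    hits = []
    for line in ruleset_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if any(target in net for net in networks_in_rule(line, tables)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    # On OPNsense you would feed real output instead:
    #   pfctl -sr > rules.txt ; pfctl -t Blocked_Resolvers -T show > table.txt
    for hit in rules_matching("1.1.1.1", SAMPLE_RULES, SAMPLE_TABLES):
        print(hit)
```

Rules that say `from any` or name an interface network (`vlan10:network`) are not expanded here, so treat an empty result as "no explicit address match", not as proof the address is unaffected; the logging approach in the post above remains the authoritative check.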
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: GreenMatter on January 28, 2024, 12:20:36 AM
Quote from: Fright on January 27, 2024, 08:01:52 PM
@GreenMatter
maybe you can try to find the 1.1.1.1 references in aliases (Firewall: Diagnostics: Aliases -> Find references)?
if that doesn't give any hint, it will probably be necessary to enable logging of the default blocking rules, enable logging of other suitable blocking rules and look at the (live) log
Finally I've found the reason, but I don't understand WHY...
I have created 3 VPN gateways (they use interfaces created by OpenVPN clients). Only one gateway has assigned vlan (rule) and outbound NAT; 2 other aren't in use.
These VPN gateways have a monitor IP configured and one of them was 1.1.1.1. Long story short: any IP configured as "Monitor IP" (in any of the VPN gateways) is not accessible from LAN hosts. It's applicable also to gateways without any FW rules assigned.
So, why it's like that?
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: GreenMatter on January 31, 2024, 01:37:15 PM
Anybody, anything?
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: Fright on January 31, 2024, 04:39:04 PM
Quote: anything?
adding "Monitor IP" adds a record in the routing table
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: GreenMatter on January 31, 2024, 06:18:44 PM
@Fright
Thanks, I didn't know that.
Does it mean it is added in such a way that it excludes the LAN?


EDIT:
In such a case, what hosts are the best to serve as monitor IP? External DNS sometimes might be useful inside LAN...
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: Fright on January 31, 2024, 06:33:20 PM
can't tell without fully understanding your setup/rules (how a host route can interfere with pf rules etc), sorry
you asked for a hint - I was trying to give one )
another hint - there is a "Disable Host Route" checkbox above the Monitor IP setting ;)
Title: Re: Firewall issues - blocked access to 1.1.1.1
Post by: GreenMatter on January 31, 2024, 08:28:06 PM
Quote from: Fright on January 31, 2024, 06:33:20 PM
can't tell without fully understanding your setup/rules (how a host route can interfere with pf rules etc), sorry
you asked for a hint - I was trying to give one )
another hint - there is a "Disable Host Route" checkbox above the Monitor IP setting ;)
I don't have any FW rules for "Monitor IPs". So, I guess I can exclude the FW itself. That's why it confused me so much.
Activation of "Disable Host Route" doesn't help. Maybe because of https://github.com/opnsense/core/issues/6342 - I don't know how valid it is in 23.7.12 and now in 24.1 (I'm afraid to upgrade since I'm away from the router location).


Anyway, now I understand it a bit more: since monitor IPs have routing through gateways which are not in use in the LAN, LAN hosts won't be able to contact them...
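The mechanism behind the thread's conclusion is plain longest-prefix matching: the gateway monitor installs a /32 host route for the monitor IP via the VPN gateway, a /32 always beats the default route, so a LAN packet to 1.1.1.1 is sent out the OpenVPN client interface, where no rule or outbound NAT exists for the LAN, and a packet to the neighbouring 1.0.0.1 still leaves via WAN. On the box itself `netstat -rn` shows the entry and `route -n get 1.1.1.1` shows the kernel's choice. The following is an added example, not part of this thread or of OPNsense: it parses a constructed `netstat -rn` listing (FreeBSD layout; interface names `igb0`, `ovpnc1`, `vlan10` and all addresses are made up), answers "which interface does this destination leave on", and simulates what "Disable Host Route" is meant to achieve by dropping the /32. It models only the intended effect of the checkbox; GreenMatter reports above that enabling it did not help on 23.7.12.

```python
import ipaddress

# Constructed `netstat -rn` output for a box with a WAN default route and one OpenVPN
# client (ovpnc1) whose gateway monitor IP is 1.1.1.1. The UGHS entry is the host route
# that the gateway monitor installs so its own probes leave via that gateway.
WITH_HOST_ROUTE = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
1.1.1.1            10.8.0.1           UGHS     ovpnc1
10.8.0.0/24        link#7             U        ovpnc1
192.168.10.0/24    link#3             U        vlan10
203.0.113.0/24     link#1             U          igb0
"""


def parse_netstat(text):
    """Turn netstat -rn lines into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags, netif = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare address in the Destination column is a host route (/32).
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gw, flags, netif))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the same decision the kernel makes for a destination."""
    target = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        net = route[0]
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def egress_for(text, ip):
    """Interface a packet to ip leaves on, or None if nothing matches."""
    best = lookup(parse_netstat(text), ip)
    return best[3] if best else None


def without_host_route(text, ip):
    """Simulate 'Disable Host Route': drop the /32 the gateway monitor installed."""
    lines = text.splitlines()
    kept = [lines[0]] + [l for l in lines[1:] if l.split() and l.split()[0] != ip]
    return "\n".join(kept) + "\n"


def reachable_from_lan(text, ip, nat_interfaces):
    """LAN traffic only works if it egresses on an interface that has outbound NAT
    (and matching rules) for the LAN; here that set is given explicitly."""
    return egress_for(text, ip) in nat_interfaces


if __name__ == "__main__":
    lan_nat = {"igb0"}   # constructed: outbound NAT for LAN exists on WAN only
    for dst in ("1.1.1.1", "1.0.0.1"):
        print(dst, "->", egress_for(WITH_HOST_ROUTE, dst),
              "reachable from LAN:", reachable_from_lan(WITH_HOST_ROUTE, dst, lan_nat))
    fixed = without_host_route(WITH_HOST_ROUTE, "1.1.1.1")
    print("without host route: 1.1.1.1 ->", egress_for(fixed, "1.1.1.1"))
```

This is also why the choice of monitor IP matters: whatever address is used becomes unreachable for LAN hosts on every gateway that has no LAN policy, so pick probe targets you never need from inside the LAN, or keep the monitor IPs out of the routing table with the checkbox where it works.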