I have two sites, my opnsense fw and site-b (remote), and a GRE connection between them terminating on the opnsense fw. Why doesn't opnsense trigger a log in firewall live log view with an inbound rule when I ping from the lan of site-b to lan of opnsense and have a rule of "if interface GRE has incoming ICMP from site-b subnet, log=yes and pass"? I can only ever get rules triggering a log in live view when the rule is applied against outbound/return traffic. Why is this?
Also, why do none of my NAT rules where log=yes ever trigger a log in live view either?
Inbound is on Ingress, meaning a packet coming IN to an Interface.
When you use overlay technologies such as GRE, the Ingress is triggered in two stages:
1. The Underlay Interface to allow the GRE > sees only the outer IPv4 header, so tunnel source and destination
2. The GRE interface itself > sees the inner IPv4 header, so source and destination after decapsulation
If a session is opened for such a connection it will not appear again in the live log as long as the session/state in the FW is active and has neither expired nor been closed.
Show your Ingress rules, and check State table in the FW.
Regards,
S.
Are you telling me I should see an inbound entry in the state table from the IP of the host on site-b's lan?
You have 2 FWs.
FW A and FW B
If the connection is established from FW A, the Ingress Rule on Site B is matched and should be visible as IN.
While on FW A it will be seen as OUT because it's Egress.
When the packet comes back from FW B to FW A, you will not match the rule as IN on FW A. You don't do a lookup anymore.
Because there is already a state/session created by FW A when it established the connection towards FW B.
A Session/State on FW, is matched only once per Interface and accounts for both directions based on 5-tuple (Protocol, Source IP & Port, Destination IP & Port).
Regards,
S.
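The behaviour described in this reply, as an added illustration that is not OPNsense or pf code: a toy model in which rules are evaluated only for the first packet of a flow on a given interface and direction, a state keyed on the (direction-agnostic) 5-tuple is created, and every later packet of the flow in either direction matches that state without another rule lookup. The interfaces, subnets, rule labels and echo identifiers are made up for the demo; the if-bound state key and "quick" first-match semantics are modelling assumptions.

```python
"""Toy model of pf stateful filtering on a GRE-terminating firewall (added
example, not OPNsense/pf code).  Shows why a 'pass in log' rule on gre0 logs
once per state, and never logs at all when the local side initiated the flow."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" (ingress) or "out" (egress)
    proto: str
    src: str
    sport: int       # for ICMP this stands in for the echo identifier
    dst: str
    dport: int


@dataclass
class Rule:
    direction: str
    iface: str
    proto: str
    src_net: str
    dst_net: str = "0.0.0.0/0"
    action: str = "pass"
    log: bool = False
    label: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.proto == p.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net))


def state_key(p: Packet):
    """5-tuple normalised so request and reply hash the same; bound to the
    interface (assumed 'if-bound' state policy, i.e. one state per interface)."""
    fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)
    return (p.iface, min(fwd, rev))


class Firewall:
    def __init__(self, name, rules, default="block"):
        self.name, self.rules, self.default = name, rules, default
        self.states = {}   # state_key -> label of the rule that created it
        self.log = []      # one entry per rule evaluation that logged

    def filter(self, p: Packet) -> str:
        k = state_key(p)
        if k in self.states:
            return "pass (state)"       # existing state: no rule lookup, no log entry
        for r in self.rules:            # 'quick' semantics: first match wins
            if r.matches(p):
                if r.log:
                    self.log.append((p.iface, p.direction, r.label, p.src, p.dst))
                if r.action == "pass":
                    self.states[k] = r.label
                return r.action
        return self.default


def exchange(fw, iface, first_dir, src, dst, ident, count=2):
    """Send `count` echo requests from src to dst, each first seen in `first_dir`
    on `iface`, with the reply travelling the opposite way. Returns the verdicts."""
    reply_dir = "out" if first_dir == "in" else "in"
    verdicts = []
    for _ in range(count):
        verdicts.append(fw.filter(Packet(iface, first_dir, "icmp", src, ident, dst, ident)))
        verdicts.append(fw.filter(Packet(iface, reply_dir, "icmp", dst, ident, src, ident)))
    return verdicts


def demo():
    rules = [  # constructed rules, roughly the shape of the floating rules in the thread
        Rule("in", "gre0", "icmp", "192.168.2.0/24", log=True, label="GRE ICMP in"),
        Rule("out", "gre0", "icmp", "192.168.1.0/24", log=True, label="GRE ICMP out"),
    ]
    fw = Firewall("opnsense", rules)
    # Case 1: site-b host initiates. First packet is IN on gre0, so the 'in'
    # rule is evaluated once (and logs once); everything after matches state.
    remote = exchange(fw, "gre0", "in", "192.168.2.10", "192.168.1.5", ident=100)
    # Case 2: local LAN host initiates. First packet is OUT on gre0, the state
    # is created by the 'out' rule, and the replies coming IN on gre0 match that
    # state, so the 'in' rule with log=yes never fires.
    local = exchange(fw, "gre0", "out", "192.168.1.5", "192.168.2.10", ident=200)
    return {"initiated_remotely": remote, "initiated_locally": local, "log": fw.log}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows two log entries in total, one from each rule: the "in" rule logs only for the flow that actually arrived first on gre0, and a second ping in the same flow produces no new entry, which is what "matched only once per Interface" means in practice.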
Quote from: Seimus on Today at 05:50:05 PM: If the connection is established from... (it) should be visible as IN (on the remote side).
Precisely. In other words, if the device is not the initiator of the connection/traffic, it will acknowledge the session as IN(put). So my opnsense fw should be triggering my interface rule where direction=IN and which I have told to log=yes. So why doesn't it? Based on your description it is behaving as if the ICMP pings came from the fw itself, but they are coming from the remote site via the GRE tunnel.
You should see the IN on the GRE interface, so match a rule allowing or denying ICMP on the GRE interface.
Show your rules.
Regards,
S.
I have a floating rule for it. This is from /tmp/rules.debug:
pass in log quick on gre0 reply-to (gre0 172.17.3.2) inet proto icmp from {any} to {any} keep state label "<label>" # GRE ICMP in
pass in log quick on gre1 reply-to (gre1 172.17.5.2) inet proto icmp from {any} to {any} keep state label "<label>" # GRE ICMP in
I only just noticed the "reply-to (greX 172.17.X.2)" in both rules. However, even if I test disabling this (it doesn't show up in the GUI unless toggling the advanced button), I still see no live view entry for the rule.
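The state-table check suggested earlier in the thread, as an added helper that is not part of OPNsense: it parses a `pfctl -ss` dump and lists the states on the GRE interfaces that were created by a packet arriving inbound from a given subnet, which is what you would expect to find for pings initiated at site-b. The sample lines are constructed in the layout I understand pfctl to print (`<iface> <proto> <a> <arrow> <b> <status>`, with `<-` meaning the state was opened by an inbound packet from the right-hand endpoint); that layout, the interface names and the addresses are assumptions, not taken from the poster's firewall.

```python
"""Find inbound states on GRE interfaces in 'pfctl -ss' output (added example,
not OPNsense code).  Feed it the real dump on the firewall; the sample below
is constructed for the demo."""
import ipaddress
import re

# Assumed pfctl -ss line layout:  <iface> <proto> <a> <arrow> <b> <status>
#   '->' : state opened by an outbound packet, a is the initiator
#   '<-' : state opened by an inbound packet,  b is the initiator
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+"
    r"(?P<arrow><->|->|<-)\s+(?P<b>\S+)\s+(?P<status>\S+)$")

# Constructed sample: an SSH session to the firewall, a ping from site-b's LAN
# (inbound on gre0, then outbound on lan), and a locally initiated ping.
SAMPLE_PFCTL_SS = """\
all tcp 192.168.1.5:22 <- 192.168.1.100:51234       ESTABLISHED:ESTABLISHED
gre0 icmp 192.168.1.5:4321 <- 192.168.2.10:4321       0:0
lan icmp 192.168.2.10:4321 -> 192.168.1.5:4321       0:0
gre0 icmp 192.168.1.20:777 -> 192.168.2.40:777       0:0
"""


def parse_states(text):
    """Return one dict per recognised state line, with the initiator resolved."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue            # skip anything in a layout we do not recognise
        d = m.groupdict()
        if d["arrow"] == "<-":
            d["direction"], d["initiator"], d["responder"] = "in", d["b"], d["a"]
        elif d["arrow"] == "->":
            d["direction"], d["initiator"], d["responder"] = "out", d["a"], d["b"]
        else:
            d["direction"], d["initiator"], d["responder"] = "unknown", d["a"], d["b"]
        states.append(d)
    return states


def host_of(endpoint):
    """Strip the ':port' (or ICMP id) suffix from an endpoint string."""
    return endpoint.rsplit(":", 1)[0]


def inbound_states_from(text, iface_prefix, subnet):
    """States on interfaces named iface_prefix* that were opened inbound by a
    host inside `subnet`; an empty result means no such flow ever hit an
    'in' rule on that interface, so no 'in' rule could have logged it."""
    net = ipaddress.ip_network(subnet)
    return [s for s in parse_states(text)
            if s["iface"].startswith(iface_prefix)
            and s["direction"] == "in"
            and ipaddress.ip_address(host_of(s["initiator"])) in net]


if __name__ == "__main__":
    for s in inbound_states_from(SAMPLE_PFCTL_SS, "gre", "192.168.2.0/24"):
        print(s["iface"], s["proto"], s["initiator"], "->", s["responder"], s["status"])
```

On the box itself, `pfctl -ss | python3 thisfile.py`-style piping would replace the constructed sample; the point of the filter is that only a state with the site-b host as initiator on the GRE interface corresponds to the inbound rule, and if only `->` states appear there, the flows are being opened from the local side and will only ever log against the outbound rule.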