OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: Link2019 on August 10, 2019, 02:12:02 pm

Title: Newbie wanting some help with configuration
Post by: Link2019 on August 10, 2019, 02:12:02 pm
Hi Everyone,

In the past I have used pre-configured software but I felt like turning my hand to something open source / hardware based but I'm having problems.

I got OPNsense 19.7 installed on a 1U rack - has two LAN cards one of which has been picked up as WAN and I can log into the GUI... all seems to be working.

I have a Netgear D7000v2 router and I would like to use OPNsense as my firewall, but I'm having issues with configuration.

Is there anyone that would help me find my way ?

I'm not overly familiar with using WAN etc. so I'm just finding myself getting confused within the settings menu.

Hope to speak to someone soon...  :)
Adam
Title: Re: Newbie wanting some help with configuration
Post by: firewall on August 11, 2019, 04:52:03 am
welcome to opnsense, link2019!

please post specifics about the problems you've encountered.  does your opnsense gui report whether or not the WAN interface has been issued a public IP by the D7000v2 or is it a non-routed IP (e.g. 10.x 192.168.x or 172.16.x)?

your setup is not very complex but there may be overlapping functionality you may need to account for--primarily NAT.
Title: Re: Newbie wanting some help with configuration
Post by: Link2019 on August 16, 2019, 07:17:36 am
Hi firewall, thanks for your reply!

I did actually manage to get the firewall working and we now have access.
The Netgear assigned a non-routed IP to the WAN: 192.168.0.2
I have my router set up to DMZ straight to the WAN address. But I'm having an issue port forwarding. I have read and copied many examples but it seems the port won't open on the outside.

When I run a port scan from the outside and look at my Logs > Live View I see the port scan run but it's denied
 
wan      Aug 16 06:14:32   52.202.215.126:34198   192.168.0.2:21   tcp   Default deny rule

I have attached two files showing my config - not sure where I'm going wrong.
Title: Re: Newbie wanting some help with configuration
Post by: banym on August 16, 2019, 05:54:34 pm
Hi Link2019,

welcome to OPNsense.
If you have a private network range on your WAN interface, you should disable these two options:

(https://forum.opnsense.org/index.php?action=dlattach;topic=13777.0;attach=7787)
Title: Re: Newbie wanting some help with configuration
Post by: Link2019 on August 16, 2019, 06:58:27 pm
Hi Banym,

Thanks for your message, I have done what you suggested but I still do not see the ports open, also still seeing the deny rule appear when scanning the port.

I'm not sure if I have found the possible cause. When looking under Log Files > Live View, in the column titles at the top (Interface, Time, Source, Destination etc.), under Destination it's listing the IP for the WAN interface on the firewall, 192.168.0.2. Should that not be listing the IP for the device I'm trying to forward the ports to?
Title: Re: Newbie wanting some help with configuration
Post by: banym on August 16, 2019, 07:38:31 pm
Hey,

maybe you can explain or draw your environment some more.
What IP has your WAN / LAN etc.
How it's connected etc.

Some screenshots of the rules and NAT rules would be good, too.

Regards,

Dominik
Title: Re: Newbie wanting some help with configuration
Post by: Link2019 on August 16, 2019, 08:16:49 pm
Hey Dominik,

I have quickly drawn my network setup and attached some screen grabs from NAT > Port Forward and Rules.

It's not a complex setup at all - Obviously I have got something wrong somewhere.

I'm just going to check that when using DMZ that the NAT on the router is switched off. Other than that...I'm at a complete loss.

Regards
Adam
Title: Re: Newbie wanting some help with configuration
Post by: banym on August 16, 2019, 08:46:01 pm
Hi Adam,

Your NAT rules are the problem.

You have defined the IP 192.168.1.111 as destination and NAT. The destination should be your WAN IP. This destination is then translated to the NAT IP of your server on LAN side.

Hope this helps.

Regards,

Dominik
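
Added example, not part of the original thread and not OPNsense's own code: a simplified Python model of the port-forward matching described in the post above, run against the Live View line quoted earlier in the thread. The `PortForward` class and the function names are hypothetical, and it assumes a matching forward has an associated filter rule that passes the translated traffic.

```python
import ipaddress
from dataclasses import dataclass

# Live View row quoted earlier in the thread:
# interface, date/time, source, destination, protocol, label
LOG_LINE = ("wan      Aug 16 06:14:32   52.202.215.126:34198   "
            "192.168.0.2:21   tcp   Default deny rule")

@dataclass
class PortForward:
    """Simplified stand-in for one NAT > Port Forward entry (hypothetical)."""
    iface: str
    proto: str
    dest_ip: str      # "Destination": the address the packet arrives on
    dest_port: int
    target_ip: str    # redirect target: the host on the LAN side
    target_port: int

def parse_live_view(line):
    """Turn a Live View row into a dict describing the packet."""
    parts = line.split()
    iface, src, dst, proto = parts[0], parts[4], parts[5], parts[6]
    dst_ip, dst_port = dst.rsplit(":", 1)
    ipaddress.ip_address(dst_ip)  # raises ValueError on a malformed address
    return {"iface": iface, "src": src, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "proto": proto}

def evaluate(packet, forwards):
    """Return (verdict, final destination) for an inbound packet.

    Translation is matched on the destination the packet arrived with.
    Assumption: a matching forward has an associated pass rule. A packet no
    forward matches stays addressed to the firewall and hits the default deny.
    """
    for fw in forwards:
        if (fw.iface == packet["iface"] and fw.proto == packet["proto"]
                and fw.dest_ip == packet["dst_ip"]
                and fw.dest_port == packet["dst_port"]):
            return "pass", f"{fw.target_ip}:{fw.target_port}"
    return "Default deny rule", f"{packet['dst_ip']}:{packet['dst_port']}"

packet = parse_live_view(LOG_LINE)
# Rule as first configured: the LAN host entered as destination and as target
broken = [PortForward("wan", "tcp", "192.168.1.111", 21, "192.168.1.111", 21)]
# Corrected rule: destination is the WAN address, target is the LAN host
fixed = [PortForward("wan", "tcp", "192.168.0.2", 21, "192.168.1.111", 21)]

if __name__ == "__main__":
    print("broken:", evaluate(packet, broken))
    print("fixed: ", evaluate(packet, fixed))
```

With the first rule the packet keeps the destination 192.168.0.2:21 and is logged under the default deny rule, which is why Live View showed the WAN address in the Destination column.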
Title: Re: Newbie wanting some help with configuration
Post by: Link2019 on August 16, 2019, 09:14:15 pm
Hey Dominik

That seems to have done the job for port 21 but port 22 is still closed. I checked the settings against the rule for port 21 and they're the same, so I'm not sure what's happening there.

Regards
Adam
Title: Re: Newbie wanting some help with configuration
Post by: banym on August 16, 2019, 09:24:45 pm
You're 100% sure the host behind is listening to 22?

Do you have other rules on WAN side to ssh into your firewall on port 22? If so change the port for the firewall itself to 2222 for example. You can do that under System->Settings->Administration

Otherwise sniff on the WAN interface to see where the traffic is dropped.
Title: Re: Newbie wanting some help with configuration
Post by: Link2019 on August 17, 2019, 09:00:28 am
Ah no my bad,

Port 22 was closed off on the NAS.

Thanks for your help!
Title: Re: Newbie wanting some help with configuration
Post by: tong2x on August 17, 2019, 10:10:53 am
just saw your diagram and you have dmz already..