OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: andrew11 on November 29, 2019, 07:48:29 am

Title: Trouble allowing traffic from WAN to internal network
Post by: andrew11 on November 29, 2019, 07:48:29 am
Hello,

I am currently working on a project for school, and I am having some trouble getting traffic to travel from the WAN network to the internal network. My deadline is coming up soon, so any help would be greatly appreciated.

So my network is as follows:
(FYI This is all done in virtualbox)

I have an OPNSense firewall with 3 NICs:
DMZ (em2) - 192.168.2.1/24
LAN (em1) - 192.168.1.1/24
WAN (em0) - DHCP4: 192.168.50.244/24

Directly connected to the OPNSense DMZ interface is a Windows honeypot (DHCP) and a Windows web server (192.168.2.2); this web server hosts a simple website using HTTP.

Directly connected to the LAN interface of the firewall is a router with 3 NICs:
External: 192.168.1.1 - connected to the firewall
LAN: 192.168.4.1 - domain controller and servers are on this network
LAN: 192.168.3.1 - Windows workstation is connected to this network

So I am currently experiencing two issues which I think may be related.

1)
I installed OpenVPN using the OpenVPN wizard in the web GUI for OPNSense. After installing, I am able to successfully connect from my host machine. However, after I connect I am unable to ping the local networks I specified in the VPN server, which would be 192.168.4.0/24 and 192.168.3.0/24. I'm not sure if it is an issue with the firewall rules; they were created automatically when using the wizard to set up the server.

2)
I am unable to access the website hosted on the web server in the DMZ even though I have specified rules in the firewall to allow HTTP traffic from the WAN to the DMZ. The website on the web server is a simple IP-based website using the address 192.168.2.3.

My firewall rules are as follows:
WAN)
IPv4 TCP     Source: *   Port: *   Destination: DMZ net       Port: 80 (HTTP)       Gateway: *   Schedule: *
IPv4+6 UDP   Source: *   Port: *   Destination: WAN address   Port: 1194 (OpenVPN)  Gateway: *   Schedule: *

OpenVPN)
IPv4+6 *     Source: *   Port: *   Destination: *             Port: *               Gateway: *   Schedule: *


I think I need to add some port forwarding rules in the firewall. I tried to add some port forwarding rules through NAT. I also attempted to set up a 1:1 NAT using a virtual IP that I set up in the Virtual IP section. Neither of these options seemed to work. Any suggestions would be greatly appreciated.

-Thanks
Title: Re: Trouble allowing traffic from WAN to internal network
Post by: andrew11 on November 29, 2019, 07:50:19 am
Update: I am not sure I set up the port forwarding rules correctly as I have never done it before, so any advice on that would be great too.
Title: Re: Trouble allowing traffic from WAN to internal network
Post by: banym on November 29, 2019, 11:45:34 am
Hi Andrew,

Since you have a private network range on WAN, you need to uncheck the "block private networks" option on the WAN interface.

Maybe allow ICMP echo requests on the WAN interface to make it possible to ping the WAN interface and see if that works.
Please make some screenshots of the NAT rules and post them here.
Make some screenshots of the LAN and DMZ rules, too.

If you need to access the web server from your LAN, you need to add the rules in the LAN section.
If you need to access the web server from WAN, you need to add the rules in the WAN section.
If you want to access the web server from your WAN but you want to use the firewall IP and do port forwarding, you need to add the rules in the NAT section, and the rule on WAN will be generated automatically by default.

Review all machines to have the correct default GW to be sure routing is not the problem.

Regards,

Dominik
Title: Re: Trouble allowing traffic from WAN to internal network
Post by: andrew11 on November 29, 2019, 08:59:21 pm
Hello again,

I originally did disable the "block private networks" option on the WAN interface; sorry, I forgot to mention that. The issue still seems to occur.

I'm not sure how I can attach a screenshot to my post in this forum; I don't see an option for it.

I did add the following rule to my WAN to do some testing:
IPv4 ICMP    Source: *   Port: *   Destination: *   Gateway: *   Schedule: *
After adding this rule, I am still unable to ping the firewall or anything on the network from my host machine. I am also still unable to access the local networks specified in the server when connecting to OpenVPN.

This is the NAT port forwarding setting I added:
WAN   Proto: TCP   Source: *   Ports: *   Destination: 192.168.50.244   Ports: 80 (HTTP)   NAT: 192.168.2.3/24   Ports: 80 (HTTP)
I am still unable to access the website on the web server hosted in the DMZ.

My other firewall rules are below.

LAN)
Pass  IPv4     Source: 192.168.3.0/24   Port: *   Destination: *         Port: *   Gateway: *   Schedule: *
Pass  IPv4 TCP Source: LAN net          Port: *   Destination: DMZ net   Port: *   Gateway: *   Schedule: *

DMZ)
Block IPv4 *   Source: DMZ net          Port: *   Destination: LAN net   Port: *   Gateway: *   Schedule: *
Pass  IPv4 *   Source: DMZ net          Port: *   Destination: *         Port: *   Gateway: *   Schedule: *

I have confirmed all machines do have the correct default GW.

-Thanks Again

Andrew
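The WAN rules and the port forward from the two posts above, modelled as an added example (not code from the thread or from OPNsense) of pf's inbound order of operations: the redirect is applied first, and the WAN filter rules are then evaluated against the translated packet, first match wins. The test client address 192.168.50.10 is assumed.

```python
# Added example: model of how OPNsense/pf handles a packet arriving on WAN.
# Port forward (rdr) translation happens before the WAN filter rules are checked,
# and OPNsense rules are "quick" by default, so the first matching rule decides.
# Rules and addresses are transcribed from the poster's two messages.
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN_ADDR = "192.168.50.244"
NETS = {"DMZ net": "192.168.2.0/24", "LAN net": "192.168.1.0/24"}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (ICMP)

def _match_addr(spec: str, addr: str) -> bool:
    """Match an address against a rule field: '*', 'WAN address', a net alias or CIDR."""
    if spec == "*":
        return True
    if spec == "WAN address":
        return addr == WAN_ADDR
    net = NETS.get(spec, spec)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

# Port forward from the follow-up post: TCP to 192.168.50.244:80 -> 192.168.2.3:80
PORT_FORWARDS = [("tcp", WAN_ADDR, 80, "192.168.2.3", 80)]

# WAN filter rules from both posts, in order: (action, proto, src, dst, dport)
WAN_RULES = [
    ("pass", "tcp", "*", "DMZ net", 80),
    ("pass", "udp", "*", "WAN address", 1194),
    ("pass", "icmp", "*", "*", None),
]

def translate(pkt: Packet) -> Packet:
    """Apply the first matching port forward; pf does this before filtering."""
    for proto, dst, dport, to, to_port in PORT_FORWARDS:
        if pkt.proto == proto and pkt.dst == dst and pkt.dport == dport:
            return Packet(pkt.proto, pkt.src, to, to_port)
    return pkt

def filter_wan(pkt: Packet):
    """Return (action, index) of the first WAN rule that matches; WAN blocks by default."""
    for i, (action, proto, src, dst, dport) in enumerate(WAN_RULES):
        if proto not in ("*", pkt.proto):
            continue
        if not (_match_addr(src, pkt.src) and _match_addr(dst, pkt.dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, i
    return "block", None

def inbound_wan(pkt: Packet):
    """Full inbound path: translate, then filter. Returns (action, rule index, translated packet)."""
    translated = translate(pkt)
    action, idx = filter_wan(translated)
    return action, idx, translated
```

Running `inbound_wan(Packet("tcp", "192.168.50.10", WAN_ADDR, 80))` shows the packet reaching the filter stage with destination 192.168.2.3, which is why the WAN pass rule must name the DMZ host or net rather than the WAN address.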