OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: alh on August 12, 2020, 09:01:52 am

Title: [SOLVED] Can't get port forwarding to work anymore!
Post by: alh on August 12, 2020, 09:01:52 am
I run a mail server behind OPNsense. I have a simple port forward to the host which worked fine in 20.1.x. Now the clients receive a timeout. I did a packet capture and the request hits the OPNsense just fine and it forwards it to the correct host. However, the reply (SYN) from the host hits the OPNsense, which does not forward it to the client! It does not reach the WAN interface.

I tried deleting all port forwards, rebooting, re-creating them but to no avail. How to fix this?
Title: Re: Can't get port forwarding to work anymore!
Post by: secgeek on August 12, 2020, 09:13:25 am
Same Problem here.

I have, just for testing, a TS3 server up and running. With my other firewall everything works, and with a new install of OPNsense (with correct checksum) there is no chance. I have outbound NAT and reflection activated in the settings. Connections established from outside get NATed to the correct IP and port, but nothing goes out. I can connect to the server from my LAN without problems and, as I said, can connect from outside through my other firewall without problems.

Greetings, looking forward to hearing from you guys.
Title: Re: Can't get port forwarding to work anymore!
Post by: Vilhonator on August 12, 2020, 11:52:00 am
Did you make sure DNS records are correct?

It is possible that your server's IP has changed.

https://mxtoolbox.com/ <---- run checkup for your domain on there and check what issues it finds, (there usually are few issues there)
Title: Re: Can't get port forwarding to work anymore!
Post by: secgeek on August 12, 2020, 12:05:01 pm
Quote
Did you make sure DNS records are correct?

It is possible that your server's IP has changed.

https://mxtoolbox.com/ <---- run checkup for your domain on there and check what issues it finds, (there usually are few issues there)
In my situation, the other services are working fine, only the one I want to route through opnsense is not working.

If I do a packet capture or look at the states table, the connection is initialized.

So DNS is working absolutely fine.
It seems to be a problem with opnsense.
Title: Re: Can't get port forwarding to work anymore!
Post by: Vilhonator on August 12, 2020, 02:40:32 pm
OK, could you describe to me the following:

Title: Re: Can't get port forwarding to work anymore!
Post by: alh on August 12, 2020, 03:14:37 pm
Well my setup is like this:

1. Speedport Router of Deutsche Telekom (so double NAT)

2. OPNsense with 1 WAN port (static) in Subnet of Speedport

3. OPNsense with 1 LAN port (static, several VLANs)

Title: Re: Can't get port forwarding to work anymore!
Post by: Vilhonator on August 12, 2020, 04:14:47 pm
Ah, you need to setup firewall rules for LAN /VLAN on opnsense.

First backup everything.

Then go to Firewall -> Rules -> and see if there are any interfaces called VLAN 1 etc. Then click WAN, add a new rule and set allow all from source VLANX/LANX (name of the interface or VLAN the networks belong to) and set destination to WAN net and you are done.
Title: Re: Can't get port forwarding to work anymore!
Post by: alh on August 12, 2020, 04:18:07 pm
Maybe I'm missing something but isn't the reply an established/related connection? Why would I need an extra rule for that? Also the reply is straight to the clients public IP, so I fail to understand why I would need to allow all traffic to WAN net from VLAN net...

It is a simple straightforward port forward. Nothing fancy here. Every 50,- € router can do that...
Title: Re: Can't get port forwarding to work anymore!
Post by: Vilhonator on August 12, 2020, 04:55:26 pm
Quote
Why would I need an extra rule for that? Also the reply is straight to the clients public IP, so I fail to understand why I would need to allow all traffic to WAN net from VLAN net..

If you have more than one public IP address in use, the easiest way to forward connections is to create a firewall rule for the WAN network. To forward requests to a different public IP, your client needs to be connected to a network which has access to the WAN network (not WAN address).

Now if both are using the same public IP, then you need to connect both on LAN ports and create routes; another option is to disable DHCP on either one and connect it to the same network.
Title: Re: Can't get port forwarding to work anymore!
Post by: Vilhonator on August 12, 2020, 05:11:11 pm
It's confusing yes.

NAT port forwarding (network address translation port forwarding) will forward all specified connections to addresses on networks which are routed.

Public IPs don't work on port forwarding.

The reason why the instructions STRONGLY advise you not to delete the fail-safe rules, created automatically once you assign the first LAN and WAN port on OPNsense, is because if you do, you won't be able to manage OPNsense via web GUI or SSH, and the LAN interface gets blocked from the WAN network (by default, OPNsense blocks private network connections to WAN and you won't be able to disable it, unless you have 2 or more WAN ports, just like shown in the image below).
(https://cdn1.bbcode0.com/uploads/2020/8/12/2b8123800171720db5025c15878a3628-full.jpg)
Title: Re: Can't get port forwarding to work anymore!
Post by: alh on August 12, 2020, 06:08:31 pm
I really appreciate your effort to try and help me with my problem. But I fail to relate your answers to my setup or problem. I have 5 sites running OPNsense. This works on all other sites but the one I upgraded to 20.7. None needs this extra rule you are talking about and which does not make any sense to me.

As I said, the setup is as simple as it gets:

Internet -> TCP 993 -> Speedport (10.0.1.1) -> TCP 993 -> OPNsense (WAN 10.0.1.254) -> TCP 993 -> OPNsense (LAN 10.0.2.254) -> TCP 993 -> Server (10.0.2.10)

There is masquerading towards WAN because this stupid Speedport cannot do anything.

TCP packets arrive on WAN port 993 of the OPNsense and get forwarded to LAN and the server. The reply from the server arrives at LAN of the OPNsense and is NOT forwarded back to WAN. IMHO this reply is part of the established/related connection of the initial connection from outside. There is absolutely no need for me to open all ports from the server to WAN.

As said before this works on all other OPNsense installations I have, running 20.1.x though.

Maybe just wait for 20.7.1 to arrive the next days and see if it is fixed.
Title: Re: Can't get port forwarding to work anymore!
Post by: Vilhonator on August 12, 2020, 08:12:31 pm
You are confusing WAN RULES with PORT FORWARDING.

Port forwarding is something NAT uses and it has nothing to do with firewall rules (though port forwarding rules are shown under Firewall rules).

Let's just say your web server (which has to be open to the public) is getting a DoS attack. Because NAT is only forwarding traffic to that server, it can be exploited. How do you think your firewall is blocking connections from specific sources without restricting access from others? VIA FIREWALL RULES.

If you create a WAN rule allowing all incoming connections from WAN to your PC, people are able to connect to your PC, but your PC won't be able to connect to the internet or any other network which routes via WAN.

An outgoing rule enables internet access but not incoming connections, so you won't be able to download anything.

You open port 80 to your PC; unless your PC is running a program which connects to the internet or local area network on TCP port 80, or is hosting a web server listening on TCP port 80 and the OS firewall is allowing incoming connections on TCP port 80 from any remote source, nothing happens because your PC's IP isn't listening on TCP port 80.

How do you block students from accessing Facebook but not teachers? By creating an alias which consists of all Facebook domains, and creating a WAN rule which blocks connections from the student network to the alias consisting of the Facebook hosts. That way any computer connected to the student network won't be able to connect to Facebook, even if they try switching DNS servers.

How do you prevent students from manually changing the IP address of a PC belonging to the student network? By creating a rule on the teacher network that the interface belonging to the student network has no access to the teacher network.

How do you allow the student network to gain access to a web server showing timetables hosted on a server belonging to the teacher network? By creating a rule allowing HTTP and/or HTTPS connections from the student network to the teacher network and creating a port forwarding rule which forwards incoming HTTP and/or HTTPS requests from the student network IP block(s) to the host server.

How do you forward DNS requests to their specified networks without opening the networks to each other? By creating a rule on each network forwarding DNS requests to the main gateway, which in return forwards traffic based on source address and ports to a certain destination on certain ports.

This is all something which ANY router with a built-in firewall and NAT can do; you don't need a high-end router which costs 1 000 €+ to do this. All you need is a router with a firewall which allows you to set up a firewall rule from IP -> from port start - from port end -> destination IP -> destination port start -> destination port end. (Yeah, terms might be a bit different depending on brand, but.) In fact you can do that on Windows Firewall if you feel crazy enough to fool around with it.
Title: Re: Can't get port forwarding to work anymore!
Post by: secgeek on August 12, 2020, 09:37:23 pm
Okay so thanks for your input.

I did some research on another site and figured out that I did not use OPNsense as the default gateway. So this was my (little) problem.

Greetings
Title: Re: Can't get port forwarding to work anymore!
Post by: alh on August 12, 2020, 10:23:55 pm
As I said, I don't think we understand each other. And if it is true what you say/suggest these dropped packets should show up in the firewall log. They don't.
Title: Re: Can't get port forwarding to work anymore!
Post by: secgeek on August 13, 2020, 09:18:21 am
Quote
As I said, I don't think we understand each other. And if it is true what you say/suggest these dropped packets should show up in the firewall log. They don't.
1. Did you notice we are 3 people in this thread?

2. My problem was the endpoint configuration. The default gateway was wrong. I didn't see anything in the firewall log, but now I can see them and the connection is established. So your suggestion is wrong.
Title: Re: Can't get port forwarding to work anymore!
Post by: alh on August 13, 2020, 09:20:01 am
Yes I did. Sorry, my reply was not intended for you...
Title: Re: Can't get port forwarding to work anymore!
Post by: secgeek on August 13, 2020, 09:32:32 am
OK alh, so I have a Speedport too and have a router behind it, also a connection through Deutsche Telekom.

I have the server now in a VLAN where the firewall is the default gateway, and did a static configuration of the server where I had to set the default gateway manually as I did it static.
Then I set up a port forwarding with the same protocol as the server (UDP for me),
source has to be any,
destination has to be WAN address and the right port (the same you set up as Portweiterleitung in the Speedport),
redirecting to the server IP and the right port.
Selected NAT = enabled and did all this for the WAN interface.

I did not check your details mentioned above; please check your settings yourself and use a different network for your VLANs.

If your LAN is on
192.168.50.0/24
your VLAN should be on a different subnet like:
VLAN 250
192.168.250.0/24

It doesn't need to be a /24 subnet (class C); it could be another as well, but it makes things easier because most people use these standards.

You don't need any additional rules; they are only security risks.

Greetings
Looking forward to hearing from you.
Title: Re: Can't get port forwarding to work anymore!
Post by: alh on August 13, 2020, 10:02:15 am
Gateway, VLAN config etc. is fine. Everything works from the LAN/VLANs as intended. The only issue I have is that the port forward does not work. It actually does work in the sense that requests are forwarded to the server but the reply of the server is not travelling back through the Firewall. So the client just times out. If a client from LAN connects to the server in VLANx it works perfectly fine. But then this is simple routing and not DNAT.
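The symptom alh describes (request forwarded through the port forward, server replies on the LAN side, nothing leaves WAN) can be confirmed from the firewall itself in two ways: the pf state for the forwarded connection stays half-open, and a capture on each interface shows the SYN-ACK on LAN but not on WAN. The script below is an added example for this thread, not code from the posts or from OPNsense. It assumes em0 is WAN and em1 is LAN, a made-up client address 203.0.113.5, and the FreeBSD `pfctl -ss` and `tcpdump -n` line layouts shown in the embedded samples, which are constructed; 10.0.1.254, 10.0.2.10 and port 993 are the values alh posted.

```shell
#!/bin/sh
# Added example for this thread; not code from the posts or from OPNsense.
# Checks the "forwarded in, never answered out" symptom from two angles:
#   1. pf state table: the rdr'd state sits in SYN_SENT:CLOSED (client SYN seen,
#      server SYN-ACK never passed through the state).
#   2. captures on both interfaces: server SYN-ACKs visible on LAN, none on WAN.
# Live use on the box:  pfctl -ss | half_open_forwards 993
#                       tcpdump -ni em1 -c 50 tcp port 993  (and the same on em0)
# Assumed (not from the thread): em0 = WAN, em1 = LAN, client 203.0.113.5,
# and the pfctl/tcpdump line layouts below. All sample data is constructed.

# Constructed `pfctl -ss` excerpt: two forwarded IMAPS connections never got a
# reply, one did, an SSH forward on 2222 is fine, one unrelated UDP state.
SAMPLE_STATES='all tcp 10.0.2.10:993 (10.0.1.254:993) <- 203.0.113.5:51234       SYN_SENT:CLOSED
all tcp 10.0.2.10:993 (10.0.1.254:993) <- 203.0.113.5:51240       SYN_SENT:CLOSED
all tcp 10.0.2.10:993 (10.0.1.254:993) <- 198.51.100.7:40001       ESTABLISHED:ESTABLISHED
all tcp 10.0.2.10:22 (10.0.1.254:2222) <- 203.0.113.5:51300       ESTABLISHED:ESTABLISHED
all udp 10.0.2.254:53 <- 10.0.2.20:5353       MULTIPLE:SINGLE'

# Constructed `tcpdump -ni em1 tcp port 993` (LAN side): request in, SYN-ACK out (twice).
SAMPLE_LAN='10:00:01.000100 IP 203.0.113.5.51234 > 10.0.2.10.993: Flags [S], seq 1, win 64240, length 0
10:00:01.000250 IP 10.0.2.10.993 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
10:00:02.000250 IP 10.0.2.10.993 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65160, length 0'

# Constructed `tcpdump -ni em0 tcp port 993` (WAN side): only the client's retries.
SAMPLE_WAN='10:00:01.000050 IP 203.0.113.5.51234 > 10.0.1.254.993: Flags [S], seq 1, win 64240, length 0
10:00:02.000050 IP 203.0.113.5.51234 > 10.0.1.254.993: Flags [S], seq 1, win 64240, length 0'

# half_open_forwards PORT   (stdin: pfctl -ss)
# Prints rdr'd states on PORT where pf saw the client's SYN but no reply.
# Only translated states carry the "(original-dst:port)" fourth field, so plain
# routed LAN-to-VLAN traffic (which alh says works) is ignored.
half_open_forwards() {
  awk -v port="$1" '
    $4 ~ /^\(.*:[0-9]+\)$/ {
      split($3, dst, ":")                  # post-rdr destination host:port
      if (dst[2] != port) next
      if (split($NF, st, ":") == 2 && st[1] == "SYN_SENT" && st[2] == "CLOSED")
        print $6 " -> " $3 " via " $4 " " $NF
    }'
}

# half_open_count PORT   (stdin: pfctl -ss) -- same thing as a number.
half_open_count() {
  half_open_forwards "$1" | awk 'END { print NR }'
}

# syn_ack_count PORT   (stdin: tcpdump -n output)
# Counts SYN-ACKs whose source port is PORT, i.e. replies from the forwarded
# service, whatever source address the capture interface shows.
syn_ack_count() {
  awk -v port="$1" '
    / Flags \[S\.\],/ {
      n = split($3, src, ".")              # "10.0.2.10.993": port is the last piece
      if (src[n] == port) c++
    }
    END { print c + 0 }'
}

# reply_path_broken PORT LAN_CAPTURE WAN_CAPTURE
# True when the server's SYN-ACKs are seen on LAN but never on WAN.
reply_path_broken() {
  lan=$(printf '%s\n' "$2" | syn_ack_count "$1")
  wan=$(printf '%s\n' "$3" | syn_ack_count "$1")
  [ "$lan" -gt 0 ] && [ "$wan" -eq 0 ]
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_STATES" | half_open_forwards 993
if reply_path_broken 993 "$SAMPLE_LAN" "$SAMPLE_WAN"; then
  echo "port 993: server replies seen on LAN but not on WAN, return path dies inside the firewall"
fi
```

A half-open state with nothing in the firewall log is the combination alh reports: the packet was not blocked by a filter rule, it simply never made it back through the state. If the state table is empty for the port instead, the SYN never reached the firewall at all, which points at the upstream Speedport.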
Title: Re: Can't get port forwarding to work anymore!
Post by: secgeek on August 13, 2020, 10:23:51 am
Quote
Gateway, VLAN config etc. is fine. Everything works from the LAN/VLANs as intended. The only issue I have is that the port forward does not work. It actually does work in the sense that requests are forwarded to the server but the reply of the server is not travelling back through the Firewall. So the client just times out. If a client from LAN connects to the server in VLANx it works perfectly fine. But then this is simple routing and not DNAT.

This is the exact same problem I had.
Do you have multiple DHCP servers on the network where the service lives?
It could be that locally you can connect, but the configuration of the server is using just the same network gateway as your client, whereas when the connection comes from the outside, the gateway of your server has to be the firewall that is getting the connection from the outside.
Did you check your port forwarding rules? Make sure the interface is set to WAN and no source is set up; maybe delete the rule and re-enter it, this could help with settings you did for your system.
You can go to the outbound NAT and make sure the VLAN was added automatically to the outbound NAT rules.

Greetings
Looking forward to hearing from you
Title: Re: Can't get port forwarding to work anymore!
Post by: alh on August 13, 2020, 11:24:27 am
I attached the screens of my config. Maybe you spot the problem... 192.168.188.1 is the IP of the Speedport.
Title: Re: Can't get port forwarding to work anymore!
Post by: alh on August 13, 2020, 10:32:41 pm
Just installed 20.7.1 and that fixed my issue (at least partly). Replies from LAN/VLANs travel now back to WAN.

However, port randomization confuses the Speedport router. I had to add rules to outbound NAT to enable static port on the forwarded ports. Strangely enough, I had to do this with source any instead of only the server... but that is maybe a lack of understanding on my part.
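One thing worth checking when a "static port" outbound NAT rule seems not to take effect: pf evaluates translation rules (nat, rdr) first-match-wins, the opposite of the last-match default for filter rules, so a generic "from LAN net to any -> WAN address" rule ordered above the static-port rule shadows it and the source port is still randomised. The script below is an added example for this thread, not code from the posts or from OPNsense; it reads `pfctl -sn` and reports which nat rule actually applies to the server's packets. It assumes em0 is WAN, the `pfctl -sn` line layout shown in the constructed samples, and a static-port rule keyed on the server's source port; 10.0.2.10, 10.0.1.254 and port 993 are alh's values.

```shell
#!/bin/sh
# Added example for this thread; not code from the posts or from OPNsense.
# Given `pfctl -sn` output, find the first nat rule on the WAN interface that
# matches the server's outgoing packets and say whether it carries static-port.
# Live use on the box:  pfctl -sn | effective_nat em0 10.0.2.10 993
# Assumed (not from the thread): em0 = WAN and the pfctl -sn layout below.

# Constructed `pfctl -sn`: static-port rule present but listed AFTER the generic
# rule, so with first-match-wins translation it never applies.
SHADOWED='nat on em0 inet from 10.0.2.0/24 to any -> 10.0.1.254
nat on em0 inet from 10.0.2.10 port = 993 to any -> 10.0.1.254 static-port
rdr on em0 inet proto tcp from any to 10.0.1.254 port = 993 -> 10.0.2.10 port 993'

# Constructed `pfctl -sn`: same rules, specific rule first.
CORRECT='nat on em0 inet from 10.0.2.10 port = 993 to any -> 10.0.1.254 static-port
nat on em0 inet from 10.0.2.0/24 to any -> 10.0.1.254
rdr on em0 inet proto tcp from any to 10.0.1.254 port = 993 -> 10.0.2.10 port 993'

# effective_nat WAN_IF SERVER_IP SRC_PORT   (stdin: pfctl -sn)
# Prints "STATIC: <rule>", "RANDOMISED: <rule>" or "NONE: ..." for the first
# nat rule on WAN_IF whose source (host, CIDR or any) and optional source port
# match SERVER_IP:SRC_PORT.
effective_nat() {
  awk -v wan="$1" -v server="$2" -v port="$3" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # IPv4 containment without bit operators (portable to one-true-awk on FreeBSD)
    function in_net(ip, net,  parts, n, bits, div) {
      if (net == "any") return 1
      n = split(net, parts, "/")
      bits = (n == 2) ? parts[2] + 0 : 32
      if (bits == 0) return 1
      div = 2 ^ (32 - bits)
      return int(ip2n(ip) / div) == int(ip2n(parts[1]) / div)
    }
    $1 == "nat" && $2 == "on" && $3 == wan {
      src = ""; sport = ""
      for (i = 4; i <= NF; i++)
        if ($i == "from") { src = $(i + 1); j = i + 2; break }
      if (src == "") next
      if ($j == "port" && $(j + 1) == "=") sport = $(j + 2)   # optional source port
      if (!in_net(server, src)) next
      if (sport != "" && sport != port) next
      found = 1
      tag = ($0 ~ /static-port$/) ? "STATIC" : "RANDOMISED"
      print tag ": " $0
      exit                                   # first matching translation rule wins
    }
    END { if (!found) print "NONE: no nat rule on " wan " matches " server ":" port }'
}

# Demo on the constructed rule sets.
printf '%s\n' "$SHADOWED" | effective_nat em0 10.0.2.10 993
printf '%s\n' "$CORRECT"  | effective_nat em0 10.0.2.10 993
```

In the OPNsense GUI the same ordering is what the drag handles under Firewall: NAT: Outbound control; in hybrid mode the manual rules are placed ahead of the automatic ones, which is one reason the hybrid suggestion in this thread works without thinking about order.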
Title: Re: [SOLVED] Can't get port forwarding to work anymore!
Post by: secgeek on August 14, 2020, 07:22:08 am
Hello alh

OK, so you are posting in the 20.7 forum, so everybody assumes you have at least 20.7 installed; there are some major differences.

Secondly, just change your outbound NAT to hybrid and delete the any-to-any rule; this way you can do your own rules and not miss the right rules, and the any-to-any rule is wrong.

If you have a strong point about not using the hybrid or automatic mode, just use the hybrid mode for the moment; you can rebuild your manual rules afterwards.

After changing the outbound NAT to hybrid mode and applying everything, do a reboot, because OPNsense has to rebuild the rules and the reboot makes everything faster.

I think after the reboot, and if your servers/clients are configured the right way, your problems should be gone.

Greetings
Looking forward to hearing from you

PS: you have to delete and rebuild your NAT forward rules with NAT reflection and associated rules enabled, after the reboot.
Title: Re: [SOLVED] Can't get port forwarding to work anymore!
Post by: alh on August 14, 2020, 09:19:48 am
I did have 20.7.0 installed and the mode is set to manual. The upgrade to 20.7.1 fixed the particular issue without me changing/adding any rules. So either the reboot changed it (which I doubt since I did that before as well) or the fixes in 20.7.1... Anyway, issue is solved for me and my rules work now as intended.