OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: senseivita on September 28, 2020, 03:19:23 am

Title: Problem with NAT, firewall is blocking traffic
Post by: senseivita on September 28, 2020, 03:19:23 am
[See the attached diagram]

[Ready?… OK. Last time I was told I should attach screenshots or something :)]

Hey all,

What you're seeing there is a rough approximation of the network. I'm moving from another platform where the firewall was responsible for maintaining a site-to-site link to a remote firewall. The purpose of this is getting a static IPv4 address, which my ISP no longer offers.

Anyway, S2S works, there's full communication and I'm even collecting SNMP data from the interfaces on the remote site. The problem is that OPNsense doesn't let traffic go out. I located the states and only one side is established. Subsequent states are waiting. The only thing I could come up with is allowing traffic out from the interface where the server is, but it makes no sense; there should be no need to allow traffic out if there's an inbound rule/port-forward that should allow the server reply if requested.

The subnet where the server lives has rules to allow only traffic to RFC1918 and RFC1918v6 (a misnomer for my /48) networks and ICMP to everywhere. It has no specific blocks, none of the interfaces have. I skipped using the interface that's auto-designated as "LAN" by the setup wizard because it's sort of unclear if it blocks by default as secondary LANs do.

Where could I look for more information for this in the box? -- I already did basic troubleshooting, checked that the servers have the correct gateway, that they can reach the Internet via the tunnel (allowing traffic temporarily) and locally and the other tunnel, firewall optimization is set to conservative. Everything checks out, I'm lost here. :/ The only thing I noticed is that latency (gateway monitoring) is off the charts, about 400-550ms, it was never this high before. But, there is no packet loss and actually doing pings FROM a server reports something like 30-40ms.
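The symptom described above (states where only one side is established, with later states waiting) is something you can check mechanically from the firewall's state table rather than by eye. The following is an added example, not code from the original post or from OPNsense: it parses lines in the shape of `pfctl -ss` output, flags state entries where exactly one side has never sent traffic (e.g. `CLOSED:SYN_SENT`, an inbound SYN that the server never answered), and counts them per initiating host so a client that keeps retrying stands out. The sample lines, the addresses (documentation ranges) and the assumption that the state pair is printed in the same left/right order as the two addresses are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample modelled on `pfctl -ss` output. Assumed layout:
#   "<iface> <proto> <addr:port> [(translated addr:port)] <-|-> <addr:port>   <left>:<right>"
# where the state pair follows the same order as the two printed addresses.
# Addresses are documentation ranges, not taken from any real deployment.
SAMPLE_STATES = """\
all tcp 192.168.10.20:22 <- 192.168.10.5:51324       ESTABLISHED:ESTABLISHED
all tcp 10.20.30.5:443 (203.0.113.10:443) <- 198.51.100.7:40211       CLOSED:SYN_SENT
all tcp 10.20.30.5:443 (203.0.113.10:443) <- 198.51.100.7:40212       CLOSED:SYN_SENT
all udp 10.20.30.1:53 <- 192.168.10.5:60000       MULTIPLE:SINGLE
all tcp 192.168.10.5:52000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_xlate>[^)]+)\))?\s+"
    r"(?P<direction><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_xlate>[^)]+)\))?\s+"
    r"(?P<left_state>[A-Z_]+):(?P<right_state>[A-Z_]+)\s*$"
)

# Per-side states meaning "this side has not sent anything yet"
# (TCP uses CLOSED, non-TCP uses NO_TRAFFIC).
SILENT = {"CLOSED", "NO_TRAFFIC"}


def parse_states(text):
    """Parse pfctl-style state lines into dicts; lines that do not match are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states


def is_one_sided(state):
    """True when exactly one side of the state has never sent traffic.

    That is the 'only one side is established' picture: the initiator sent its
    first packet, the state was created, but no reply ever passed the firewall.
    """
    sides = (state["left_state"], state["right_state"])
    return sum(1 for s in sides if s in SILENT) == 1


def find_one_sided(states):
    """Return only the states where one side is still waiting for a reply."""
    return [s for s in states if is_one_sided(s)]


def peers_with_unanswered_states(states):
    """Count one-sided states per initiating host.

    The initiator is whichever side has actually sent traffic (the non-silent
    side), so this does not depend on the '<-' / '->' direction marker.
    """
    counts = Counter()
    for s in find_one_sided(states):
        initiator = s["left"] if s["left_state"] not in SILENT else s["right"]
        host = initiator.rsplit(":", 1)[0]   # strip the port; works for [v6]:port too
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_STATES)
    print(f"{len(parsed)} states parsed, {len(find_one_sided(parsed))} one-sided")
    for host, n in peers_with_unanswered_states(parsed).items():
        print(f"  {host}: {n} unanswered state(s)")
```

On a live box you would feed it the real output (`pfctl -ss`) instead of the constructed sample; a host that accumulates several one-sided states against the same translated destination points at the reply path (routing or the reply-to gateway of the state) rather than at the inbound rule, which has evidently already matched or the state would not exist.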
Title: Re: Problem with NAT, firewall is blocking traffic
Post by: senseivita on September 28, 2020, 03:20:19 am
[forgot the attachment!  ;D]
Title: Re: Problem with NAT, firewall is blocking traffic
Post by: senseivita on September 28, 2020, 06:51:54 am
...never mind, it is not my config; I just discovered it will not work on directly connected interfaces either.

Why would you put out a product that can't handle the basics though? It hurts perception. Now I'm officially done with OPNsense; it's been a massive waste of time and loss of data. :/ Back to the boring but reliable pfSense.