OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: TheBiGWall on April 16, 2022, 07:16:09 pm

Title: Bypass Firewall for one device?
Post by: TheBiGWall on April 16, 2022, 07:16:09 pm
Hello Everyone,

I'm having a minor issue with my current setup, and I haven't been able to find any fixes online; hoping someone can advise me here.

I'm running OPNsense 22.1.6 (native hardware; this was happening on older versions), and everything works fine but not my cable box when it comes to catching up on stuff, which is very odd.

When using my cable box and trying to watch catch up BBC iPlayer, Four on-demand, they will load and never start, regardless of how much time has passed; I have checked the firewall logs in case anything is getting blocked, but I can't see anything that is out of place.

What's weird is that if I use any catch-up service on my Smart TV, mobile Device, or Computer, they work fine (everything runs through the firewall), with no issues, and everything loads straight away; when it comes to the cable box that's where the problems are.

I have a router that is set to modem mode (which means only LAN port one works and the rest are disabled).

I have tried this fix https://forum.netgate.com/topic/142848/pfsense-disabling-firewall-for-one-specific-ip (I know this was a pfSense fix). However, if I have both devices, the issue seems to be a "fight" for the WAN IP address, so only one device would get the WAN, and the other would never connect.

I thought about changing my modem to router mode, and I still have the same setup. But at least the cable box could "bypass" the firewall and go into LAN port two; I wasn't sure if this would mess up my firewall config, since router mode puts the device on 192.0.0.X; when using a firewall, it goes 192.168.1.x.

My setup is (picture):

Devices -> Switch -> Firewall -> Modem -> WWW

Any advice would be much love
Thanks!

Notes: Both the cable box and router are from the same ISP.

ISP is Virgin Media.
Title: Re: Bypass Firewall for one device?
Post by: cookiemonster on April 16, 2022, 10:58:56 pm
and everything works fine but not my cable box when it comes to catching up on stuff, which is very odd.

When using my cable box and trying to watch catch up BBC iPlayer, Four on-demand, they will load and never start, regardless of how much time has passed; I have checked the firewall logs in case anything is getting blocked, but I can't see anything that is out of place.

What's weird is that if I use any catch-up service on my Smart TV, mobile Device, or Computer, they work fine (everything runs through the firewall), with no issues, and everything loads straight away; when it comes to the cable box that's where the problems are.

I have a router that is set to modem mode (which means only LAN port one works and the rest are disabled).

ISP is Virgin Media.
Could you describe the problematic device better in terms of network and hardware/software, something to go on?
Title: Re: Bypass Firewall for one device?
Post by: EdwinKM on April 17, 2022, 09:54:08 am
I find it very difficult to follow. Also read the pfSense topic. It seems you decided on a solution, but we try to discover the real problem of the issue you want to solve.

You are probably creating a really big security hole.
Title: Re: Bypass Firewall for one device?
Post by: TheBiGWall on April 17, 2022, 06:12:35 pm
and everything works fine but not my cable box when it comes to catching up on stuff, which is very odd.

When using my cable box and trying to watch catch up BBC iPlayer, Four on-demand, they will load and never start, regardless of how much time has passed; I have checked the firewall logs in case anything is getting blocked, but I can't see anything that is out of place.

What's weird is that if I use any catch-up service on my Smart TV, mobile Device, or Computer, they work fine (everything runs through the firewall), with no issues, and everything loads straight away; when it comes to the cable box that's where the problems are.

I have a router that is set to modem mode (which means only LAN port one works and the rest are disabled).

ISP is Virgin Media.
Could you describe the problematic device better in terms of network and hardware/software, something to go on?

Hi,

I was able to find a PDF "https://store.virginmedia.com/content/dam/eSales/corporate/VirginTVV6boxfactsheet.pdf" on the device itself; it's your standard TV box sent by your ISP, in the sense that you can't change much, and they control the updates and software.

Again, it works fine if the cable box is plugged straight into the router (bypassing the firewall), but if plugged into the firewall, it won't load anything on catch up; my guess is, since they own the box, network and router, it must pass through a "portal" of some sort. Again, no idea, and I can't find anything in the logs to see what could be getting blocked, as the catch up works fine on my other intelligent devices, just not my cable box.
Title: Re: Bypass Firewall for one device?
Post by: TheBiGWall on April 17, 2022, 06:17:58 pm
I find it very difficult to follow. Also read the pfSense topic. It seems you decided on a solution, but we try to discover the real problem of the issue you want to solve.

You are probably creating a really big security hole.


Hi,

The issue with that fix is "If you do not have more than one public IP, what you're asking is just not possible." That's my issue. If I set my router into modem mode, only one LAN port works, and only one device can be connected; even if I use a switch, the first device to get plugged in will get the public IP address, so the other device would fail to get one.

If I were to change my modem back into router mode, all LAN ports would work, and I could set it up like that. But I'm worried this might mess up my firewall as everything would run differently.

"In short, modem only mode turns off all router functions except for the modem."
"https://www.netxl.com/blog/networking/can-i-replace-my-virgin-media-router/"
Title: Re: Bypass Firewall for one device?
Post by: cookiemonster on April 17, 2022, 11:03:18 pm
Right, I think I get what the problem is now.
What you have described is a setup where you have put your ISP-provided all-in-one consumer router into a modem-only mode. All fine there. You then have OPN getting the WAN IP from the "modem". You then have set up your network and services in OPN, and you have a switch where your LAN clients connect.
Then you have a set top box where only catch up TV times out.
So you need to focus on the network traffic from the set-top-box (STB).
Does it get an IP address from OPN and otherwise network-wise everything else is working?
Yes, it might be an idea to "bypass the firewall" but it's not known what the problem is yet. Does the STB have a diagnostics function you could start, see if it shows clues like DNS failing?
Otherwise you'll need to inspect the traffic. What you can do is change the default logging to show more, narrow down the live logs to the STB IP address and see what it shows when it fails (timeout).
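The "narrow the live log down to the STB address" step above can also be done offline against an exported firewall log. The script below is an added example, not code from the thread or from OPNsense: it reads records in the filterlog CSV layout (field order assumed here: rule number, sub-rule, anchor, label, interface, reason, action, direction, IP version, then for IPv4 tos, ecn, ttl, id, offset, flags, protocol number, protocol name, length, source, destination, source port, destination port), keeps only the lines sourced from one client and counts which destinations were blocked. The log lines, the STB address 192.168.1.50 and all other addresses are constructed for the example, and the syslog prefix in front of the CSV body has been stripped.

```python
import csv
from collections import Counter

# Constructed sample records in the OPNsense filterlog CSV layout (assumed field
# order: rulenr,subrulenr,anchor,label,interface,reason,action,direction,ipversion,
# tos,ecn,ttl,id,offset,flags,protonum,protoname,length,src,dst,srcport,dstport,...).
# Only the CSV body is shown; the syslog prefix was dropped. Addresses are made up.
SAMPLE_LOG = """\
0,,,1000000103,igb1,match,pass,in,4,0x0,,64,10234,0,DF,6,tcp,60,192.168.1.50,198.51.100.20,51514,443,0,S,1:1,,65535,,mss
0,,,1000000103,igb1,match,pass,in,4,0x0,,64,10235,0,DF,17,udp,61,192.168.1.50,192.168.1.1,50023,53,41
5,,,1000000104,igb1,match,block,in,4,0x0,,64,10236,0,DF,6,tcp,60,192.168.1.50,203.0.113.7,51515,8080,0,S,1:1,,65535,,mss
5,,,1000000104,igb1,match,block,in,4,0x0,,64,10237,0,DF,6,tcp,60,192.168.1.50,203.0.113.7,51516,8080,0,S,1:1,,65535,,mss
5,,,1000000104,igb1,match,block,in,4,0x0,,64,10238,0,DF,6,tcp,60,192.168.1.77,203.0.113.9,40001,23,0,S,1:1,,65535,,mss
"""

STB_IP = "192.168.1.50"  # hypothetical set-top-box address


def parse_filterlog(line):
    """Pull the fields that matter for a per-client review out of one IPv4 record."""
    fields = next(csv.reader([line]))
    if len(fields) < 20 or fields[8] != "4":
        return None  # IPv6 lines and truncated records are skipped in this example
    rec = {
        "interface": fields[4], "action": fields[6], "direction": fields[7],
        "proto": fields[16], "src": fields[18], "dst": fields[19],
        "srcport": None, "dstport": None,
    }
    # Ports only exist for TCP/UDP; ICMP records carry other data in those slots.
    if rec["proto"] in ("tcp", "udp") and len(fields) >= 22:
        rec["srcport"], rec["dstport"] = fields[20], fields[21]
    return rec


def client_summary(log_text, client_ip):
    """Count (action, proto, dst, dstport) for every flow sourced from client_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["src"] == client_ip:
            counts[(rec["action"], rec["proto"], rec["dst"], rec["dstport"])] += 1
    return counts


def blocked_destinations(log_text, client_ip):
    """Only the blocked flows, most frequent first: these are what to look at first."""
    blocked = [(key[1:], n) for key, n in client_summary(log_text, client_ip).items()
               if key[0] == "block"]
    return sorted(blocked, key=lambda kv: -kv[1])


if __name__ == "__main__":
    hits = blocked_destinations(SAMPLE_LOG, STB_IP)
    if not hits:
        # An empty result is itself a finding: the packet filter is not the blocker,
        # so the next place to look is name resolution (DNS) rather than firewall rules.
        print(f"no blocked flows from {STB_IP}; check DNS next")
    for (proto, dst, port), n in hits:
        print(f"{n:3d}x block {proto} {dst}:{port}")
```

If the summary for the STB shows passes only, as it did for the original poster, the firewall rules are cleared and the DNS path (Unbound, blocklists) is the next thing to inspect.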
Title: Re: Bypass Firewall for one device?
Post by: TheBiGWall on May 16, 2022, 11:08:51 pm
Right, I think I get what the problem is now.
What you have described is a setup where you have put your ISP-provided all-in-one consumer router into a modem-only mode. All fine there. You then have OPN getting the WAN IP from the "modem". You then have set up your network and services in OPN, and you have a switch where your LAN clients connect.
Then you have a set top box where only catch up TV times out.
So you need to focus on the network traffic from the set-top-box (STB).
Does it get an IP address from OPN and otherwise network-wise everything else is working?
Yes, it might be an idea to "bypass the firewall" but it's not known what the problem is yet. Does the STB have a diagnostics function you could start, see if it shows clues like DNS failing?
Otherwise you'll need to inspect the traffic. What you can do is change the default logging to show more, narrow down the live logs to the STB IP address and see what it shows when it fails (timeout).

Hey Cookie Monster,

Sadly, I am sorry for my late response; work and life got in my way. Indeed you're correct. That is my setup. I did try the "bypass" method by putting my modem back into router mode, and everything worked. The firewall got the WAN: 192.168.1.1, and the STB worked like a charm. However, I had issues with port forwarding and other issues, so I changed it back.


The STB has no issue getting an IP address and/or accessing the internet; on closer look, BBC iPlayer works fine! It's just the others that fail to load; when the firewall was "off", I noticed that those players had ads, and then the show would start.

I'm thinking my firewall isn't blocking the shows but the ads that play first; as I have some plug-ins enabled, I will try your "change the default logging to show more, narrow down the live logs to the STB IP address" and report back to you. Again, sorry for the lateness of this message :(
Title: Re: Bypass Firewall for one device?
Post by: TheBiGWall on June 10, 2022, 10:38:00 pm
Sorry for the bump here.

I just wanted to update and say I got everything working (well, it still needs more work).

I tried to watch TV again with the TV box and sadly had the same issue; I went onto the firewall and disabled the Blocklist in Unbound DNS.

(https://i.ibb.co/HVmpzjJ/2022-06-10-21-35-55-Blocklist-Unbound-DNS-Services-Venus-home-network-io-Mozilla-Firefox.png)

Again, sorry to bump this; I just wanted others to know in case they run into the same issue. Now I need to find out which ads should be allow-listed, lol.

Thank you!
Title: Re: Bypass Firewall for one device?
Post by: cookiemonster on June 10, 2022, 11:09:53 pm
Sounds like you discovered the problem then: the ad blocklists get in the way. I take it that when you disabled them, the problem went away. You're in the game then.
If that's the case, then I have a suggestion. The rationale is that the ones you have in Unbound, to my knowledge, don't have an easy way to exclude elements from the list. Other ad blockers do.
The suggestion is to replace these with the AdGuard plugin from mimugmail. With it, using a UI you can exclude the STB from all lists.
It is another complication in the overall setup but well worth the trouble.
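Whichever blocker ends up in front of the STB, the remaining job from the thread is finding out which names the box asks for that the blocklist swallows, so that only those are excluded rather than the whole list being switched off. The script below is an added example, not code from the thread, from OPNsense or from the AdGuard plugin: it parses Unbound query-log lines (the "info: <client> <qname>. <qtype> <qclass>" shape produced with log-queries enabled is assumed), keeps the queries from one client, checks each name against a blocklist the way a zone-style list matches (the name itself or any parent label), and reduces the hits to the list entries that caused them, which is the set of candidate allowlist entries. The log lines, the blocklist contents, the STB address 192.168.1.50 and every domain are constructed for the example.

```python
import re

# Constructed Unbound query-log lines (log-queries: yes), in the assumed shape
# "info: <client> <qname>. <qtype> <qclass>" behind a syslog-style prefix.
# Clients, domains and timestamps are made up for the example.
SAMPLE_UNBOUND_LOG = """\
Jun 10 21:30:01 fw unbound[812:0] info: 192.168.1.50 catchup.example-tv.co.uk. A IN
Jun 10 21:30:01 fw unbound[812:0] info: 192.168.1.50 cdn.example-tv.co.uk. A IN
Jun 10 21:30:02 fw unbound[812:0] info: 192.168.1.50 ads.tracker-example.com. A IN
Jun 10 21:30:02 fw unbound[812:0] info: 192.168.1.50 eu.ads.tracker-example.com. A IN
Jun 10 21:30:03 fw unbound[812:0] info: 192.168.1.77 ads.tracker-example.com. A IN
Jun 10 21:30:04 fw unbound[812:0] info: 192.168.1.50 beacon.metrics-example.net. AAAA IN
Jun 10 21:30:05 fw unbound[812:0] info: start of service (unbound 1.15.0).
"""

# Constructed stand-in for the domains a blocklist feed contains.
BLOCKLIST = {"ads.tracker-example.com", "metrics-example.net"}

STB_IP = "192.168.1.50"  # hypothetical set-top-box address

QUERY_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) IN\b")


def parse_queries(log_text):
    """Yield (client, qname, qtype) for each query line; non-query lines are ignored."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)


def matching_entry(qname, blocklist):
    """Return the most specific blocklist entry covering qname, or None.

    Zone-style blocklists match a name and everything below it, so the name and
    each of its parents (but not the bare TLD) are tried in turn.
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def blocked_for_client(log_text, client_ip, blocklist):
    """Distinct names the client queried that the blocklist would answer, first-seen order."""
    seen = []
    for client, qname, _ in parse_queries(log_text):
        if client == client_ip and matching_entry(qname, blocklist) and qname not in seen:
            seen.append(qname)
    return seen


def allowlist_candidates(blocked_names, blocklist):
    """Collapse blocked names onto the list entries that caught them: one allow entry each."""
    entries = []
    for name in blocked_names:
        entry = matching_entry(name, blocklist)
        if entry and entry not in entries:
            entries.append(entry)
    return sorted(entries)


if __name__ == "__main__":
    names = blocked_for_client(SAMPLE_UNBOUND_LOG, STB_IP, BLOCKLIST)
    print("blocked names queried by the STB:", names)
    print("allowlist candidates:", allowlist_candidates(names, BLOCKLIST))
```

The candidates are a starting point, not a decision: each one should be allowed only for the STB (the per-client exclusion the AdGuard plugin offers) or only after checking what the domain serves, since allowing an ad or telemetry host globally undoes the reason the blocklist was enabled.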