OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: laterizi on December 28, 2022, 06:48:18 pm
-
Hello everyone. I have a strange configuration (the customer told me how he wanted it) that i can't get to work as i would like.
He has a single gateway, a modem/router provided by the ISP, with internal address 192.168.64.1 and an OPNsense box with WAN interface 192.168.64.15.
This has two separate LAN interfaces, one with address 192.168.32.1 (LAN interface) and another with address 192.168.48.1 (OPT1 interface). For some strange reason, all PCs on the LAN must communicate with PCs on the OPT1 network and vice versa.
Right now, recently installed, OPNsense makes the PCs on the LAN OPT1 network communicate with those on the OPT1 LAN network, but those on the OPT1 LAN network do not communicate with those on the LAN OPT1 network. No further changes have been made.
It would be necessary to have the PCs on the OPT1 LAN network communicate with those on the LAN OPT1 network and, when desired, to be able to isolate the two networks quickly (which is strange, but so much is).
Can you help me with this?
Gianluca
-
Make sure that under Firewall Rules for OPT1 you allow communication from the OPT1 net to everything or at least LAN net.
-
Make sure that under Firewall Rules for OPT1 you allow communication from the OPT1 net to everything or at least LAN net.
(https://i.ibb.co/LQ2t4KY/Immagine-2022-12-28-210900.jpg) (https://ibb.co/SQ9nqS5)
(https://i.ibb.co/xMN9TyP/Immagine-2022-12-28-210840.jpg) (https://ibb.co/fCs6wbB)
-
I don't mean this as harsh as it might sound, but are you sure they can't communicate? How are you testing? Are you sure local firewalls (i.e.,windows firewall) aren't blocking at the device level, that's caught me a few times? What are you seeing in the live logs in OPNsense?
-
Maybe you problem is
Firewall: Settings: Advanced: Disable reply-to
try to activate it.
-
Disable windows / Mac / Linux firewall on 2 machines connected to both networks (1 network each), then try to send ICMP (ping) packet to eachother, if it works, then all is fine and culprit is the firewall of the OS on the machines in question.
If ping doesn't work, despite disabling firewall on both computers, make sure OpnSense has all as should (no firewall rules blocking anything etc.)
Backup everything, and hen add the local IP of the LAN interface of opnsense to gateways, then go to routes and add new route: Network is 192.168.0.0/16 and gateway is LAN
save changes and reboot opnsense, if you loose internet connection and can't connect to web gui of Opnsense, then revert back to backup you made, if not, then try to ping something on the different network.
If you aren't able to ping any computer belonging to a different network, there's either a firewall blocking it, or routing isn't configured properly (which is most likely the case, since by default, you have to manually create routes to each network other than LAN. 192.168.32.0 and 192.168.48.0 with subnet mask 255.255.255.0 belong to 192.168.0.0/16 netblock, so does your WAN, so you might loose connectivity in which case you have to assign different IP like 172.10.1.1 and 172.10.2.1 for LAN and OPT for simple routing and check the block both belong to to fix the issue)
-
Maybe you problem is
Firewall: Settings: Advanced: Disable reply-to
try to activate it.
(https://i.ibb.co/QFCzrZb/Immagine-2022-12-29-093517.jpg) (https://ibb.co/LzJbnMk)
Has already been activated.
-
How are you testing?
I tried pinging or connecting to a shared folder. The PCs do not respond to the ping, but they connect to the shared folders.
(https://i.ibb.co/289SZ8K/Immagine-2022-12-29-094036.jpg) (https://ibb.co/Q8gkD8m)
(https://i.ibb.co/XXhNTQx/Immagine-2022-12-29-093949.jpg) (https://ibb.co/ZdntCjz)
(https://i.ibb.co/r2P9Lcd/Immagine-2022-12-29-093855.jpg) (https://ibb.co/jkKtxWJ)
(https://i.ibb.co/ydpTn8f/Immagine-2022-12-29-093819.jpg) (https://ibb.co/XjDBZz2)
Are you sure local firewalls (i.e.,windows firewall) aren't blocking at the device level, that's caught me a few times?
The PCs' firewalls are temporarily disabled so as not to create interference.
(https://i.ibb.co/StbMCst/Immagine-2022-12-29-092822.jpg) (https://imgbb.com/)
(https://i.ibb.co/q5GcHf3/Immagine-2022-12-29-092731.jpg) (https://imgbb.com/)
-
If ping doesn't work, despite disabling firewall on both computers, make sure OpnSense has all as should (no firewall rules blocking anything etc.)...
From what I have shown above it seems to be only a ping problem. As you can see, trying to connect to shared folders of the PCs on the other network, the PCs connect. At this point it really seems to be only a ping problem. For example, you can connect to an http server of one of the pc's on the other network:
(https://i.ibb.co/pQNGDMV/Immagine-2022-12-29-101453.jpg) (https://ibb.co/RNtZnsr)
(https://i.ibb.co/YWDQPPY/Immagine-2022-12-29-101401.jpg) (https://ibb.co/268hWWm)
-
Seems that all is as should be.
It is good idea to block ICMP and network access to web gui and ssh of your opnsense firewall and any possible switches (basically to everything, network in question doesn't need access to), this adds another level of security to your network (without them, anyone can just access webgui or ssh on opnsense and try breaking things. Ping is bad idea to enable, becuase with it, people are able to find out any possible computers on any network etc. Ping on client side of things, is used to test if internet works, that's pretty much all)
-
Seems that all is as should be.
Okay, it looks like it's just a big misunderstanding, everything seems to be working properly. But but it is still possible from the OPT1 network to ping any PC in the LAN, but not vice versa. I would like to understand how to enable or disable pinging between hosts on the two networks at my convenience. The rule below should block ping from the OPT1 network to the LAN, and instead it continues to work. What am I doing wrong?
(https://i.ibb.co/JxKksDT/Immagine-2022-12-29-114504.jpg) (https://ibb.co/0BcJGHL)
-
There are few ways you can do it. You will need static IPv4 or IPv6 address for the machine that you use to manage networks, preferably on the LAN network.
- Go to Firewall ---> Aliases and create new alias (click tiny + icon at the right side of the alias list)
Give description to your alias (for example management)
On Type choose host, and on Value type IP address of the machine you want to allow.
After that, you can save and apply changes, then go to Firewall ---> Rules ---> OPT1 and add new rule.
On action, choose pass, interface is OPT1 (should be there by default), TCP/IP version should be IPv4 (or which version your machine uses), Protocol is ICMP, ICMP type any, Source is name of the alias you just created, destination OPT1 Address.
Enable logging, type appropriate description on the description field, Save, then move the new rule on top of the list (click the check box on the left side of the rule and then small arrow next to rule which is on the top) and click apply changes.
Next clone rule you just made (can be found on the right side next to the rule), this time action is Block, source OPT1 net, Description again something that tells right away what is going on, then save and finally click apply changes
See if it works by pinging OPT1 address from management machine and any machine connected to OPT1 network, if Management is able to ping, but OPT1 isn't, it works
- Second way to do this, doesn't require IP or anything, you only have to create alias of ports 443, 22 and 80 and create similar block rule on OPT1 network, just protocol type is any, destination should be this firewall" and destination port should be port alias you created
This enables you to use ssh connection from management machine to opnsense and you can ping, traceroute, connect to etc to any machine on any network from there (this is why you should block ssh from any sources that you don't want to allow gaining access to firewall).
P.S. sorry for messed up answer ^^'
-
If Pinging on the management machine doesn't work, make sure that you have "Log packets matched from the default block rules put in the ruleset" in System ---> Settings ---> Logging, then go to Firewall ---> Log Files ---> Live view. You should see bunch of blocks coming in which is normal, note the interface, Source and Destination, these come important later.
then open command prompt on the management machine and type ping -t [ip address of OPT1] and see, if there's any logs on live view of opnsense, if nothing shows up blocking that nor allowing things from LAN interface to OPT1 Address, then I would try out creating a route, but would advice you to ask someone with more knowledge, since that would make things way too much work (whole firewall rule thing would have to be done to LAN network not to mention, and routing can bring more headaches as well)
If all works well, you can disable the "Log packets matched from the default block rules put in the ruleset" and firewall live log view only shows matched rules, which have logging enabled on firewall rules section.
-
P.S. sorry for messed up answer ^^'
Vilhonator, are you kidding? :D Thank you very much for all the information you are giving me!!!
I read the solution you proposed, but I think I need something simpler: I just want to disable ping from OPT1 network hosts to LAN hosts and vice versa. Or enable it when it should be necessary. Nothing more. And the rule I have set doesn't work and I would like to know why...
(https://i.ibb.co/JxKksDT/Immagine-2022-12-29-114504.jpg) (https://ibb.co/0BcJGHL)
Thanks again for everything!
Gianluca
-
According to picture, your firewall rule is blocking all incoming ICMP traffic from OPT1 net to LAN net.
Disable the rule and test if things work as you want. If it works, and you don't mind about networks being able to ping any client etc. then you can leave it there and enable the block rule again.
If you don't want to allow ICMP to all clients between the two networks, then you have to create host alias, which contains all the IPs of your host machines you want allow the ping to, clone the block rule, change Block to pass and switch destination to name of the alias you just created. After that save and move the new rule above the block rule and click apply changes.
Now everytime pass rule is active, all clients are able to ping only hosts which IPs are listed on the alias, when you disable the rule, pings to any host are being blocked.
Might sound complicated, but it's very simple really, the priority how firewall (by default) applies the rules goes from top to bottom, so you just need to make sure, that there aren't any blocking or allowing rules which conflict with eachother.
Aliases are GREAT way to ease up rule creation and portforwarding, without them, you would have to create a rule for each IP, port etc. separately, when you have to create port forwarding or firewall rule which contains specific IPs or ports.
https://docs.opnsense.org/manual/how-tos/edrop.html is gives you good idea what I mean xD
-
Oh also reason why aren't necessarily able to ping way you want, is the fact that your firewall is missing " Default allow LAN to any rule"
Firewall will always block any traffic unless you create a rule which dictates otherwise.
Default allow LAN to any rule is required for internet and local connections. Opnsense only creates anti lockout rules automatically to LAN when you assign it, which is why you are able to access opnsense web gui and ssh server.
So basically LAN should be looking like as the picture show, with just default values (at least when opnsenses WAN port is directly connected to the internet).
Any other network you add, will require IPv4 rule to gain access to internet and own network etc. using IPv4 and IPv6 for IPv6 networks (which you can safely delete unless you need IPv6 addresses)
-
The rule is working as I would like, but something is not going exactly as I expect.
Let's go in steps:
- from the LAN hosts I block all ICMP packets to the OPT1 hosts.
- from the OPT1 hosts I block all ICMP packets to the hosts of LAN
- I apply the rules
- firewall -> diagnostics -> states -> actions -> reset state table
After that the rules work.
Unexpected behavior, however, when I want to re-enable ICMP packet transit.
- from the LAN hosts I allow all ICMP packets to the OPT1 hosts
- from the OPT1 hosts I allow all ICMP packets to the hosts of LAN.
- I apply the rules
At this point only one of the two works. I have now made 5 attempts as described and the ping works 4 times for LAN and 1 time for OPT1. Almost like it was a random thing.
Forgive me, this sounds strange, but it is happening.
Gianluca
-
The rules are already in place to allow all traffic for those networks and the block to ICMP is on top of them...
(https://i.ibb.co/vd5FSs6/Immagine-2022-12-29-144628.jpg) (https://ibb.co/wQHkfJF)
(https://i.ibb.co/kx2XtLr/Immagine-2022-12-29-144553.jpg) (https://ibb.co/0cyrx0W)
-
Let's go in steps:
- from the LAN hosts I block all ICMP packets to the OPT1 hosts.
- from the OPT1 hosts I block all ICMP packets to the hosts of LAN
- I apply the rules
- firewall -> diagnostics -> states -> actions -> reset state table
After that the rules work.
Unexpected behavior, however, when I want to re-enable ICMP packet transit.
- from the LAN hosts I allow all ICMP packets to the OPT1 hosts
- from the OPT1 hosts I allow all ICMP packets to the hosts of LAN.
- I apply the rules
At this point only one of the two works. I have now made 5 attempts as described and the ping works 4 times for LAN and 1 time for OPT1. Almost like it was a random thing.
Forgive me, this sounds strange, but it is happening.
Gianluca
Yea the issue isn't Firewall rules, sorry, but that issue is beyond my understanding of how to fix. It could be route connections on OPT1 which causes slow enough response causing time out but not sure.
If try out nslookup IP address of one of the hosts on LAN, copy the name of it and from OPT1 host, ping name of the host in LAN and the IP of the host and see if there are any difference.
Also sometimes my opnsense wasn't able to connect to my truenas, so I had to add override to DNS, which worked, so you can go to services ---> Unbound DNS ---> Overrides and add all hosts to the top of the list like I have added my truenas and see if that works (though it must be FQDN of the server or you might get certificate warnings etc.)
-
If ping works perfectly every time you type IP address and Opnsense is hosting DHCP, then go to services ---> unbound DNS ---> Settings and check "Register DHCP leases" and "Register DHCP static mappings" options.
This way you can check from "leases" the hostname of each device connected to opnsense and which recieves IP from opnsenses DHCP server.
Be carefull though, messing with DNS settings is always trial and error kind of thing. So I would rather ask help from someone who knows things which could be causing the issue you have, better than I do
-
Sorry forgot to add the picture of overrides and general rules