OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Madifor on January 05, 2023, 11:15:26 am

Title: Access GUI from wan subnet
Post by: Madifor on January 05, 2023, 11:15:26 am
I have 2 OPNsense installations (FW1 & FW2) which are connected behind the provider modem / router, which means that the WAN ports get a (non-routable) IPv4 address in the 192.168.1.x subnet range.
I needed two installs as I have 2 separate LAN segments with different functions which I wanted to be completely separated (also physically). To make the post a little bit more readable I will use LAN1 and WAN1 for FW1 and LAN2 and WAN2 for the interfaces on the 2nd firewall.

When connected to LAN1 I can reach the GUI of FW1 and when connected to LAN2 I can reach the GUI of FW2 normally, as expected. But I am not able to reach the GUI of FW2 using its WAN IP when connected to LAN1, and vice versa. I unticked "block private networks" & "block bogon networks" on both WAN interfaces, I even added an allow any any rule on the WAN firewall configuration, but I am still not able to access the GUI.
I even tried to connect a PC to the same subnet as the WAN interfaces, and am still not able to access the GUI on either of the WAN IPs.
I don't see any blocked traffic messages when checking the firewall logs.

I also tried the any source / any destination rule for HTTP & HTTPS traffic on the WAN FW config, but it is still not possible to access the GUI.

The only way to access the GUI on either of the 2 WAN IPs is by ticking the option disable firewall in the advanced firewall config...

I am a bit lost as to what is blocking / preventing me from accessing the GUI.

Any help is appreciated to point me back in the right direction.
Title: Re: Access GUI from wan subnet
Post by: tong2x on January 05, 2023, 11:38:54 am
You need to open your external port on the WAN1 or WAN2. By default open will "close" all ports.
You need to create a Firewall->NAT->port forward

which will open your WAN ports...

This assumes that your internet IP is also reachable and not blocked by your ISP.
Title: Re: Access GUI from wan subnet
Post by: Madifor on January 05, 2023, 12:23:27 pm
Added the port forward as suggested, but still not able to reach it (when connected to the same 192.168.x.x subnet, or when trying to reach FW2 from the FW1 LAN segment or FW1 from the FW2 LAN segment, which is of course not the same as the 'WAN' subnet).
Title: Re: Access GUI from wan subnet
Post by: Madifor on January 06, 2023, 11:56:53 am
If someone still has a clue how to fix the connectivity issue (gaining access to the firewall GUI from the Direct Internet subnet; see drawing).

Added a small / simple drawing to make it hopefully easier for anybody to understand the setup.

Whenever I connect a PC to either LAN 1 / LAN 2 or the direct internet subnet all LANS I am NOT able to access the GUI using the WAN IP address of the firewalls (of course when connected to LAN 1 I can reach FW1 using its WAN IP; the same goes for when connected to LAN 2, then I can access the WAN of FW2).
When disabling packet filtering from the GUI I can reach the GUI from the Direct Internet subnet.

I am not new to networking but at this moment I am out of options for how to solve it (besides starting to configure the firewalls from scratch again).
Title: Re: Access GUI from wan subnet
Post by: chemlud on January 06, 2023, 12:07:07 pm
...your packages go out directly to the interwebs after NAT on the sense, hu? ;-)
Title: Re: Access GUI from wan subnet
Post by: Madifor on January 06, 2023, 03:31:10 pm
That is not completely true, as I have the PC connected to the same LAN segment as where the WAN ports are connected (so directly on to the ISP modem, and it receives an IP address in the same subnet).

All traffic from either of the LAN networks passing the respective firewall will be translated / converted via NAT, that is correct.
Title: Re: Access GUI from wan subnet
Post by: cookiemonster on January 06, 2023, 03:39:16 pm
How are these two firewalls connected to the modem, that "192.168.x.x subnet"? Is it a switch (managed one or not), or, as I imagine, each in a different port in the modem (which I imagine is a modem/router in bridge mode)?
Title: Re: Access GUI from wan subnet
Post by: Madifor on January 06, 2023, 04:25:41 pm
They are connected to a managed switch, just like my 'test PC' for troubleshooting purposes.
All 4 ports (connection to the ISP modem/router, the PC and 2 WAN connections) are in the same switch VLAN and I can ping from my PC the IP of the ISP modem and also the IP addresses of the WAN interfaces...

Installed Wireshark and put the GUI on HTTP so I can read the packets a little bit.
When I set "Disable all packet filtering" in the advanced firewall settings (cleared browser cache / history and all) and retry to open the GUI, the traffic flow goes smoothly.

As soon as I unset the disable firewall option and try to open the portal, the GUI isn't opened at all, and you will notice retransmits... and page loading is failing.
Title: Re: Access GUI from wan subnet
Post by: Madifor on January 06, 2023, 04:26:40 pm
This is a screenshot of the same (loading the login screen / landing page of OPNsense).
Title: Re: Access GUI from wan subnet
Post by: chemlud on January 06, 2023, 04:46:41 pm
First of all, I wouldn't configure it this way, I would use a tunnel between the two OPNsenses and access the GUI from the respective opposite LAN.

You can have a WAN rule allowing traffic from the "WANnet" to "WAN address" on HTTPS port. No port forward. Then at least the PC with an IP in the WAN range should be able to reach the GUI. If the two senses are on a switch, maybe the traffic between LAN1/2 and GUI2/1 should work without an outbound NAT rule...
Title: Re: Access GUI from wan subnet
Post by: Madifor on January 06, 2023, 07:03:26 pm
I removed the port forward as this was a misconfiguration.
I have a single rule only on the WAN interface as advised; unfortunately I am not able to get this working.

The remark of making a tunnel is definitely a good option to go for.
Trying to understand what is causing the issue I am facing.


Regards

Eddy
Title: Re: Access GUI from wan subnet
Post by: chemlud on January 07, 2023, 11:56:57 am
You moved the GUI back to https? The GUI is listening on WAN? Go for the tunnel, opening https on WAN is a very bad idea in my opinion.
Title: Re: Access GUI from wan subnet
Post by: Madifor on January 07, 2023, 07:13:21 pm
To clear everything up, on the ISP modem there is no port forward configured to access the firewall GUI from the internet.
As far as I remember, the possibility to access the GUI was working at the beginning, but for some reason (or some config issue) I am not able to anymore, and I am trying to figure out why.
Title: Re: Access GUI from wan subnet
Post by: Madifor on January 08, 2023, 03:59:12 pm
I might have found the root cause of the issue I am facing.
If I select the ISP modem as IPv4 upstream gateway (on the WAN interface configuration)... I am not able to access the GUI any longer using the WAN IP (while connected to the same subnet as the WAN interface).

When I select Auto-detect as IPv4 Upstream Gateway, I can reach the GUI, but then I face the issue that it is impossible to set up an inbound IPsec connection.