OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: bringha on July 17, 2016, 07:28:52 pm

Title: Missing Route to WAN Port - how to fix
Post by: bringha on July 17, 2016, 07:28:52 pm
Hi together,

I have a 4-port OPNsense with a WAN, LAN, DMZ and an additional port for a management network which shall have access to the Internet over the port OPT2 (named WLAN here, see rules). The firewall rules on this interface are as attached.

Connected to this port OPT2 is a server with the address 192.168.88.11; its gateway is 192.168.88.1, and the gateway to the Internet is 192.168.2.1. The server has 2 interfaces: the primary interface eno1 is connected to LAN (gateway 192.168.1.1), the alternate interface eno4 to the network 192.168.88.0. Consequently, I have added a second routing table (mng) on the server with iproute2 and have added the necessary rules there:
Code:
controller# ip rule list
0: from all lookup local
32764: from all to 192.168.88.11 lookup mng
32765: from 192.168.88.11 lookup mng
32766: from all lookup main
32767: from all lookup default

In this second routing table I have configured:
Code:
controller# ip route list table mng
default via 192.168.88.1 dev eno4
192.168.88.0/24 dev eno4  scope link  src 192.168.88.11
So: what works:
LAN works normal.
I can ping another server in the network 192.168.88.0.
I can ping the gateway:
Code:
controller# ping -I eno4 192.168.88.1
PING 192.168.88.1 (192.168.88.1) from 192.168.88.11 eno4: 56(84) bytes of data.
64 bytes from 192.168.88.1: icmp_seq=1 ttl=64 time=1061 ms
64 bytes from 192.168.88.1: icmp_seq=2 ttl=64 time=52.2 ms
64 bytes from 192.168.88.1: icmp_seq=3 ttl=64 time=59.7 ms
64 bytes from 192.168.88.1: icmp_seq=4 ttl=64 time=1059 ms
64 bytes from 192.168.88.1: icmp_seq=5 ttl=64 time=83.2 ms
64 bytes from 192.168.88.1: icmp_seq=6 ttl=64 time=90.8 ms

(Remarkable, the large variation and duration of the pings ...), but I can't reach the WAN address:
Code:
controller# ping -I eno4 192.168.2.101
PING 192.168.2.101 (192.168.2.101) from 192.168.88.11 eno4: 56(84) bytes of data.
From 192.168.88.11 icmp_seq=1 Destination Host Unreachable
Obviously, there is a missing route in the OPNsense between the gateway 192.168.88.1 and the WAN. Evidence for this is what I see when executing on the server:
Code:
controller # ip neigh show
104.68.210.119 dev eno4  FAILED
192.168.88.31 dev eno4 lladdr 00:25:kk:mm:rr:a1 STALE
192.168.2.1 dev eno4  FAILED
104.108.187.66 dev eno4  FAILED
192.168.88.1 dev eno4 lladdr 00:17:ww:ff:ww:1c STALE
192.168.1.83 dev eno1 lladdr ac:87:ww:ff:nn:rr REACHABLE
192.168.2.101 dev eno4  FAILED
192.168.1.1 dev eno1 lladdr 00:17:nn:aa:bb:1a STALE
(...)
(Don't ask me why even LAN connections are stale 8)); BUT, a traceroute command to an address on the Internet shows
Code:
controller# traceroute -i eno4 www.nokia.com
traceroute to www.nokia.com (104.68.210.119), 30 hops max, 60 byte packets
 1  192.168.88.1 (192.168.88.1)  57.456 ms  59.551 ms  59.545 ms
 2  192.168.2.1 (192.168.2.1)  59.573 ms  59.611 ms  59.592 ms
 3  217.0.117.111 (217.0.117.111)  59.684 ms  59.668 ms  59.659 ms
 4  (...)
 8  a104-68-210-119.deploy.static.akamaitechnologies.com (104.68.210.119)  187.744 ms  187.735 ms  187.724 ms
something really confusing here .... :o :-\

I don't understand why with the given firewall rules the WAN net cannot be reached. How can I fix that?

Does anybody have an idea?

Looking forward to your reply.

Br br
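As an added illustration (not code from the post or from OPNsense), the following Python replays the kernel's policy-routing decision over the exact `ip rule list` and `ip route list table mng` output quoted above: rules are walked by priority, and the first table containing a longest-prefix match for the destination decides the next hop. The contents of table `main` are an assumption (the post does not show it); `local` and `default` are left empty. Feeding it the two ping destinations from the post shows the host itself would already hand 192.168.2.101 to 192.168.88.1 on eno4, which matches the traceroute and places the gap beyond the gateway.

```python
import ipaddress
import re

# Constructed inputs: RULE_TEXT and table "mng" are copied from the post's
# output; table "main" is ASSUMED, "local" and "default" are left empty.
RULE_TEXT = """0: from all lookup local
32764: from all to 192.168.88.11 lookup mng
32765: from 192.168.88.11 lookup mng
32766: from all lookup main
32767: from all lookup default"""
TABLE_TEXT = {
    "mng": "default via 192.168.88.1 dev eno4\n"
           "192.168.88.0/24 dev eno4  scope link  src 192.168.88.11",
    "main": "default via 192.168.1.1 dev eno1\n"                  # assumed
            "192.168.1.0/24 dev eno1  scope link  src 192.168.1.50",  # assumed
    "local": "", "default": "",
}
RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: to (\S+))?\s+lookup (\S+)")

def to_net(sel):
    """'all', 'default' or a missing selector match everything; a bare host is a /32."""
    return ipaddress.ip_network("0.0.0.0/0" if sel in (None, "all", "default")
                                else sel, strict=False)

def parse_rules(text):
    """-> [(priority, from_net, to_net, table)] sorted by priority (lowest first)."""
    found = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return sorted((int(m[1]), to_net(m[2]), to_net(m[3]), m[4]) for m in found if m)

def parse_routes(text):
    """-> [(prefix, gateway_or_None, device)] for one `ip route list table` dump."""
    routes = []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append((to_net(tok[0]), via, tok[tok.index("dev") + 1]))
    return routes

def route_lookup(rules, tables, src, dst):
    """First matching rule whose table holds a route for dst wins (longest prefix
    inside that table); returns (table, gateway, device) or None if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, from_net, to_net_, table in rules:
        if src not in from_net or dst not in to_net_:
            continue
        hits = [r for r in tables.get(table, []) if dst in r[0]]
        if hits:
            best = max(hits, key=lambda r: r[0].prefixlen)
            return table, best[1], best[2]
    return None

RULES = parse_rules(RULE_TEXT)
TABLES = {name: parse_routes(txt) for name, txt in TABLE_TEXT.items()}
```

Call `route_lookup(RULES, TABLES, "192.168.88.11", "192.168.2.101")` to see the decision for the failing ping; compare with the real kernel via `ip route get 192.168.2.101 from 192.168.88.11`.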