OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: Ludovik on July 27, 2016, 10:57:40 pm

Title: Issue on WAN filter
Post by: Ludovik on July 27, 2016, 10:57:40 pm

Hi All,

I have the following issue on all 3 opnsense version that I installed: 16.1.20 , 16.1.8 , 16.7-RC2.

Enviroment:
VM with 2 interfaces on VMware Workstation 11.
em0 interface is bridged with eth0 of my PC, connected to my home router.
em1 interface is an isolated one on the VMware

Configuration:
em0 -> WAN -> DHCP Assigned Address -> 192.168.0.116      (GW: 192.168.0.1 <- my home router)
em1 -> LAN -> Static IP -> 10.10.5.1/24 with a DHCP Server with range 10.10.5.200-220

I add the firewall rule on WAN

Protocol: any
Src: any
Dst: any
Action: pass

From my router (192.168.0.1)  I'm unable to ping WAN (192.168.0.116).
From another PC (192.168.0.22) I'm unable to ping WAN (192.168.0.116)
From WAN I'm able to ping my router and other PC in subnet.
I unchecked "block rfc1918" and "block logon network", tried to put a more specific rule for ICMP on WAN and rebooted VM, but nothing changed.
With Pfsense the same configuration in the same enviroment, works as expected, replying to ICMP, so it cannot be the enviroment.
It seems that there's something wrong on the outgoing rules of WAN pf.
Looking tcpdump inside opnsense I'm seeing ICMP request and reply, but it doesn't leave the WAN interface.
Obviously It works when I manually disable pf.
This issue affect every packet sent to the WAN interface, not only icmp.

Here you can find

opnsense /tmp/rules.debug file
http://pastebin.com/eHcCMX7k

pfsense /tmp/rules.debug  file
http://pastebin.com/u4xi1Wvk

and opnsense backup configuration
http://pastebin.com/n2SYKpvb

Is there someone that already find this issue or is there something I'm not doing on the right way?
Thanks in advance.

Title: Re: Issue on WAN filter
Post by: silent_mastodon on July 28, 2016, 05:56:34 am

As you can see from my thread

https://forum.opnsense.org/index.php?topic=3372.0

I had a similar issue.

However, I was able to make ICMP packets work by doing as you did, disabling the RFC1918 block and inserting the proper firewall rule to allow IPv4 ICMP protocol packets on the WAN interface. I'm not sure why it isn't working in your case.

In any event, it seems from your post, mine, and several others I've found in search that there is some sort of issue with opnsense when used in a VM and behind another router, and thus interacting with private networks on both sides. I should have just turned the NAT off and operated in pure firewall mode since there wasn't actually any need of the NAT in the first place, but I've already moved on to another product to get my lab VM operational.

I guess pfSense is using different defaults, or subtlely different configuration that doesn't allow users to misconfigure the router in these circumstances? No idea.