OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: king-dude on November 16, 2016, 04:18:21 pm

Title: Broken Bridge/Transparent firewall functions?
Post by: king-dude on November 16, 2016, 04:18:21 pm
Hi. Let me start with this: today I have an old monowall firewall that has a working bridge with firewalling.

The setup is really simple:
WAN, which is the gateway for LAN.
OPT1, which is also bridged with WAN (this interface has no IP address).

So behind OPT1 I have servers, and all those servers can run whatever protocol from OPT1 to WAN/Internet.
And on the WAN side I block everything except some ports to different servers on the OPT1 interface.

Now I was thinking of replacing that old monowall with something newer like OPNsense, and here the adventure begins…

So before I install this firewall in the datacenter I want to test it on the outside of my firewall at work.
First of all, I have a really strange thing where the OPNsense firewall intercepts IPsec traffic that is passing through (OPNsense is not doing the IPsec tunnel, it's just passing through the firewall) and it just vanishes into thin air. And it's not all the traffic in the tunnel, just some.

So struggling with that, somehow I got it to work (see my other post https://forum.opnsense.org/index.php?topic=3916.0), but only if I have a firewall rule that says ANY to ANY.

With a configuration that has 2 interfaces, let's call them OPT3 and OPT4, in bridge mode, I can't get any rule from the firewall working if I don't want to just have Any Any.

So after struggling with this I decided to configure everything exactly like my Monowall setup and whohoo, now it starts working as it should… But now I'm back to my original problem with the IPsec tunnel.

So now after this big headache I'm starting to get pissed off, so I take my spare firewall with monowall (well, it's upgraded to smallwall) without any configuration like the one I have in the datacenter, so every IP, everything is totally different in that one, but it shouldn't matter, because if it is a bridge then it should act as a bridge… So 2 minutes later I have plugged that firewall in between Internet (WAN) and (OPT1) my firewall, and everything is working like a charm…
I can see that all traffic is blocked, so nothing shows up in the log on my normal firewall. I can surf to whatever and the IPsec tunnel is working without problem.

So now I'm back to square one. I can say that I really like a lot of the new functions in OPNsense and I really want it to work as I expect. How can I go forward with these problems? To me this seems like a bug somewhere, so even if I pay for support, will I have a working solution like my monowall?

I can't get my head around this; it's totally confusing that the OPNsense manual about bridges says I should change net.link.bridge.pfil_bridge (1) so I have only one interface to set my rules on. So if I want an Any rule out from the LAN interface so the return traffic isn't blocked, and I want to block everything coming in on the WAN side that is initiated from WAN, how should that rule (rules) be when I can only set this on OPT1?
It's much more logical to have net.link.bridge.pfil_member (1).


Title: Re: Broken Bridge/Transparent firewall functions?
Post by: king-dude on November 16, 2016, 09:52:23 pm
I can now confirm that this behavior is the same on the latest build of pfSense.
ICMP: working
Port 80: working
SSL 443 or ports like 8080, 9001 or whatever (haven't tested all the ports): NOT working
I can confirm that this behavior does NOT occur on a PPTP tunnel; there everything is working.

My IPsec tunnel is basic; this is from a pfSense firewall.
Phase 1
IKE:            V1
Mode:           aggressive
P1 Protocol:    Blowfish (128 bits)
P1 Transforms:  MD5
DH Group:       1 (768 bit)

Phase 2
P2 Protocol:    ESP
P2 Transforms:  Blowfish (128 bits)
P2 Auth Method: MD5

I have no idea how to analyze the missing traffic, so all help is welcome.

This must be a major bug either in FreeBSD higher than 8 or in something else that has changed.

If you put something that is stealthy between networks and traffic vanishes (this time in an IPsec tunnel) or doesn't get through, who knows what other type of traffic you can later spend days on trying to understand why things aren't working.


Title: Re: Broken Bridge/Transparent firewall functions?
Post by: king-dude on November 18, 2016, 04:41:31 pm

I have now solved it (both on pfSense and OPNsense); I will do a write-up about my configuration later. Now I have to test it and celebrate with a whiskey and beer :)

Title: Re: Broken Bridge/Transparent firewall functions?
Post by: king-dude on November 18, 2016, 06:06:44 pm
How-to: OPNsense bridge.

The goal is to have a filtering bridge in stealth mode and with a working IPsec tunnel through OPNsense.

So the setup is like this:
Another LAN with a firewall with IPsec -> Internet -> WAN OPNsense -> OPT1 OPNsense -> Another firewall that does an IPsec tunnel to the first firewall.
OR this:
Internet public IP net that you cannot route -> WAN OPNsense -> OPT1 OPNsense -> Public servers in datacenter
So if I want to have a pass rule for ports to servers on OPT1, I set these firewall rules on the WAN interface.

LAN in this case can be a management network or even a regular NAT network that you can surf from and so on.

After this setup I can turn on Intrusion Detection/Prevention and Reporting etc.
Of course you can have a better OPT1 rule than Any, but that's up to you and I will not go into it.
Note! You set your firewall rules on the interfaces later, not as in the normal bridge manual in OPNsense.

First install OPNsense.

Set up your normal interfaces LAN, WAN and OPT1.

Do not use DHCP on LAN if you only want this as a management interface. (It's okay to also have this as a normal primary NAT router.)

So after install, log in to the GUI (run the wizard as a normal NAT setup).
Go to Interfaces > OPT1, check Enable (do not have any IP on that interface: None).

Go to Interfaces > Settings, check Suppress ARP messages; everything else on that page should be checked on as well.

Go to Interfaces > Other Types > Bridge. Add, and then select WAN and OPT1.

Go to System > Settings > Tunables:

net.link.bridge.pfil_member  set 1
net.link.bridge.pfil_onlyip  set 1
net.link.bridge.pfil_bridge  set 0

Then also add a new tunable:

net.link.bridge.pfil_local_phys  set 1

(I would really like somebody to tell me about the pros and cons of this last one.)

Go to Firewall > Settings > Normalization:

Disable interface scrub: check

Go to Firewall > Rules:

The WAN side should have 2 rules by default (if you just did a normal installation): Block private networks and Block bogon networks.
And it will also block everything else by default.

LAN side: here you can add an Any rule; it depends what you want it to do.

OPT1: here you can have an Any rule for a start; it depends what you want to do, but the machines on this side are protected from the outside and can freely surf or whatever if you have the Any rule.

Then go to Floating rules. (Do not use Quick.) (I haven't tested this so much; maybe you can set these rules on the WAN interface instead.)
Add a rule that passes on interface WAN, direction IN, protocol ESP, from source (the IP number of your other IPsec firewall).
Add a rule that passes on interface WAN, direction IN, protocol UDP port 500, from source (the IP number of your other IPsec firewall).

Anyone who thinks something different is totally welcome to say what I should change in this setup and also why.
I hope everything is in there. Had my first whiskey.   8)
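The following is an added example, not part of the forum post above and not OPNsense or FreeBSD code. It is a small POSIX sh checker for the bridge-filtering tunables the write-up settles on (pfil_member=1, pfil_onlyip=1, pfil_bridge=0, pfil_local_phys=1): it reads a saved `sysctl net.link.bridge` dump or a sysctl.conf fragment and reports every key that is missing or differs, so the "rules silently never apply on this interface" class of surprise from the first post can be caught before plugging the box into the datacenter. The function and sample names (check_bridge_pfil, sample_default, sample_fixed) are this example's own, and both sample dumps are constructed rather than captured from a real host; the comments describing what each tunable does state the standard FreeBSD if_bridge meaning.

```shell
#!/bin/sh
# Added example (not from the forum post, not OPNsense code): verify that a
# FreeBSD/OPNsense host, or a saved dump of `sysctl net.link.bridge`, carries
# the bridge-filtering tunables from the write-up. Sample dumps are constructed.

# Expected settings, written in sysctl.conf syntax (key=value).
#   pfil_member=1, pfil_bridge=0 : run pf on the member interfaces (WAN/OPT1)
#                                  rather than on the bridge0 pseudo-interface,
#                                  so per-interface rules are the ones that apply.
#   pfil_onlyip=1                : only IP(v4/v6) frames are handed to pf.
#   pfil_local_phys=1            : also filter frames addressed to the host
#                                  itself on the physical member.
EXPECTED="net.link.bridge.pfil_member=1
net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_local_phys=1"

# check_bridge_pfil FILE
# FILE holds sysctl output ("key: value") or sysctl.conf lines ("key=value").
# Prints one line per missing or wrong key; returns 0 only when all match.
check_bridge_pfil() {
    _file=$1
    _rc=0
    for _want in $EXPECTED; do
        _key=${_want%%=*}
        _val=${_want#*=}
        _have=$(sed -n "s/^${_key}[:=][[:space:]]*//p" "$_file" | head -n 1)
        if [ -z "$_have" ]; then
            echo "MISSING $_key (want $_val)"
            _rc=1
        elif [ "$_have" != "$_val" ]; then
            echo "WRONG   $_key=$_have (want $_val)"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample: FreeBSD's stock values, where pf runs on bridge0 too
# (pfil_bridge=1) and pfil_local_phys is off; the state the poster started from.
sample_default() {
    cat <<'EOF'
net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_local_phys: 0
EOF
}

# Constructed sample: the values after applying the write-up's tunables.
sample_fixed() {
    cat <<'EOF'
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_local_phys: 1
EOF
}

# Demo against the constructed samples. On a live host you would instead run
#   sysctl net.link.bridge > /tmp/bridge.txt && ./bridge-check.sh /tmp/bridge.txt
# (bridge-check.sh is just the name assumed for this file).
demo_file=${1:-}
tmp=$(mktemp)
if [ -n "$demo_file" ]; then
    check_bridge_pfil "$demo_file"
else
    sample_default > "$tmp"
    echo "== stock tunables =="
    check_bridge_pfil "$tmp" || \
        echo "-> apply: sysctl net.link.bridge.pfil_bridge=0 net.link.bridge.pfil_local_phys=1"
    sample_fixed > "$tmp"
    echo "== write-up's tunables =="
    check_bridge_pfil "$tmp" && echo "-> filtering on member interfaces: OK"
fi
rm -f "$tmp"
```

The checker looks only at the four keys the write-up names; anything else under net.link.bridge is ignored, so an unrelated key such as net.link.bridge.ipfw in the dump does not produce noise. Because the whole point of the pfil_member/pfil_bridge split is which interface a rule is evaluated on, it is worth running this after every upgrade that might reset tunables, before trusting that a WAN block rule actually protects OPT1.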