OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: gothbert on March 04, 2017, 11:08:09 am

Title: [SOLVED] Traffic does not pass from LAN to OPT1 in spite of firewall pass rules
Post by: gothbert on March 04, 2017, 11:08:09 am
Hello,

I searched the Internet before and found similar issues, but the solutions did not apply. So please bear with me for asking here. In spite of having easy and manual firewall rules to make (all) traffic pass between LAN and OPT1, I can only reach port 80 on a host at the OPT1 network from my workstation at the LAN network. Please see below for details.

What do I need to do to enable full TCP connectivity from LAN network to OPT1 network? Any help would be appreciated.

Kind regards
Boris
OPNsense 17.1.2-amd64

LAN 192.168.31.0/24
     opnsense at 192.168.31.1
     my workstation at 192.168.31.8

OPT1 192.168.30.0/24
     opnsense at 192.168.30.254
     a host at 192.168.30.1

my workstation ---------------- opnsense ----------------------- host
192.168.31.8            192.168.31.1      192.168.30.254         192.168.30.1

From opnsense I can ping the host at 192.168.30.1 and reach all open TCP ports.
From my workstation at 192.168.31.8 I can connect to port 80 of host 192.168.30.1.
From my workstation at 192.168.31.8 I cannot ping host 192.168.30.1 and cannot reach any TCP port other than 80.

Firewall: Log Files: Normal View shows that ICMP from 192.168.31.8 to 192.168.30.1 is blocked.
I add an easy rule from the view to enable ICMP from 192.168.31.8 to 192.168.30.1.
Still cannot ping.
I add a firewall rule for OPT1 to enable all traffic/all protocols between the LAN and OPT1 networks.
Still cannot ping. Not even after a reboot.

"Block private/bogon networks" is unchecked for both LAN and OPT1.

The dashboard shows an increasing "in" packet count on OPT1 for the pings but no "out" packet count.

Title: Re: Traffic does not pass from LAN to OPT1 in spite of firewall "pass" rules
Post by: bartjsmit on March 04, 2017, 03:37:10 pm
What is the default gateway for the 192.168.30.1 host? If it is not 192.168.30.254, does this host have a static route to the 192.168.31.0/24 network in its routing table?

You don't specify the operating system of the host, but running netstat -rn will give you the routing table in most cases.

Bart...
Title: Re: Traffic does not pass from LAN to OPT1 in spite of firewall "pass" rules
Post by: gothbert on March 04, 2017, 03:55:05 pm
Thank you, Bart, for replying.

The host 192.168.30.1 is actually an AVM Fritz!Box DSL router with its LAN ports configured for subnet 192.168.30.0/24. No chance to log in and run commands. Since the Fritz!Box is connected to the internet via DSL for telephony I wanted to silo it away.

Anyway, TCP packets from my workstation 192.168.31.8 to 192.168.30.1:80 (built-in webserver) pass the opnsense firewall and replies from the webserver are returned to my workstation. I suppose that this is related to the anti-lockout rule.

Title: Re: Traffic does not pass from LAN to OPT1 in spite of firewall "pass" rules
Post by: bartjsmit on March 04, 2017, 04:10:52 pm
If you cannot set up a (static) route back from your Fritzbox, you will need to perform NAT between the 192.168.31.0/24 network and the 192.168.30.0/24 network on the firewall. This will make all traffic from your workstation appear to come from OPNsense.

In the GUI browse to Firewall -> NAT -> Outbound. What is showing under automatic rules?

For this to work, you need a NAT rule on the OPT1 interface with the source set to 192.168.31.0/24 and the NAT address to the OPT1 address. If it is not there, set the mode to hybrid and add it as a manual rule.

Bart...
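The two fixes Bart describes in this thread (a static route back on the 192.168.30.1 host, or outbound NAT on OPT1) both solve the same problem: the host answers to the source address it saw, and with only a connected route and a DSL default route it sends replies for 192.168.31.8 out the DSL side instead of to OPNsense. The following Python simulation is an added example, not code from the thread or from OPNsense; the Fritz!Box routing table it uses is constructed from what the thread states (one connected route, one default route via DSL) and the "dsl" next hop is a placeholder.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the thread.
OPNSENSE_OPT1 = ip_address("192.168.30.254")
WORKSTATION = ip_address("192.168.31.8")
DSL_UPLINK = "dsl"  # placeholder next hop for the host's default route

# Constructed routing table for the 192.168.30.1 host (the Fritz!Box).
# Each entry is (network, next_hop): "connected" for an on-link prefix,
# the DSL placeholder for the default route, or a gateway address.
# Note there is no entry for 192.168.31.0/24.
FRITZBOX_ROUTES = [
    (ip_network("192.168.30.0/24"), "connected"),
    (ip_network("0.0.0.0/0"), DSL_UPLINK),
]


def lookup(routes, dst):
    """Longest-prefix match over a list of (network, next_hop) entries."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_next_device(routes, reply_dst):
    """Which device first receives the host's reply addressed to reply_dst."""
    hop = lookup(routes, reply_dst)
    if hop is None:
        return "dropped"
    if hop == "connected":
        return str(reply_dst)  # delivered on the segment straight to that IP
    return str(hop)            # handed to the gateway (or the DSL uplink)


def reply_reaches_opnsense(routes, client_src, nat_addr=None):
    """The host replies to the source address it saw in the request.

    With outbound NAT on OPT1 (hand-written pf-style equivalent, an
    assumption and not OPNsense's generated rule:
    'nat on opt1 from 192.168.31.0/24 to 192.168.30.0/24 -> (opt1)')
    the host sees OPNsense's OPT1 address instead of the workstation.
    """
    seen_src = nat_addr if nat_addr is not None else client_src
    return reply_next_device(routes, seen_src) == str(OPNSENSE_OPT1)


def with_static_route(routes):
    """Bart's first suggestion: a route back to the LAN subnet via OPT1."""
    return [(ip_network("192.168.31.0/24"), OPNSENSE_OPT1)] + routes


if __name__ == "__main__":
    print("no fix, reply goes to:", reply_next_device(FRITZBOX_ROUTES, WORKSTATION))
    print("no fix, reaches OPNsense:", reply_reaches_opnsense(FRITZBOX_ROUTES, WORKSTATION))
    print("static route, reaches OPNsense:",
          reply_reaches_opnsense(with_static_route(FRITZBOX_ROUTES), WORKSTATION))
    print("outbound NAT, reaches OPNsense:",
          reply_reaches_opnsense(FRITZBOX_ROUTES, WORKSTATION, nat_addr=OPNSENSE_OPT1))
```

Without either fix the reply leaves via the DSL default route, which matches the symptom in the first post (packets counted "in" on OPT1, none "out"). The static-route variant keeps the real client address visible to the host; the NAT variant hides it behind 192.168.30.254, which is what the thread ended up using.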
Title: Re: Traffic does not pass from LAN to OPT1 in spite of firewall "pass" rules
Post by: gothbert on March 04, 2017, 04:18:58 pm
Well, great, that did the job! The rule was not there; I added a NAT rule to do NAT from any source (there are more subnets behind the opnsense firewall) to 192.168.30.254 on OPT1 with translation/target OPT1 address.

I learned something new. Thank you very much!

Best regards
Boris