OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Webxorcist on September 18, 2017, 03:02:09 pm

Title: FW rule not working with Single host or network
Post by: Webxorcist on September 18, 2017, 03:02:09 pm
Hi,

I am fairly new to OPNsense, perhaps I missed other settings.

With HAProxy I made a Frontend that listens to a certain domain. I also made a Back-end with, atm, one web server in it. The idea is to add more web servers when needed.

Then I made a firewall rule in the External_Network. The rule simply says to accept port 80 traffic from any external source going to port 80 on any internal source.

Now when I punch in the domain in my web browser it shows me the website on the internal web server.

Now I want to tighten the rule, so I change it from any external source to an internal single host or network and I enter the IP address of the web server.

Somehow, the rule doesn't work any more now.

I am not sure what extra information to include in this post. What am I missing here?
Title: Re: FW rule not working with Single host or network
Post by: ChrisH on September 18, 2017, 03:11:14 pm
If you use HAProxy, the connection from the external ends on the OPNsense box, not the web server. You have to allow traffic to port 80 on the IP that you configured in the HAProxy frontend.
Title: Re: FW rule not working with Single host or network
Post by: Webxorcist on September 18, 2017, 03:18:22 pm
That is what I explained. But if the destination is ANY it works and when the destination is the web server IP it stops working.
Title: Re: FW rule not working with Single host or network
Post by: ChrisH on September 18, 2017, 03:20:36 pm
Because the destination is not the webserver, but the OPNsense box.

Maybe this picture helps:
https://en.wikipedia.org/wiki/Reverse_proxy
(https://upload.wikimedia.org/wikipedia/commons/thumb/6/67/Reverse_proxy_h2g2bob.svg/280px-Reverse_proxy_h2g2bob.svg.png)
Title: Re: FW rule not working with Single host or network
Post by: Webxorcist on September 18, 2017, 03:30:51 pm
Hmm Ok

In the rule I make, I am allowing traffic on port 80 on the external interface. That is the same one in the frontend.

Why is it working when the rule is allowing ANY destination on the internal network and it stops working when I change it to a single host on the destination network? Working as is, showing the webpage on the web server.
Title: Re: FW rule not working with Single host or network
Post by: ChrisH on September 18, 2017, 03:31:29 pm
What does the firewall log say?
Title: Re: FW rule not working with Single host or network
Post by: Webxorcist on September 18, 2017, 03:50:00 pm
Basically, when the destination is ANY the dynamic logs show the source IP (OPNsense internal address) and the web server's (also internal) address and the action was allow.

When the destination is the web host's IP the dynamic log shows the source IP (my workstation with the browser) and the external OPNsense IP and the action was block.
Title: Re: FW rule not working with Single host or network
Post by: ChrisH on September 18, 2017, 03:52:07 pm
So add another rule to allow the connection it blocks now.
Title: Re: FW rule not working with Single host or network
Post by: Webxorcist on September 18, 2017, 04:00:44 pm
Ok thanks. Now it works.

I was thinking incorrectly. I thought you would open it for only a specific internal host.
So now I opened the port on the external address of the OPNsense box.

So basically it now sends port 80 traffic to all servers in the HAProxy's Backend list?
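A small Python model of the point ChrisH makes in this thread, added here as an example and not part of the original posts: the browser's TCP connection terminates on the OPNsense WAN address, so a WAN rule whose destination is the web server never matches that packet and the default deny blocks it. All addresses and interface names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (assumption, not taken from the thread).
CLIENT = "203.0.113.10"    # external workstation running the browser
WAN_IP = "198.51.100.5"    # OPNsense external address; HAProxy frontend binds here
LAN_IP = "192.168.1.1"     # OPNsense internal address (source of the proxy's own connection)
WEB = "192.168.1.20"       # backend web server listed in the HAProxy backend


@dataclass(frozen=True)
class Rule:
    iface: str
    src: str      # CIDR or single address; "0.0.0.0/0" means "any"
    dst: str
    dport: int
    action: str   # "pass" or "block", as OPNsense logs it


@dataclass(frozen=True)
class Flow:
    iface: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.iface == flow.iface
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.dport == flow.dport)


def evaluate(rules: list[Rule], flow: Flow) -> str:
    """First matching rule wins; no match falls through to the implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "block"


# The two hops of a reverse-proxied request. Only the first one crosses the WAN
# interface; the second is a new connection the firewall itself opens to the backend.
CLIENT_TO_PROXY = Flow("WAN", CLIENT, WAN_IP, 80)
PROXY_TO_BACKEND = Flow("LAN", LAN_IP, WEB, 80)

# The three WAN rule sets discussed in the thread.
WAN_ANY_DEST = [Rule("WAN", "0.0.0.0/0", "0.0.0.0/0", 80, "pass")]      # works
WAN_DEST_WEBSERVER = [Rule("WAN", "0.0.0.0/0", WEB, 80, "pass")]        # breaks
WAN_DEST_FIREWALL = [Rule("WAN", "0.0.0.0/0", WAN_IP, 80, "pass")]      # the fix

if __name__ == "__main__":
    for name, rules in [("any", WAN_ANY_DEST), ("webserver", WAN_DEST_WEBSERVER), ("firewall", WAN_DEST_FIREWALL)]:
        print(f"dest={name}: {evaluate(rules, CLIENT_TO_PROXY)}  (packet dst is {CLIENT_TO_PROXY.dst})")
```

Tightening the rule to the firewall's own WAN address (WAN_DEST_FIREWALL) keeps the narrow destination while still matching the packet the browser actually sends.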