OPNsense Forum

English Forums => General Discussion => Topic started by: rungekutta on April 14, 2018, 06:37:04 pm

Title: Access from LAN to DMZ
Post by: rungekutta on April 14, 2018, 06:37:04 pm
Hi! I've got a weird problem and can't figure out what I'm doing wrong.

Setup:
LAN: 192.168.200.1/24
DMZ: 192.168.1.1/24

When I'm done I'm going to let LAN access DMZ but not the other way around. For now I've left the default LAN "pass everything" and added the equivalent for DMZ (interface DMZ, source DMZ net, dest any, action Pass).

However when I access DMZ from LAN I get dropouts and timeouts (e.g. when setting up NFS connection). Debugging this, accessing a web management GUI in the DMZ from my laptop on the LAN, some packets are let through on the basis of the default LAN rule but then some dropped on the default deny, and I can't see the reason for this at all.

See attached opn1.jpg screenshot from the Live View firewall log and opn2.jpg from the drill down of one of the blocked connections - how can that not be caught by the same default pass rule?

Also, I don't understand why "default allow LAN to any" comes in pairs with DMZ "let anything out from firewall itself".

Totally stumped on this so would appreciate pointers!
Title: Re: Access from LAN to DMZ
Post by: rungekutta on April 17, 2018, 09:28:18 pm
Ok so... I've continued to look at this and haven't found the answer, but have narrowed it down.

First of all, the rejects from the logs appear to be a red herring and basically this: https://forum.pfsense.org/index.php?topic=39960.0

I've further noticed that it's only one particular host which is problematic, namely my FreeNAS server. Troubleshooting with iperf3, I can iperf from a MacBook Pro and from Windows 10 to other hosts (Linux VMs) on the same subnet and across subnets (via opnsense), in all cases consistently at around 940MBit/s, so as expected.

The FreeNAS server has two physical NICs, currently one on LAN and one on DMZ. When I iperf3 to the same subnet I get the same consistent 940MBit. However, when I cross subnets - from LAN to DMZ or the other way around (for testing) - I get something like this:

foo$ ./iperf3 -c 192.168.200.10
Connecting to host 192.168.200.10, port 5201
[  4] local 192.168.1.174 port 49559 connected to 192.168.200.10 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.01   sec   210 KBytes  1.71 Mbits/sec
[  4]   1.01-2.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   2.01-3.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   3.01-4.00   sec  0.00 Bytes  0.00 bits/sec
[  4]   4.00-5.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   5.01-6.00   sec  0.00 Bytes  0.00 bits/sec
[  4]   6.00-7.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   7.01-8.00   sec  0.00 Bytes  0.00 bits/sec
[  4]   8.00-9.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   9.01-10.00  sec  0.00 Bytes  0.00 bits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   210 KBytes   172 Kbits/sec                  sender
[  4]   0.00-10.00  sec  65.0 KBytes  53.3 Kbits/sec                  receiver

Not good! Something along the way, or the FreeNAS server itself, is throwing away packets. There is nothing in particular that I can see in the opnsense nor in the FreeNAS logs, and I don't really know how to troubleshoot this.

FreeNAS runs on FreeBSD 11.1.

Help...?!
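The iperf3 run quoted in the post above is easier to reason about once the per-interval lines are turned into numbers: how many intervals carried data, where the first stall begins, and how the sender summary compares with the 940 Mbit/s seen between the healthy hosts. The following script is an added example, not code from the poster or from the iperf3 project; it parses the interval format iperf3 prints (the sample text is the post's own output with trailing whitespace trimmed, plus a constructed healthy run for contrast), and the "expected" throughput and the pattern labels are assumptions chosen for this illustration.

```python
import re

# Sample 1: the interval lines quoted in the post above (trailing spaces trimmed).
POST_OUTPUT = """\
foo$ ./iperf3 -c 192.168.200.10
Connecting to host 192.168.200.10, port 5201
[  4] local 192.168.1.174 port 49559 connected to 192.168.200.10 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.01   sec   210 KBytes  1.71 Mbits/sec
[  4]   1.01-2.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   2.01-3.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   3.01-4.00   sec  0.00 Bytes  0.00 bits/sec
[  4]   4.00-5.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   5.01-6.00   sec  0.00 Bytes  0.00 bits/sec
[  4]   6.00-7.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   7.01-8.00   sec  0.00 Bytes  0.00 bits/sec
[  4]   8.00-9.01   sec  0.00 Bytes  0.00 bits/sec
[  4]   9.01-10.00  sec  0.00 Bytes  0.00 bits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   210 KBytes   172 Kbits/sec                  sender
[  4]   0.00-10.00  sec  65.0 KBytes  53.3 Kbits/sec                  receiver
"""

# Sample 2: a constructed healthy run (not captured from the poster's network),
# shaped like the ~940 Mbit/s results the post reports between other hosts.
HEALTHY_OUTPUT = """\
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec   112 MBytes   940 Mbits/sec
[  5]   1.00-2.00   sec   112 MBytes   941 Mbits/sec
[  5]   2.00-3.00   sec   112 MBytes   939 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   0.00-3.00   sec   336 MBytes   940 Mbits/sec                  sender
[  5]   0.00-3.00   sec   335 MBytes   938 Mbits/sec                  receiver
"""

# One iperf3 interval or summary line: "[ id] start-end sec xfer unit bw unit/sec [role]".
INTERVAL_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?Bytes)\s+"
    r"(?P<bw>[\d.]+)\s+(?P<bunit>[KMG]?bits)/sec(?P<role>\s+\w+)?\s*$"
)
BIT_SCALE = {"bits": 1.0, "Kbits": 1e3, "Mbits": 1e6, "Gbits": 1e9}


def parse_iperf3(text):
    """Split iperf3 client output into per-interval records and the final summaries."""
    intervals, summaries = [], []
    for line in text.splitlines():
        m = INTERVAL_RE.match(line)
        if not m:
            continue  # banner, header and separator lines are skipped
        rec = {
            "start": float(m["start"]),
            "end": float(m["end"]),
            "bps": float(m["bw"]) * BIT_SCALE[m["bunit"]],
        }
        if m["role"]:
            rec["role"] = m["role"].strip()  # "sender" / "receiver" summary lines
            summaries.append(rec)
        else:
            intervals.append(rec)
    return intervals, summaries


def classify(intervals):
    """Label the shape of the run (labels are this example's own, not iperf3's)."""
    stalled = [i for i in intervals if i["bps"] == 0.0]
    if not stalled:
        return "healthy"
    # Data moved in the first interval and then nothing: the TCP handshake and some
    # payload got through, so this is not a plain "connection refused/blocked" case.
    if intervals[0]["bps"] > 0.0 and all(i["bps"] == 0.0 for i in intervals[1:]):
        return "initial_burst_then_stall"
    return "intermittent"


def assess(text, expected_bps=940e6):
    """Summarise a run against an assumed expected rate (940 Mbit/s as in the post)."""
    intervals, summaries = parse_iperf3(text)
    stalled = [i for i in intervals if i["bps"] == 0.0]
    sender = next((s["bps"] for s in summaries if s["role"] == "sender"), None)
    return {
        "intervals": len(intervals),
        "stalled": len(stalled),
        "first_stall_at": stalled[0]["start"] if stalled else None,
        "peak_bps": max((i["bps"] for i in intervals), default=0.0),
        "sender_bps": sender,
        "fraction_of_expected": (sender / expected_bps) if sender is not None else None,
        "pattern": classify(intervals),
    }


if __name__ == "__main__":
    for name, text in (("post", POST_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        print(name, assess(text))
```

For the posted run this reports ten intervals, nine of them stalled from 1.01 s onward, a 172 kbit/s sender rate (about 0.02 % of the 940 Mbit/s seen elsewhere) and the "initial_burst_then_stall" shape. That shape is the useful detail for troubleshooting: the connection was accepted and roughly 210 KB passed before everything stopped, which separates this from a rule that blocks the flow outright, where no interval would carry data at all.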