OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: JohnnyBeee on June 13, 2018, 11:03:23 pm
-
Hello.
I have a pretty basic OPNsense configuration (see attached pic).
My problem is that one type of outgoing connections from a PC on the LAN (to a socks proxy mainly, only used on that PC) appear in the log as from the firewall itself (with source IP 192.168.3.101). The label for these log entries is "let out anything from firewall host itself".
I cannot find a firewall rule with that description.
So I have 2 questions:
1) Why would these connection wrongly appear to come from the firewall?
2) Where is that rule "let out anything from firewall host itself" (and how can I avoid it clogging up my log)?
Thanks for any help.
-
How strange that this question has inspired NOBODY...
-
Is it that I am the only one experiencing this?
Or is everybody seeing this but nobody cares?
-
"let out anything from firewall host itself" is an internal rule that indeed allows traffic of local services (e.g. DNS, VPN, firmware updates) to connect to the internet. It's not falsely matching LAN traffic. But that may look like LAN traffic if you use a web proxy. :)
Cheers,
Franco
-
> "let out anything from firewall host itself" is an internal rule that indeed allows traffic of local services (e.g. DNS, VPN, firmware updates) to connect to the internet. It's not falsely matching LAN traffic. But that may look like LAN traffic if you use a web proxy. :)
> Cheers,
> Franco
Thanks for your reply.
Unfortunately this still remains unclear to me.
So this internal rule ("let out anything from firewall host itself") allows local services to connect to the internet.
Great. But the connections listed are not those of local services. Those are clearly connections from the LAN. I am not sure if I used the web proxy on OPNsense at the time, but even if I did, the only communications forwarded to the web proxy would have been HTTP connections on port 80, not connections to socks proxies on wholly different ports.
How could these connections show as emanating from the WAN interface?
-
Can you share the relevant logs to complement your question?
-
> Can you share the relevant logs to complement your question?
Unfortunately some time has passed since my ticket submission and I had to reinstall the firewall.
Today I no longer get those messages.
I was trying to understand what could have gotten wrong / I could have misconfigured in the past.
Thanks for your help.
-
I was a bit hasty with my last reply.
While I don't see messages in the firewall log, I do get related messages in Suricata:
2018-08-16T14:27:44.195066+0200 allowed wan 192.168.3.101 6256 85.159.237.208 1090 SURICATA STREAM TIMEWAIT ACK with wrong seq
2018-08-16T14:26:52.854997+0200 allowed wan 192.168.3.101 58169 85.159.237.208 1090 SURICATA STREAM CLOSEWAIT FIN out of window
2018-08-16T14:25:14.962624+0200 allowed wan 192.168.3.101 54187 85.159.237.208 1090 SURICATA STREAM excessive retransmissions
2018-08-16T14:25:14.720111+0200 allowed wan 192.168.3.101 17059 85.159.237.208 1090 SURICATA STREAM CLOSEWAIT FIN out of window
All these connections come from a computer on the LAN - NOT the OPNsense box.
Why do I not see the IP of the machine on the LAN?
:o
-
According to the log you've set Suricata to listen on WAN and it shows the IP after outbound NAT translation on the physical interface. :)
-
Thank you.
That makes sense.
But how can I get the real originating IP in the log?
I tried to set Suricata to listen on WAN and LAN but strangely enough this somehow blocked all outgoing connections to WAN...
And if possible, I would also like to avoid double entries (1 for LAN and 1 for WAN).
Having Suricata listen on the LAN interface/filter LAN connections just for that seems overkill too.
Is there a solution?
-
There is a solution but you are not going to like it. :)
Basically what you want is a dedicated transparent appliance bridging "WAN" and "LAN" without NAT and listening with Suricata on it, which you put between your LAN and the current OPNsense box doing NAT, so you have a clear view on your LAN and no NAT involved.
But this kind of mimics running Suricata on LAN on your present box, which means that if traffic gets blocked, Suricata is not properly tweaked for the network at hand just yet.
Cheers,
Franco
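As an added example (not from the thread, not OPNsense code), one way to recover the LAN host behind a WAN-side Suricata alert without moving the sensor: Suricata on WAN logs the post-NAT 5-tuple, and the pf state table still holds the pre-NAT source for every live connection, so the two can be joined on (proto, WAN src, src port, dst, dst port). The Suricata lines are the ones quoted in the thread; the pf state entry is constructed in `pfctl -ss` style (format assumed) with a made-up LAN host, and the protocol is assumed to be TCP because the thread's log format has no protocol field.

```python
import re
from typing import Dict, Optional, Tuple
# Constructed sample: two of the Suricata lines quoted in the thread
# (timestamp action iface src sport dst dport message). The source is the
# firewall's WAN address because Suricata on WAN sees packets after outbound NAT.
SURICATA_LOG = """\
2018-08-16T14:27:44.195066+0200 allowed wan 192.168.3.101 6256 85.159.237.208 1090 SURICATA STREAM TIMEWAIT ACK with wrong seq
2018-08-16T14:25:14.962624+0200 allowed wan 192.168.3.101 54187 85.159.237.208 1090 SURICATA STREAM excessive retransmissions
"""

# Constructed pf state entry in 'pfctl -ss' style (format assumed):
#   iface proto nat_src:port (original_src:port) -> dst:port  state
# The parenthesised address is the pre-NAT LAN host (made up). Only the first
# alert still has a live state; the second one's state has already expired.
PF_STATES = """\
wan tcp 192.168.3.101:6256 (192.168.1.50:50123) -> 85.159.237.208:1090       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<nat_src>[\d.]+):(?P<nat_port>\d+)\s+"
    r"\((?P<orig_src>[\d.]+):(?P<orig_port>\d+)\)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# (proto, post-NAT src, src port, dst, dst port) -> (LAN host, LAN port)
NatMap = Dict[Tuple[str, str, int, str, int], Tuple[str, int]]

def build_nat_map(states: str) -> NatMap:
    """Index pf states by their post-NAT 5-tuple so WAN-side alerts can be reversed."""
    nat_map: NatMap = {}
    for line in states.splitlines():
        m = STATE_RE.match(line)
        if m:
            key = (m["proto"], m["nat_src"], int(m["nat_port"]), m["dst"], int(m["dport"]))
            nat_map[key] = (m["orig_src"], int(m["orig_port"]))
    return nat_map

def resolve_lan_host(alert: str, nat_map: NatMap, proto: str = "tcp") -> Optional[Tuple[str, int]]:
    """Return (LAN host, LAN port) behind one WAN-side alert, or None if no state matches.
    The thread's log format has no protocol field, so the caller supplies it (TCP for SOCKS)."""
    fields = alert.split()
    if len(fields) < 7:
        return None
    _ts, _action, _iface, src, sport, dst, dport = fields[:7]
    return nat_map.get((proto, src, int(sport), dst, int(dport)))

if __name__ == "__main__":
    nat_map = build_nat_map(PF_STATES)
    for line in SURICATA_LOG.splitlines():
        hit = resolve_lan_host(line, nat_map)
        print(line.split()[4], "->", f"{hit[0]}:{hit[1]}" if hit else "no state (expired?)")
```

Because states are removed shortly after a connection closes, the join only works while the state is live, which is why a sensor on the LAN side or a NAT-free bridge, as Franco describes, remains the reliable answer.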