Messages

My OpnSense is configured to use an outgoing web proxy on the default gateway of the WAN interface.
That works fine.

Now the servers behind the OpnSense (different LANs) should also use this proxy, and I configured incoming and outgoing firewall rules to allow that.

The connections from the LAN clients behind the OpnSense to the proxy time out.
On the OpnSense every single firewall rule (also the auto created ones) is configured to log, and the Live View shows show the connection as passed on both interfaces (LAN and WAN). No block/drop logged there, no matter how I filter.
The packet capture shows the request to the proxy incoming on the LAN interface and outgoing on the WAN interface and the proxy's answer incoming on the WAN interface, but not anywhere else.

It looks as if the proxy's answer simply disappears between WAN interface and LAN interface without the firewall intercepting - but if I disable the firewall (pfctl -d in terminal), the proxy traffic works successful.

How can I find out why that happens?

Thanks for any hint or help.

I gave up on this. OpenBSD does the job von CentOS7&KVM pretty straightforward, so I give up on deploying OpnSense for this use case.
OpnSense is working really good in a VM on VMware (Fusion in my case) but version 19.1 is not usable on KVM on CentOS 7, as far as I can tell.

This is rightout weird.

I have tried several setups (with public WAN IP, private WAN IP, whatever).

The symptom is always the same:

1. Every requests going outside via the WAN interface is blocked (permission denied, errno=13), even if the firewall is disabled completely (pfctl -d).
2a. I can add a floating rule for the connection to an external DNS server. As long as I explicitly define the DNS server as destination, DNS requests to the outside are working and can bee seen on the KVM servers bridge connected to the WAN interface.
2b. The floating rule does not work if destination is "any" - not even for DNS-Requests.
3. Whatever additional floating rules for destinations outside WAN interface I add to allow traffic - nothing works, noting reaches the KVM server's bridge.
4. The default behaviour "outgoing traffic via WAN interface accepted" does not work.

Anyone any idea out there?

I have a new install of OpnSense 19.1.4 installed in a VM on KVM with lots of subnets behind it and WAN interface attached to a bridge where I can use iptables / ebtables, to log passing network packets.

Routing and similar stuff works fine, but local requests originating from the OpnSense are not leaving the OpnSense.

Example for unbound in forwrding mode reqesting the upstream server:
unbound: [25365:0] notice: sendto failed: Permission denied

Using telnet or openssl in the shell of the OpnSense leads to the same error.

I can see that
- these packages are logged in the firewall logs as leaving through the WAN interface
- these packages never show up on the bridge of the KVM server
- requests to the same targets from behind the OpnSense (from "inside") are routed to these target IPs perfectly and can be seen on ebtables / iptables as passing.

Funny thing is that Intrusion Detection is disabled, but these "permission denied" messages seem to always come from there if you google them.

Any hint or help would be appreciated.

Dirk

Hi all,

I have successfully setup and configured tinc via command line - now I would like to add firewall rules but see no way to add tinc's tun0 interface to the GUI.

Is there a way to trick tun0 into the GUI or do I have to add tinc related firewall rules via the command line?

Any hint or help is appreciated.

Cheers,

Dirk