Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - Pecadis

Pages: [1]

20.7 Legacy Series / Re: Nat Reflection issue with DMZ inbetween

« on: September 08, 2020, 03:31:47 am »

In case someone is getting the same issue. The solution was to rtfm.

In short the Note on https://wiki.opnsense.org/manual/nat.html regarding NAT Reflection was the clue which was missing.

Quote

The NAT rules generated with enabling NAT reflection only include networks directly connected to your Firewall. This means if you have a private network separated from your LAN you need to add this with a manual outbound NAT rule.

I am wondering why it was working fine before, but anyway, after adding the Outbound NAT-Rule, everything worked fine again. The Rule was set to the DMZ Interface and the Internet address

20.7 Legacy Series / Re: Nat Reflection issue with DMZ inbetween

« on: September 07, 2020, 07:53:38 pm »

So from what i can see it seems to be a combination of a routing and reflection.

1. if i turn off the reflection, i will get the internal Opnsense Webinterface from the internal network.
2. If the Reflection is turned ON, nothing really happens except a timeout.

I am unfortunatly not that fluent with wireshark but it looks like the traffic is being redirected the wrong way.

192.168.123.8 is my internal server
172.16.2.10 is my dns server
172.16.0.1 is a floating IP, directing to my Loadbalancer
172.16.0.6 is actually my loadbalancer

The DNS resolution works fine (in blue) but it goes down from there.

No. Time Source Destination Protocol Length Info
167 1.342302 192.168.123.8 172.16.2.10 DNS 70 Standard query 0x93fa A example.com
168 1.342324 192.168.123.8 172.16.2.10 DNS 70 Standard query 0x2c56 AAAA example.com
169 1.344532 172.16.2.10 192.168.123.8 DNS 86 Standard query response 0x93fa A example.com A external.ip
170 1.347313 172.16.2.10 192.168.123.8 DNS 135 Standard query response 0x2c56 AAAA example.com SOA ns1.core-networks.de
171 1.347869 192.168.123.8 external.ip TCP 74 54302 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2410584100 TSecr=0 WS=128
172 1.348437 172.16.0.1 192.168.123.8 TCP 74 80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3548122877 TSecr=2410584100 WS=128
177 1.699807 172.16.0.6 192.168.123.8 TCP 74 57688 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=139042813 TSecr=0 WS=128
178 1.700173 192.168.123.8 172.16.0.6 TCP 74 443 → 57688 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3210445962 TSecr=139035692 WS=128
179 1.757788 192.168.123.8 172.16.0.6 TCP 74 443 → 57640 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3210446019 TSecr=139019221 WS=128
203 2.365703 192.168.123.8 external.ip TCP 74 [TCP Retransmission] 54302 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2410585118 TSecr=0 WS=128
204 2.366227 172.16.0.1 192.168.123.8 TCP 74 [TCP Retransmission] 80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3548123895 TSecr=2410584100 WS=128

Help would be much appreciated ._.

20.7 Legacy Series / [SOLVED] Nat Reflection issue with DMZ inbetween

« on: September 07, 2020, 01:32:11 am »

Hi everyone,

i have to admit, i did the worst thing someone can do. I Upgraded to the latest version. Jokes aside i am messing around the configs since about 10 hours and i am getting really frustrated about this issue.

In short my setup all of my firewalls are opnSense firewalls and this config was working with version 20.1.9

Internet -> FW01 -> DMZ (172.16.0.0/16) -> Fw02 -> Internal network (192.168.123.0/24)

FW01 is natting to the internet and has several rules in regards to Port forwarding in place
The DMZ has several Services running (more on this later)
The FW02 is simply routing the traffic (no natting/double-nat)

If i am trying to reach example.com from the Internet, everything works as expected
If i do the same from the DMZ, it still works (reflection seems to work)
But if i am in the Internal Network, it fails with the message "connection timeout".
Internet access in general (from internal through dmz directly into internet) works fine.

Now, if i do a traceroute from the Internal network to example.com, i can see the following
1. fw02
2. example.com (or the external ip of my FW01)

If i do the same from the DMZ, i only see the external ip of my FW01 (or the domain name if i resolve it).

Does anyone have an idea how i can solve this issue?

Thanks a lot.
Pecadis

General Discussion / Re: Enable (not start) a Plugin from Shell/Commandline

« on: May 17, 2019, 01:52:04 pm »

Hi Franco,

thanks for your offer, but i think that is easy to handle, basically just some File manipulation. A dedicated tool for that would be much more convenient. Wouldn't that be a nice feature?

maybe called "opnsense-plugin enable xxx"

General Discussion / Re: Enable (not start) a Plugin from Shell/Commandline

« on: May 16, 2019, 07:53:38 pm »

Hi Franco,

thank you for your feedback. That's at least a point i can work with =).

BR
Pecadis

General Discussion / Enable (not start) a Plugin from Shell/Commandline

« on: May 16, 2019, 01:31:13 pm »

Hi everyone,

i'm not sure if that's the right place but i am currently struggling to find any sources which can explain how i can enable a plugin rather than just restart it with the configctl tool.

I would appreciate any input on that.

Thanks

Pages: [1]