Messages - Pecadis

#1
In case someone is getting the same issue: the solution was to RTFM.

In short, the note on https://wiki.opnsense.org/manual/nat.html regarding NAT reflection was the clue that was missing.

Quote: The NAT rules generated with enabling NAT reflection only include networks directly connected to your Firewall. This means if you have a private network separated from your LAN you need to add this with a manual outbound NAT rule.

I am wondering why it was working fine before, but anyway, after adding the outbound NAT rule, everything worked fine again. The rule was set to the DMZ interface and the Internet address.
#2
So from what I can see, it seems to be a combination of routing and reflection.

1. If I turn off the reflection, I get the internal OPNsense web interface from the internal network.
2. If the reflection is turned on, nothing really happens except a timeout.

I am unfortunately not that fluent with Wireshark, but it looks like the traffic is being redirected the wrong way.

192.168.123.8 is my internal server
172.16.2.10 is my DNS server
172.16.0.1 is a floating IP, directing to my load balancer
172.16.0.6 is actually my load balancer

The DNS resolution works fine (in blue) but it goes down from there.

No.   Time   Source   Destination   Protocol   Length   Info
167   1.342302   192.168.123.8   172.16.2.10   DNS   70   Standard query 0x93fa A example.com
168   1.342324   192.168.123.8   172.16.2.10   DNS   70   Standard query 0x2c56 AAAA example.com
169   1.344532   172.16.2.10   192.168.123.8   DNS   86   Standard query response 0x93fa A example.com A external.ip
170   1.347313   172.16.2.10   192.168.123.8   DNS   135   Standard query response 0x2c56 AAAA example.com SOA ns1.core-networks.de

171   1.347869   192.168.123.8   external.ip   TCP   74   54302 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2410584100 TSecr=0 WS=128
172   1.348437   172.16.0.1   192.168.123.8   TCP   74   80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3548122877 TSecr=2410584100 WS=128
177   1.699807   172.16.0.6   192.168.123.8   TCP   74   57688 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=139042813 TSecr=0 WS=128
178   1.700173   192.168.123.8   172.16.0.6   TCP   74   443 → 57688 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3210445962 TSecr=139035692 WS=128
179   1.757788   192.168.123.8   172.16.0.6   TCP   74   443 → 57640 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3210446019 TSecr=139019221 WS=128
203   2.365703   192.168.123.8   external.ip   TCP   74   [TCP Retransmission] 54302 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2410585118 TSecr=0 WS=128
204   2.366227   172.16.0.1   192.168.123.8   TCP   74   [TCP Retransmission] 80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3548123895 TSecr=2410584100 WS=128

Help would be much appreciated ._.
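What the capture above shows is a SYN sent to external.ip being answered by a SYN/ACK whose source address is 172.16.0.1, i.e. the reply came back from the DMZ host directly (via FW02) instead of being un-NATed on FW01, so the client's TCP stack cannot match it to its connection and keeps retransmitting. The following script is an added example (not from the thread or from OPNsense) that reads Wireshark summary lines like the ones posted and flags exactly that pattern: a SYN/ACK whose source is not the address the matching SYN was sent to. The sample lines are constructed from the capture above, with the poster's placeholder external.ip kept as-is.

```python
import re
from dataclasses import dataclass

# Constructed sample: TCP summary lines taken from the capture in the post,
# trimmed to the columns this script needs. "external.ip" is the poster's
# placeholder for FW01's public address, kept as-is.
CAPTURE = """\
171   1.347869   192.168.123.8   external.ip   TCP   74   54302 → 80 [SYN] Seq=0 Win=64240 Len=0
172   1.348437   172.16.0.1   192.168.123.8   TCP   74   80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
177   1.699807   172.16.0.6   192.168.123.8   TCP   74   57688 → 443 [SYN] Seq=0 Win=64240 Len=0
178   1.700173   192.168.123.8   172.16.0.6   TCP   74   443 → 57688 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
179   1.757788   192.168.123.8   172.16.0.6   TCP   74   443 → 57640 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
203   2.365703   192.168.123.8   external.ip   TCP   74   [TCP Retransmission] 54302 → 80 [SYN] Seq=0 Win=64240 Len=0
204   2.366227   172.16.0.1   192.168.123.8   TCP   74   [TCP Retransmission] 80 → 54302 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
"""


@dataclass(frozen=True)
class Packet:
    frame: int
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


@dataclass(frozen=True)
class Finding:
    syn_frame: int
    reply_frame: int
    client: str
    expected_server: str   # address the SYN was sent to
    actual_replier: str    # address the SYN/ACK actually came from
    server_port: int


# "54302 → 80 [SYN, ACK]" inside the Info column (optionally preceded by
# "[TCP Retransmission]")
_INFO_RE = re.compile(r"(\d+) → (\d+) \[([^\]]+)\]")


def parse_summary(text):
    """Parse Wireshark summary lines (No. Time Src Dst Proto Len Info) into Packets.

    Non-TCP lines and lines without a recognisable port/flag pattern are skipped.
    """
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The first six columns never contain spaces; the rest is the Info column.
        parts = re.split(r"\s+", line, maxsplit=6)
        if len(parts) < 7 or parts[4] != "TCP":
            continue
        m = _INFO_RE.search(parts[6])
        if not m:
            continue
        flags = frozenset(f.strip() for f in m.group(3).split(","))
        packets.append(Packet(int(parts[0]), parts[2], parts[3],
                              int(m.group(1)), int(m.group(2)), flags))
    return packets


def find_unnated_replies(text):
    """Return one Finding per SYN/ACK whose source differs from the SYN's destination.

    A reply like that cannot match any socket on the client (the 4-tuple differs),
    which is why the client in the capture keeps retransmitting its SYN.
    """
    pending = {}   # (client, client_port, server_port) -> (server addr, syn frame)
    findings = []
    for p in parse_summary(text):
        if p.flags == {"SYN"}:
            pending[(p.src, p.sport, p.dport)] = (p.dst, p.frame)
        elif p.flags == {"SYN", "ACK"}:
            key = (p.dst, p.dport, p.sport)
            if key not in pending:
                continue   # reply to a SYN we did not see (e.g. frame 179)
            expected, syn_frame = pending[key]
            if p.src != expected:
                findings.append(Finding(syn_frame, p.frame, p.dst,
                                        expected, p.src, p.sport))
    return findings


if __name__ == "__main__":
    for f in find_unnated_replies(CAPTURE):
        print(f"frame {f.syn_frame}: {f.client} -> {f.expected_server}:{f.server_port}, "
              f"but frame {f.reply_frame} replied from {f.actual_replier}")
```

Each reported finding is a connection whose return path bypassed the reflecting NAT. Once the outbound NAT rule from post #1 is in place the DMZ host sees FW01 as the client and replies to it, so the SYN/ACK reaching the client carries the original destination address and this check reports nothing.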
#3
Hi everyone,

I have to admit, I did the worst thing someone can do: I upgraded to the latest version. Jokes aside, I have been messing around with the configs for about 10 hours and I am getting really frustrated about this issue.

In short, in my setup all of my firewalls are OPNsense firewalls, and this config was working with version 20.1.9.

Internet -> FW01 -> DMZ (172.16.0.0/16) -> Fw02 -> Internal network (192.168.123.0/24)

FW01 is NATting to the internet and has several port forwarding rules in place.
The DMZ has several services running (more on this later).
FW02 is simply routing the traffic (no NATting/double NAT).

If I try to reach example.com from the Internet, everything works as expected.
If I do the same from the DMZ, it still works (reflection seems to work).
But if I am in the internal network, it fails with the message "connection timeout".
Internet access in general (from internal through the DMZ directly into the internet) works fine.

Now, if I do a traceroute from the internal network to example.com, I see the following:
1. fw02
2. example.com (or the external IP of my FW01)

If I do the same from the DMZ, I only see the external IP of my FW01 (or the domain name if I resolve it).

Does anyone have an idea how I can solve this issue?

Thanks a lot.
Pecadis
#4
Hi Franco,

thanks for your offer, but I think that is easy to handle, basically just some file manipulation. A dedicated tool for that would be much more convenient. Wouldn't that be a nice feature? ;) Maybe called "opnsense-plugin enable xxx".
#5
Hi Franco,

thank you for your feedback. That's at least a point I can work with =).

BR
Pecadis
#6
Hi everyone,

I'm not sure if that's the right place, but I am currently struggling to find any sources which explain how I can enable a plugin rather than just restart it with the configctl tool.

I would appreciate any input on that.

Thanks