General Discussion / Inconsistent rule behaviour?
« on: November 14, 2018, 11:16:56 pm »
Hi, I hope somebody can help:
I have (at the moment) a very simple setup.
My ISP's router has static 192.168.0.1, no DHCP enabled
OPNsense WAN interface has static 192.168.0.2 - it has DHCP enabled, is giving out its own address as the default gateway, and I have configured the IPv4 upstream gateway as 192.168.0.1
I'll ultimately have various private networks behind OPNsense, but none of these exist yet.
So a client machine gets its IP address from OPNsense DHCP, and if it wants to talk to a private network OPNsense will deal with that directly. If that client wants to talk out to the internet, OPNsense will pass the traffic on to the ISP router.
The WAN rules contain only the following:
Action  Proto   Source                         Port  Destination  Port  Gateway  Description
Deny    *       Reserved/not assigned by IANA  *     *            *     *        Block BOGON networks
Allow   IPv4 *  Wan net                        *     *            *     *        WAN internet traffic to ISP router
The routing seems to be working because if I do a tracert from a client machine I can see the traffic going first to 192.168.0.2, then to 192.168.0.1 and then out to the ISP network.
However in the logs I'm seeing packets from a host on the WAN sometimes being allowed by my allow rule, and other times being blocked by the default deny rule. I'm not sure why it's not being consistent! Same source IP, same dest IP, same ports. Sometimes it's allowed, other times not.
Example dest IP address: 40.67.251.132 dest port 443 (Microsoft).
Any suggestions? I am new to OPNsense so perhaps I'm missing something obvious?
Thanks!
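One way to narrow down the "same tuple, sometimes pass, sometimes block" symptom is to correlate the firewall log per 5-tuple and look at the TCP flags on the blocked packets: pf is stateful, so a TCP segment that belongs to no existing state and does not carry SYN cannot create one through the pass rule and falls through to the default deny. The script below is an added example, not the poster's or OPNsense's code, and it reads a constructed, simplified CSV (interface,action,proto,src,dst,sport,dport,tcpflags), not the real filterlog format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample lines in a simplified layout (NOT real OPNsense filterlog
# output). The first flow is passed on its SYN, then later non-SYN segments
# of the same 5-tuple are blocked, which is the pattern described in the post.
SAMPLE_LOG = """\
em0,pass,tcp,192.168.0.57,40.67.251.132,52110,443,S
em0,block,tcp,192.168.0.57,40.67.251.132,52110,443,A
em0,block,tcp,192.168.0.57,40.67.251.132,52110,443,PA
em0,pass,tcp,192.168.0.57,40.67.251.132,52111,443,S
em0,block,tcp,192.168.0.57,40.67.251.132,52111,443,FA
em0,pass,udp,192.168.0.57,192.168.0.1,51000,53,
"""

FIELDS = ["iface", "action", "proto", "src", "dst", "sport", "dport", "tcpflags"]


def parse_lines(text):
    """Parse the simplified CSV into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def inconsistent_flows(records):
    """Return 5-tuples that were both passed and blocked, with pass/block
    counts and the set of TCP flags seen on the blocked packets."""
    flows = defaultdict(lambda: {"pass": 0, "block": 0, "blocked_flags": set()})
    for r in records:
        key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
        entry = flows[key]
        entry[r["action"]] += 1
        if r["action"] == "block":
            entry["blocked_flags"].add(r["tcpflags"])
    return {k: v for k, v in flows.items() if v["pass"] and v["block"]}


def likely_out_of_state(entry):
    """True when every blocked packet of the flow was a TCP segment without
    SYN, i.e. traffic that matched no state rather than a rule mismatch."""
    flags = entry["blocked_flags"]
    return bool(flags) and all("S" not in f for f in flags)


if __name__ == "__main__":
    for key, entry in inconsistent_flows(parse_lines(SAMPLE_LOG)).items():
        print(key, entry["pass"], entry["block"], likely_out_of_state(entry))
```

If the blocked packets are consistently non-SYN segments, the thing to inspect is state handling (state timeouts, asymmetric paths, or a rule change that flushed states) rather than the rule set itself.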