General Discussion / LAN traffic being blocked to ESXi guests by Default Deny Rule (8)
« on: January 15, 2019, 06:13:25 am »
Hey there,
So I'd recently set up OPNsense on a ShuttlePC to work behind my ISP modem. From this I have the small network of devices on the ISP switch, and behind the OPNsense firewall are my workstations, ESX host, APs, etc. Once I migrated the ESX host and guests to behind the firewall, I lost the ability to locally access the VMs and their services. They are, however, correctly passing through from the firewall to the ISP firewall and out as expected, but all LAN to LAN traffic from guests to workstations is blocked by the Default Deny Rule.
I've gone so far as to create a very permissive * rule for even one set of ports, but no matter what, I could not get past that rule. I cannot ping to and from a workstation and a guest. I can ping between guests, which share the same VLAN and subnet as the workstations. I can ping between workstations. I can work through the ESX web console to control servers, and one of my guests lives on a storage device currently on a different subnet without issues (I haven't migrated it over due to the above issues once discovered).
I just cannot for the life of me figure out why traffic from LAN to ESX guests and back is being blocked.
Rough configuration:
Interface0 - Connects to ISP Modem
  ISP Address of OPN - 10.1.10.2
  Allows 80, 443, and custom ports to pass directly to OPN from ISP
Interface1 - Connects to Managed Switch
  Subnet Gateway - 10.1.54.1
  Passes 80, 443, and custom ports to specified servers on ESX
  Allows all traffic local to this subnet
Workstation
  IP pool - 10.1.54.0/24
  Cannot complete a ping to guests, can ping other devices on the network just fine
I'd say this was ESX being broken, but the live firewall logs are spamming that the traffic is being denied. I can load the websites and such fine when accessing from the ISP modem subnet. I've tried implementing the rules allowing this traffic as both interface rules and floating rules, but with no success.
Am I missing something?
Does this behavior make any sense?
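Added example, not part of the original post: a small Python check over firewall log lines that flags blocked flows whose source and destination sit in the same subnet (here the 10.1.54.0/24 LAN from the post). Hosts on one subnet reach each other through the switch, not the gateway, so a default-deny entry for such a flow is the anomaly worth investigating. The log layout (`iface,action,proto,src,dst`), the interface names igb0/igb1 and the /24 on the ISP side are assumptions, not OPNsense's real filterlog format.

```python
import ipaddress
from collections import Counter

# Subnets taken from the post: the LAN behind OPNsense and the ISP-side segment.
LAN_NET = ipaddress.ip_network("10.1.54.0/24")
ISP_NET = ipaddress.ip_network("10.1.10.0/24")  # assumed /24 for the ISP side

# Constructed sample lines in a simplified "iface,action,proto,src,dst" layout;
# this is NOT OPNsense's exact filterlog field order, just enough for the check.
SAMPLE_LOG = """\
igb1,block,icmp,10.1.54.20,10.1.54.50
igb1,block,tcp,10.1.54.20,10.1.54.50
igb1,block,icmp,10.1.54.50,10.1.54.20
igb1,pass,tcp,10.1.54.20,93.184.216.34
igb0,pass,tcp,10.1.10.7,10.1.10.2
igb1,block,udp,10.1.54.20,10.1.60.5
"""


def parse(line):
    """Split one simplified log line into its five fields."""
    iface, action, proto, src, dst = line.strip().split(",")
    return iface, action, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def classify(line):
    """'intra-subnet' if both endpoints share a known subnet, else 'inter-subnet'."""
    _, _, _, s, d = parse(line)
    for net in (LAN_NET, ISP_NET):
        if s in net and d in net:
            return "intra-subnet"
    return "inter-subnet"


def suspicious_denies(log_text):
    """Return (src, dst, proto) for blocked flows between hosts on the same subnet.
    Such traffic should never need the gateway, so seeing it denied by the
    firewall typically points at a host mask/gateway or segment mismatch."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, action, proto, s, d = parse(line)
        if action == "block" and classify(line) == "intra-subnet":
            out.append((str(s), str(d), proto))
    return out


def summarize(log_text):
    """Count intra- vs inter-subnet entries across the whole log."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())
```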