Messages

1

General Discussion / Re: Allow GUI access on WAN when WAN is on the LAN

« on: January 16, 2019, 03:02:58 pm »

I figured it out. Doing a dump with pfctl -sr | grep 8443, I noticed that reply-to was sending the replies to my gateway (192.168.1.1) instead of the machine on the LAN.

I have fixed this by clicking on advanced options, and then checking disable reply-to.

All is well now.

2

General Discussion / Re: How do I detect "bad" packets and prevent them from hitting the WAN?

« on: January 16, 2019, 02:05:37 pm »

Seems like you're going to have a ton of packets to deal with, and tcpdump will very likely fill up your hard drive if you are using smallre equipment.

If that is the case, you can do this:

1. SSH into your box
2. Run this command:

tcpdump -s 0 -U -n -i reX -w - | nc [ip you want to send to] [port number]

This will fire up tcpdump on your specified interface (re0? re1?), and pipe the output to netcat, which will send that data to an ip and port of your choosing.

Let's assume you have a (linux) workstation at 192.168.1.100, you would do:

tcpdump -s 0 -U -n -i re0 -w - | nc 192.168.1.100 8888

No, on that workstation, you need to have netcat start listening to that traffic, and allow it to be read:

First, we have to make a named pipe:

mkfifo /tmp/fwdump

Next, we need to have netcat listen to the traffic and run it to that pipe:

nc -l 8888 /tmp/fwdump

Lastly, start wireshark to listen to that pipe:

wireshark -k -i /tmp/fwdump

Now, you can watch the traffic in real-time on your local workstation, and dump the *giant* file to disk for perusal.

3

General Discussion / Allow GUI access on WAN when WAN is on the LAN

« on: January 16, 2019, 01:56:02 pm »

I am trying to use opnsense to create a lab environment.

The topology is this:

LABLAN (192.168.252.0/22) <--> WANLAN (192.168.1.97) <--> REALWAN (public internet).

So, this is a lab network that is inside our office network, where the lab network's "WAN" address is a private IP address on our LAN.

This works, and the machines on the LABLAN can access the internet (Example path: 192.168.252.100 -> 192.168.252.1 -> 192.168.1.97 -> 192.168.1.1 -> public internet

Here's my problem:
I want to be able to manage the firewall from the office LAN (192.168.1.100), which means I have to access the OpnSense firewall on 192.168.1.97.

To do this, I took the following steps:

• Turned off "block private networks"

Turned off bogon networks (not really related, but I did do this).[/li]
[li]Changed the management port to 8443[/li][/list]
Created a NAT rule to forward TCP with a destination of 8443 on the WAN address to the LAN address for the firewall at the same port
[/list]

This does not work. Firewall logs show that the traffic was allowed (I see a "pass" entry with the source IP of my workstation and a destination IP of the WAN), but I cannot access the gui.

This works with pfSense, tomato firmware, and other firewalls I have used. But, it seems I have missed a step here.

Does anyone know how to make this work?