OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of kurtbuff »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - kurtbuff

Pages: [1]
1
General Discussion / Re: Configuring outbound access for multiple subnets on a layer 3 switch
« on: May 20, 2019, 04:39:19 pm »
The Ubiquiti switch is the gateway to the 172.31.120.0/24 subnet.

The only rules for 172.31.255.0/24 are the automatically generated ones. I haven't configured any rules for that subnet.

I do see denies for the pings from 172.31.120.0/25 in the live firewall log, though interestingly I don't see allow entries in the live log for pings from that subnet to the firewall. Kinda weird.

I can ping from the firewall across the Ubiquiti to the host in 172.31.120.0, and vice versa. I'm uploading screenshots of the web interface to provide more precise information.

Kurt

2
General Discussion / Re: Configuring outbound access for multiple subnets on a layer 3 switch
« on: May 20, 2019, 06:22:17 am »
I've added a LAN rule that allows icmp to the firewall from 172.31.120.0/24, and that works. I can ping from that subnet to the firewall (at 172.31.255.1), and get echo responses.

I've configured the firewall for "Hybrid outbound NAT rule generation", and hosts on the 172.31.255.0/24 subnet can get out just fine.

I then added a manual rule to the outbound NAT set for 172.31.120.0/24, and that wasn't sufficient to allow traffic from a host on 172.31.120.0/24 out to the Internet.

I also added a LAN rule for ICMP from 172.31.120.0/24 to the "WAN net" destination, and still can't ping 8.8.8.8 from a host on that subnet.

I then deleted those rules, and tried a floating rule, where I selected the LAN and WAN interfaces, the direction of out, protocol icmp with type of echo request, the source of 172.31.120.0/24, and the destination of "WAN net", and then "any". Still no joy.

I'm baffled.

3
General Discussion / Configuring outbound access for multiple subnets on a layer 3 switch
« on: May 16, 2019, 05:21:54 am »
All,

I've got Opnsense up and running, and behind it I have a Ubiquiti layer 3 switch.

I struggled for a while, but finally figured out that I needed to add a rule on the firewall to allow a subnet access to the firewall.

So far, I have this:

Internet <> OpnSense <172.31.255.0/24 > Ubiquiti <172.31.120.0/24

Hosts on the 120.0 subnet can get to, but not beyond, the firewall. By this I mean that from a host on the 120.0 subnet, I can ping and log to the opnsense box via ssh/https, but I can't ping e.g. 8.8.8.8, nor get DNS requests from 8.8.8.8. I see lots of denies from the default deny rule for these hosts.

Requests for configs happily provided, I've got the config xml file available for perusal.

Thanks,

Kurt

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2