Messages - kurtbuff

#1
The Ubiquiti switch is the gateway to the 172.31.120.0/24 subnet.

The only rules for 172.31.255.0/24 are the automatically generated ones. I haven't configured any rules for that subnet.

I do see denies for the pings from 172.31.120.0/25 in the live firewall log, though interestingly I don't see allow entries in the live log for pings from that subnet to the firewall. Kinda weird.

I can ping from the firewall across the Ubiquiti to the host in 172.31.120.0, and vice versa. I'm uploading screenshots of the web interface to provide more precise information.

Kurt
#2
I've added a LAN rule that allows icmp to the firewall from 172.31.120.0/24, and that works. I can ping from that subnet to the firewall (at 172.31.255.1), and get echo responses.

I've configured the firewall for "Hybrid outbound NAT rule generation", and hosts on the 172.31.255.0/24 subnet can get out just fine.

I then added a manual rule to the outbound NAT set for 172.31.120.0/24, and that wasn't sufficient to allow traffic from a host on 172.31.120.0/24 out to the Internet.

I also added a LAN rule for ICMP from 172.31.120.0/24 to the "WAN net" destination, and still can't ping 8.8.8.8 from a host on that subnet.

I then deleted those rules, and tried a floating rule, where I selected the LAN and WAN interfaces, the direction of out, protocol icmp with type of echo request, the source of 172.31.120.0/24, and the destination of "WAN net", and then "any". Still no joy.

I'm baffled.
#3
All,

I've got Opnsense up and running, and behind it I have a Ubiquiti layer 3 switch.

I struggled for a while, but finally figured out that I needed to add a rule on the firewall to allow a subnet access to the firewall.

So far, I have this:

Internet <> OpnSense <172.31.255.0/24 > Ubiquiti <172.31.120.0/24

Hosts on the 120.0 subnet can get to, but not beyond, the firewall. By this I mean that from a host on the 120.0 subnet, I can ping and log in to the opnsense box via ssh/https, but I can't ping e.g. 8.8.8.8, nor get DNS requests from 8.8.8.8. I see lots of denies from the default deny rule for these hosts.

Requests for configs happily provided, I've got the config xml file available for perusal.

Thanks,

Kurt
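An added example, not from the thread or from OPNsense itself, that models the three things the firewall must have for a subnet living behind a downstream layer 3 switch (the situation in posts #2 and #3): a route back to that subnet, a pass rule whose source actually contains it, and outbound NAT for it. Interface aliases such as "LAN net" and "WAN net" expand only to the interface's directly connected subnet; the WAN prefix, the rule and route representation and the sample states are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology: the transit /24 and the downstream
# /24 come from the posts, the WAN prefix is an assumed documentation range.
IFACE_NETS = {"LAN": "172.31.255.0/24", "WAN": "203.0.113.0/24"}
DOWNSTREAM = "172.31.120.0/24"

def expand(alias, iface_nets):
    """Expand a rule alias the way the firewall does: '<IF> net' is only that
    interface's own subnet, never a subnet routed behind it."""
    if alias == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if alias.endswith(" net"):
        return ipaddress.ip_network(iface_nets[alias[:-4]])
    return ipaddress.ip_network(alias)

def covers(aliases, target, iface_nets):
    """True if any alias in the list contains the target network."""
    target = ipaddress.ip_network(target)
    return any(target.subnet_of(expand(a, iface_nets)) for a in aliases)

def check_downstream(downstream, static_routes, pass_rules, outbound_nat,
                     iface_nets=IFACE_NETS):
    """Return the unmet requirements for a subnet behind a layer 3 switch on LAN.
    static_routes: {network: gateway}; pass_rules: dicts with interface, source,
    destination; outbound_nat: list of source aliases translated on WAN."""
    net = ipaddress.ip_network(downstream)
    problems = []
    # 1. Replies to downstream hosts need a route back via the switch; otherwise
    #    the firewall sends them out the default route.
    known = list(static_routes) + list(iface_nets.values())
    if not any(net.subnet_of(ipaddress.ip_network(k)) for k in known):
        problems.append("no route back to %s" % downstream)
    # 2. A LAN pass rule whose source contains the downstream subnet and whose
    #    destination reaches the Internet: 'WAN net' is only the WAN link subnet,
    #    so it does not include 8.8.8.8, and 'LAN net' excludes 172.31.120.0/24.
    if not any(r["interface"] == "LAN"
               and covers([r["source"]], downstream, iface_nets)
               and covers([r["destination"]], "8.8.8.8/32", iface_nets)
               for r in pass_rules):
        problems.append("no LAN pass rule from %s to the Internet" % downstream)
    # 3. Outbound NAT must translate the downstream source addresses as well.
    if not covers(outbound_nat, downstream, iface_nets):
        problems.append("no outbound NAT for %s" % downstream)
    return problems

if __name__ == "__main__":
    # The state post #2 describes: NAT added, LAN rule to "WAN net", no route back.
    rules = [{"interface": "LAN", "source": DOWNSTREAM, "destination": "WAN net"}]
    print(check_downstream(DOWNSTREAM, {}, rules, ["LAN net", DOWNSTREAM]))
```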