Messages - smpoole7

#1
19.1 Legacy Series / Re: Routing to the WAN-subnet
July 17, 2019, 09:47:32 PM
I'm posting this here in case anyone else should come across this. Our Webserver originally faced the Internet directly on the 173.x.x.33 address. The default gateway was set to .38 (of course). Mask was /29.

To speed up the move, we set up the OPNsense firewall, ready to go. On the Webserver, we tasked one of the other network interfaces to the 192.168.x.x network, to work on OPN's LAN side. We unplugged the old cable and slipped the OPNsense box in line. So far, so good ...

We of course set up the new default gateway in the Webserver to point to the OPNsense box. What we forgot to do was to take down (deactivate) the old NIC that had the 173.x.x.x config. So ... from inside the office, on a 173.x.x.x network, OPNsense was working fine. The WEBSERVER was then sending its replies through what it thought was the correct (old) interface.

Killing the interface on the Web server took care of the problem. *Whimper.*

(This is one of those things that makes you slap yourself once you find it.)

The moral of this story: stating the obvious, but routing is routing. Always check everything before assuming that your new shiny firewall might be the problem ...
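Why only the office could not reach the server, as an added illustration that is not part of the post: a longest-prefix-match lookup over the Web server's routing table. Addresses are constructed stand-ins (TEST-NET-3 203.0.113.32/29 for the 173.x.x.x block, 192.168.10.0/24 for the OPNsense LAN).

```python
import ipaddress

# Constructed stand-ins for the thread's addresses (not the real ones).
OLD_PUBLIC_SUBNET = "203.0.113.32/29"   # stale NIC config, cable unplugged
OFFICE_WAN_ADDR = "203.0.113.35"        # office NAT address in the same /29
LAN_SUBNET = "192.168.10.0/24"          # OPNsense LAN side
OPNSENSE_LAN_ADDR = "192.168.10.1"      # new default gateway


def build_routes(old_nic_up):
    """Routing table as (prefix, interface, next_hop) for the Web server.

    With the old NIC still configured, its directly connected /29 stays in
    the table and is more specific than the default route via OPNsense.
    """
    routes = [
        (ipaddress.ip_network(LAN_SUBNET), "lan0", None),
        (ipaddress.ip_network("0.0.0.0/0"), "lan0", OPNSENSE_LAN_ADDR),
    ]
    if old_nic_up:
        routes.append((ipaddress.ip_network(OLD_PUBLIC_SUBNET), "old0", None))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def reply_reaches_client(client_addr, old_nic_up):
    """True if the server's reply to client_addr leaves via OPNsense.

    Replies chosen for the unplugged old NIC never reach the client, which
    is exactly the 'everyone but the office' symptom in the thread.
    """
    iface, _ = lookup(build_routes(old_nic_up), client_addr)
    return iface == "lan0"


if __name__ == "__main__":
    for client in ("198.51.100.7", OFFICE_WAN_ADDR):
        for up in (True, False):
            print(client, "old NIC up" if up else "old NIC down",
                  "reachable" if reply_reaches_client(client, up) else "times out")
```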

#2
19.1 Legacy Series / Re: Routing to the WAN-subnet
July 17, 2019, 12:06:16 AM
I'm having a similar problem and I'm similarly stumped. No virtual IPs in our case, but on the WAN side, we have a typical "block of 8" assigned by our ISP:

Usable 173.x.x.33 through .37, .38 is the WAN gateway.
.33 is our Web server external address - OPNsense lives here
.34 is for our FTP server (on a completely different firewall -- ClearOS)
.35 is for office Internet access (ClearOS)
.36 is for internal business (ClearOS)
.37 is reserved

On the LAN side, we have a standard 192.168.x.x subnet, port forwarding to a single host (a Web server).

From any WAN IP address *except* for one of the above, we can get into the Web server. From my house, from my phone, people in Chicago, people in NY. Everyone can get in. (This server is on Comcast in Denver.)

From inside the office in Denver, we cannot get onto the Web server. Anyone inside the office will be assigned via DHCP an IP in a 10.x.x.x subnet, using .35 as their external (WAN) address. If they try to go to our Website there in the office, either by host name or directly via IP address, it times out. Web or SSH, neither one works. The firewall is obviously blocking 173.x.x.35.

Any ideas? We've pored over the configuration a half dozen times and don't see anything obvious.