Messages - mflammia

#1
Thank you for taking the time to answer, and clearing this up for me. I am also getting an IPv6 address, so will look into this.

Many thanks
#2
Apologies in advance if this turns out to be an obvious one, but it is currently baffling me.

The WAN interface on my firewall shows as 100.73.x.x, and when I look at the logs this is also what it shows as itself. When I take PCAPs, it is the same.

My Dynamic DNS, though, is reporting it as a completely different address, 188.74.x.x. I might have thought this was an error, but I have a WireGuard site-to-site VPN with another OPNsense firewall, and it sees this end as 188.74.x.x as well?

I am trying to diagnose an issue where traffic doesn't seem to be reaching this firewall, i.e. when looking at logs and PCAPs, and SSH'ing or HTTP'ing to 100.73.x.x, it's not showing up. I am currently working abroad and trying to get my WireGuard VPN working, and for all the testing I am doing it just doesn't look like it's reaching the firewall.

It used to work, and I have recently changed my ISP, so it might be related? I just can't make sense of why the firewall thinks it's one IP address but other devices see it as something completely different.

In either case, using either IP, I can never seem to see the traffic I generate hitting the firewall, either in logs or PCAPs.

To me this seems illogical, but I'm hoping someone has an answer or something for me to try?
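A point worth checking in the situation above: 100.64.0.0/10 is the RFC 6598 shared address space that ISPs use for carrier-grade NAT, so a WAN interface holding a 100.73.x.x address is itself behind the ISP's NAT, and inbound connections to the 188.74.x.x address the outside world sees are dropped at the carrier before they can reach the firewall's logs or packet captures. The script below is an added example (not from the post or from OPNsense) that classifies the WAN address against the externally observed one; the full addresses used as input are constructed, since the post only shows the first two octets.

```python
"""Classify an OPNsense WAN address against the address the outside world
sees, to tell CGNAT apart from a local double-NAT or a direct public IP.

Added example; the sample addresses are constructed from the masked
prefixes in the post (100.73.x.x, 188.74.x.x), the last two octets are
made up.
"""
import ipaddress

CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space
PRIVATE_SPACES = [                                    # RFC 1918
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Return one of:
    'direct'     - WAN holds the public address the world sees
    'cgnat'      - WAN is in RFC 6598 space; the ISP is doing NAT upstream
    'double-nat' - WAN is RFC 1918; a local router is doing NAT upstream
    'mismatch'   - WAN is public but differs from what the world sees
    """
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)
    if wan == observed:
        return "direct"
    if wan in CGNAT_SPACE:
        return "cgnat"
    if any(wan in net for net in PRIVATE_SPACES):
        return "double-nat"
    return "mismatch"


def inbound_reachable(wan_ip: str, observed_ip: str) -> bool:
    """Inbound connections (a WireGuard peer dialling in from abroad, an SSH
    test against the DDNS name) can only reach the firewall directly when it
    holds the externally visible address itself."""
    return classify_wan(wan_ip, observed_ip) == "direct"


if __name__ == "__main__":
    # Constructed values; the post only shows the first two octets.
    wan, seen = "100.73.1.2", "188.74.3.4"
    print(classify_wan(wan, seen))       # cgnat
    print(inbound_reachable(wan, seen))  # False
```

When the result is `cgnat`, no amount of firewall rule or state-table work will make inbound traffic appear, because it never leaves the carrier; the usual ways out are asking the ISP for a public (non-CGNAT) address, using the IPv6 address the firewall is also receiving, or having the WireGuard tunnel initiated from the side that does have a reachable address.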
#3
Not sure if this is normal, or an issue.

I am currently trying to diagnose an issue reaching the firewall. When looking at the firewall logs, all I see are entries for traffic that the firewall is sending and receiving itself. Logging is enabled with "Log packets matched from the default block rules put in the ruleset".

I found the only way to see all the traffic, including Deny, is go to Firewall -> Diagnostics -> States -> Actions and Reset State Table and Reset Source Tracking.

This only works for a very short time, then it reverts back to how it was.

The same goes for doing a PCAP on the WAN interface. Until I reset both of these states, I only see what I see in the logs, i.e. just traffic that the firewall processes, not all traffic.

I can see why this might be, since the junk traffic might be overwhelming? What I am not sure of is whether this is normal, or whether I can turn it off so I can accurately debug and see all traffic in logs and PCAPs without having to keep resetting all the time.

I am on version OPNsense 23.10.3-amd64, on official OPNsense hardware.

Many thanks in advance.
#4
Figured out the problem.

1st issue was that I had added a route for the subnet to the WAN gateway. This was a mistake, as local subnets do not need this.

2nd issue was that I was configuring the VLAN for a guest captive portal. When I disabled the portal it started working.

Not sure if anyone will make the same mistake, but hopefully useful if so.
#5
Hi,

I have created a new VLAN. Internally this works; I can ping the default gateway set on the firewall, 172.16.11.1. Devices get an IP address from DHCP running on the firewall. I have a rule that is fully open (any / any). The firewall log shows traffic being allowed, nothing blocking.

I assumed a routing / NATing issue, although that seems to me to be configured OK?

I am unable to see where I am going wrong; screenshots of the various configuration and logs are attached.

https://drive.google.com/file/d/1uQvDNx2DgHTYDQPgurbf7nKqeK2fGxfy/view?usp=sharing
https://drive.google.com/file/d/12LZidB3ebAy2rJMgYUeVYy4oVC4BBLd4/view?usp=sharing
https://drive.google.com/file/d/1bX5JQprzcERiZhGOptB3VaNeT4dT3gCj/view?usp=sharing
https://drive.google.com/file/d/1Xesct-SFUqT9CdFwJaBuYF00YlMnM-0c/view?usp=sharing
https://drive.google.com/file/d/1Q0nI2jRZuJm5D4OFZBHlYf4R4ltvvhEl/view?usp=sharing

Many thanks in advance
#6
This is now working.

Not sure what was clashing, but I changed the default port of 30000 to 30010.

Some other things I learnt: if you get this error:

[Redis.cpp:120] ERROR: NOAUTH Authentication required.

remove any configured password in the Redis configuration.
#7
Hi,

Having issues loading the WebGui of ntopng.

Followed these instructions:

https://www.ntop.org/guides/ntopng/third_party_integrations/opnsense.html

Added an image that shows the following:


  • Redis and ntopng configuration
  • Installed packages and versions

The following output shows the ntopng service running and ports open:

root@OPNsense:~ # service ntopng status
ntopng is running as pid 50179.

root@OPNsense:~ # sockstat | grep -i ntopng
ntopng   ntopng     50179 1  udp4   192.168.0.254:49811   *:*
ntopng   ntopng     50179 17 udp4   *:*                   *:*
ntopng   ntopng     50179 20 tcp4   127.0.0.1:28116       127.0.0.1:6379
ntopng   ntopng     50179 21 tcp4   127.0.0.1:22209       127.0.0.1:6379
ntopng   ntopng     50179 24 udp4   *:41942               *:*
ntopng   ntopng     50179 25 udp4   *:*                   *:*
ntopng   ntopng     50179 27 tcp4   *:3000                *:*

The firewall has been rebooted. Tried using Web certificate and https, but makes no difference. Also deleted packages and re-added, also no difference.

Just wondered if anyone had any other ideas or advice.

Much appreciated in advance.
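The sockstat output in the post answers two questions a practitioner would check before anything else: whether ntopng is actually listening on its web port, and whether it has established connections to Redis on 127.0.0.1:6379. The parser below is an added example (not part of the post or of the ntopng/OPNsense tooling) that reads FreeBSD `sockstat` output and pulls those facts out; the embedded sample is the output quoted above, and the function names are this example's own. Note that two established connections to Redis only show the TCP side is fine; a `NOAUTH Authentication required` error like the one in the later post is returned by Redis over an already established connection, so it would not show up here.

```python
"""Parse FreeBSD `sockstat` output and check ntopng's listening and Redis
state. Added example; the sample text is the sockstat output from the post.
"""

# Sample input: the sockstat lines quoted in the post (USER COMMAND PID FD
# PROTO LOCAL FOREIGN). sockstat prints a header line on a real system;
# parse_sockstat() skips it if present.
SAMPLE_SOCKSTAT = """\
ntopng   ntopng     50179 1  udp4   192.168.0.254:49811   *:*
ntopng   ntopng     50179 17 udp4   *:*                   *:*
ntopng   ntopng     50179 20 tcp4   127.0.0.1:28116       127.0.0.1:6379
ntopng   ntopng     50179 21 tcp4   127.0.0.1:22209       127.0.0.1:6379
ntopng   ntopng     50179 24 udp4   *:41942               *:*
ntopng   ntopng     50179 25 udp4   *:*                   *:*
ntopng   ntopng     50179 27 tcp4   *:3000                *:*
"""


def split_endpoint(endpoint):
    """'127.0.0.1:6379' -> ('127.0.0.1', 6379); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_sockstat(text):
    """Return one dict per socket line; skips the header and malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = fields
        entries.append({
            "user": user, "command": command, "pid": int(pid), "fd": int(fd),
            "proto": proto,
            "local": split_endpoint(local), "foreign": split_endpoint(foreign),
        })
    return entries


def tcp_listeners(entries, command="ntopng"):
    """TCP sockets with no peer are listening sockets: [(bind_host, port)]."""
    return [e["local"] for e in entries
            if e["command"] == command and e["proto"].startswith("tcp")
            and e["foreign"] == ("*", None)]


def connections_to(entries, host, port, command="ntopng"):
    """Number of established TCP connections from `command` to host:port."""
    return sum(1 for e in entries
               if e["command"] == command and e["proto"].startswith("tcp")
               and e["foreign"] == (host, port))


def check_ntopng(entries, web_port=3000, redis_port=6379):
    """Summarise what matters for the 'web GUI does not load' case."""
    listeners = tcp_listeners(entries)
    web = [l for l in listeners if l[1] == web_port]
    return {
        "web_listening": bool(web),
        # '*' means bound on every interface, WAN included: if the web GUI is
        # reachable at all, a firewall rule must keep it off the WAN side.
        "web_bound_everywhere": any(host == "*" for host, _ in web),
        "redis_clients": connections_to(entries, "127.0.0.1", redis_port),
    }


if __name__ == "__main__":
    print(check_ntopng(parse_sockstat(SAMPLE_SOCKSTAT)))
```

On the posted output the summary reports the web port listening on all addresses and two Redis connections, which means a GUI that still fails to load is not a socket problem: the remaining suspects are a firewall rule on the interface used to reach port 3000, or an error ntopng is logging after the connection is accepted.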


#8
Ok, so this is me leading us down a slight garden path.

I've been running a constant ping to some Google addresses and equally doing some traceroutes to validate whether internet connectivity is working from 192.168.200.110. I've been doing the same on the other subnet and that works fine.

What actually seems the case is that browsing is working after playing with the NAT rule.

I've made sure the firewall is disabled on 192.168.200.110, but still the same.

Would still like to know why ping and tracert are not working on an any rule, but you have been very generous with your time and I've had us going around in circles for a while.

The good news is the process and advice you have offered probably did the trick, so very much appreciated.
#9
Think I just got it working, I ticked the box in the NAT rule:

No XMLRPC Sync

It still doesn't seem to be pinging or doing a tracert but nslookup worked and can seem to browse webpages.

Let me do a little more testing
#10
That's the thing, only when I disable that NAT rule. Otherwise no, I see nothing.

Those entries in the screenshot from 192.168.200.110 in the live view show regularly until you enable the NAT?
#11
Just playing with that, but yep! Set it back to 'WAN Address' all entries stop showing up from that subnet in the live view?
#12
I do, but I had to turn off the NAT for that subnet 192.168.200.x/24. If I leave it enabled nothing shows in the live view from 192.168.200.110.

Image below with the NAT turned off:
#13
Tried that but doesn't seem to have helped.

I've attached the screenshots so that you can see, and the one you asked for.

No other checkboxes that I can think of; it's pretty much as it was out of the box. Strange, right? It should be a fairly simple thing to be able to do?

Probably going to be some kind of checkbox?
#14
That thought had crossed my mind, but there isn't the option for just 'WAN' like auto-rules? See image below.

It's strange. The routing is OK, the firewall rules seem OK and are being accepted, and the NAT is there, but it is the firewall that is blocking it?
#15
Thanks for getting back so quick.

Apologies, I can see why that was probably confusing.

I've added a diagram, and the route that points 192.168.200.x/24 to the internal router 192.168.0.250. I've also shown that I have an outbound NAT for the 192.168.200.x/24 network, which I originally thought might be the issue; could it be the way I've created it?

Anyway, hope that helps.

Many thanks
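The setup described in the thread, a subnet (192.168.200.0/24) that sits behind an internal router (192.168.0.250) on the LAN, has two pieces that must both be right: the outbound NAT rule on WAN for that subnet, and the static route back to the internal router so replies do not follow the default route out of WAN. The script below is an added model of that forwarding logic (not OPNsense's or pf's code) that walks a packet from 192.168.200.110 out and its reply back, once with the static route and once without. The subnet, host and internal router address come from the thread; the WAN address 203.0.113.10, the WAN gateway 203.0.113.1 and the interface names are constructed placeholders.

```python
"""Minimal model of longest-prefix routing plus outbound NAT, to show why
a subnet behind an internal router needs both an outbound NAT rule and a
static route. Added example; WAN-side addresses are constructed.
"""
import ipaddress

# Constructed topology. Addresses on the LAN side are those named in the thread.
ROUTES = [  # (destination network, gateway or None if directly connected, interface)
    ("0.0.0.0/0", "203.0.113.1", "wan"),          # default route via ISP gateway
    ("192.168.0.0/24", None, "lan"),               # directly connected LAN
    ("192.168.200.0/24", "192.168.0.250", "lan"),  # static route to inner router
]
NAT_RULES = [  # (egress interface, source network, translate source to)
    ("wan", "192.168.0.0/24", "203.0.113.10"),
    ("wan", "192.168.200.0/24", "203.0.113.10"),   # the rule the thread is about
]


def lookup_route(routes, dst):
    """Longest-prefix match. Returns (next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return best[1] or str(dst), best[2]   # directly connected: next hop is dst


def forward(routes, nat_rules, src, dst):
    """Forward one outbound packet, applying the first matching NAT rule on
    the chosen egress interface. Returns the decision plus the NAT state."""
    route = lookup_route(routes, dst)
    if route is None:
        return {"forwarded": False, "reason": "no route"}
    next_hop, iface = route
    new_src = src
    for rule_iface, rule_net, nat_to in nat_rules:
        if rule_iface == iface and ipaddress.ip_address(src) in ipaddress.ip_network(rule_net):
            new_src = nat_to
            break
    state = {"orig_src": src, "nat_src": new_src, "dst": dst}
    return {"forwarded": True, "iface": iface, "next_hop": next_hop,
            "src": new_src, "state": state}


def reply(routes, state, src):
    """Handle the reply to a NATed flow: undo the translation using the saved
    state, then route the packet to the original inner host."""
    if src != state["dst"]:
        return {"forwarded": False, "reason": "no matching state"}
    inner_dst = state["orig_src"]
    route = lookup_route(routes, inner_dst)
    if route is None:
        return {"forwarded": False, "reason": "no route back"}
    next_hop, iface = route
    return {"forwarded": True, "iface": iface, "next_hop": next_hop, "dst": inner_dst}


if __name__ == "__main__":
    out = forward(ROUTES, NAT_RULES, "192.168.200.110", "8.8.8.8")
    print("out:", out["iface"], out["next_hop"], "src", out["src"])
    print("back:", reply(ROUTES, out["state"], "8.8.8.8"))
    without_static = [r for r in ROUTES if r[0] != "192.168.200.0/24"]
    print("back, no static route:", reply(without_static, out["state"], "8.8.8.8"))
```

With the static route the reply is handed to 192.168.0.250 on the LAN interface; without it the reply's destination 192.168.200.110 only matches the default route and is sent back out of WAN, which is the classic symptom of a subnet behind an internal router that can reach the firewall but gets nothing back. The model also makes the asymmetry visible: the forward packet arrives from 192.168.0.250 on LAN, so the LAN rules and the WAN outbound NAT rule must both cover 192.168.200.0/24, not just 192.168.0.0/24.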