Messages - rt89

#1
Hello,

I am trying to set up a firewall in my network using Proxmox Virtual Environment (PVE 6.4-13) and OPNsense 21.7.1.
My network configuration is completely based on the lab network in the book "Practical OPNsense", 3rd edition, available at https://practical-opnsense.github.io/network_diagram.png

I am only interested in RT-core, RT-1 and labsrv.
I installed these 3 VMs and performed some tests:

root@tr-rt-core:~ # ping -c 2 198.51.100.1 -> ok
root@tr-rt-1:~ # ping -c2 198.51.100.6 -> ok
tr-labsrv:~$ ping -c2 10.4.1.1 -> ok
root@tr-rt-1:~ # ping -c2 10.4.1.7 -> ok
root@tr-rt-1:~ # nc -vz 10.4.1.7 80
  Connection to 10.4.1.7 80 port [tcp/http] succeeded!

root@tr-rt-1:~ # curl --head http://10.4.1.7
  HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 02 Nov 2021 10:46:20 GMT
  Content-Type: text/html

1:1 NAT configuration:
  1. Virtual IP added in Interfaces: Virtual IPs: Settings: interface WAN1, mode IP alias, address 198.51.100.7/24
  2. WAN1: NAT rule added in Firewall: NAT: One-to-One: external network 198.51.100.7, source 10.4.1.7/24, destination any
  3. WAN1: firewall rule added in Firewall: Rules: WAN1: action pass, direction in, protocol TCP, source any, destination 10.4.1.7, destination port HTTP, log

Test:
root@tr-rt-core:~ # curl --head http://198.51.100.7
curl: (28) Failed to connect to 198.51.100.7 port 80 after 75061 ms: Operation timed out

Log files:

root@tr-rt-1:~ # tail -f /var/log/filter/filter_20211108.log | grep tcp
Nov  9 09:06:23 tr-rt-1.mydomain.com filterlog[25220]: 82,,,4be542e5a1205456ac7c9a8d1ae07a3f,vtnet4,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.6,10.4.1.7,60013,80,0,S,1295215523,,65228,,mss;nop;wscale;sackOK;TS
Nov  9 09:06:23 tr-rt-1.mydomain.com filterlog[25220]: 94,,,11bc15649131440ccf0d0ea7ff44c37a,vtnet2,match,pass,out,4,0x0,,63,0,0,DF,6,tcp,60,198.51.100.6,10.4.1.7,60013,80,0,S,1295215523,,65228,,mss;nop;wscale;sackOK;TS

Packets are leaving the DMZ interface correctly...
But the nginx server does not receive the request:
tr-labsrv:/var/log/nginx$ sudo tail -f *.log  -> nothing

root@tr-rt-1:~ # tcpdump -i vtnet2 -c 50 -n --number
15:30:21.611152 IP 198.51.100.6.54681 > 10.4.1.7.80: Flags [S], seq 2354946915, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1102083325 ecr 0], length 0

tr-labsrv:~$ sudo tcpdump -i ens18 -c 50 -n --number
15:30:20.162696 IP 198.51.100.6.54681 > 10.4.1.7.80: Flags [S], seq 2354946915, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1102083325 ecr 0], length 0

I do not understand what happens.
Would you help please?

Thanks

Configuration: other information

OPNsense 21.7.4-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

Proxmox:
pve 6.4-13
firewall disabled on all VMs, node and datacenter
NAT table empty
cat /proc/sys/net/ipv4/ip_forward -> 1


VM configuration
tr-rt-1
•   net0 -> vmbr101 -> virtio=EE:FF:9B:0C:D3:66 -> vtnet0 -> LAN -> 10.1.1.1
•   net1 -> vmbr0 -> virtio=2E:53:9D:E9:27:FB -> vtnet1 -> ADM -> management network
•   net3 -> vmbr104 -> virtio=EA:D4:52:8F:6F:50 -> vtnet2 -> DMZ -> 10.4.1.1
•   net4 -> vmbr192 -> virtio=42:E7:D4:C3:5B:9A -> vtnet3 -> WAN2 -> 192.0.2.1
•   net5 -> vmbr198 -> virtio=8E:E0:99:D1:5B:08 -> vtnet4 -> WAN1 -> 198.51.100.1
tr-rt-core
•   net0 -> vmbr198 -> virtio=9A:A0:EB:C0:42:EF -> vtnet0 -> WAN1 -> 198.51.100.6
•   net1 -> vmbr192 -> virtio=C2:16:AE:8D:1B:C1 -> vtnet1 -> WAN2 -> 192.0.2.6
•   net2 -> vmbr0 -> virtio=8E:34:13:7C:4A:F6 -> vtnet2 -> ADM -> management network
labsrv
•   nginx installed, listening on port 80
•   net0 -> vmbr104 -> virtio=12:F1:8A:B9:9C:4C -> 10.4.1.7
•   net1 -> vmbr0 -> virtio=82:D2:55:AF:FD:87 -> management network
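The two filterlog lines quoted in the post are the firewall-side evidence for what happened to the SYN: pf applies one-to-one (binat) and rdr translation before the filter runs, so the inbound WAN1 record already carries the internal address 10.4.1.7 as destination, and the outbound DMZ record shows the external source 198.51.100.6 left untouched. The following script, an added example that is not code from the post or from the OPNsense project, parses filterlog lines by the filterlog(8) CSV field order, groups records by 5-tuple, and reports for an inbound 1:1 NAT flow whether the destination was rewritten and the packet forwarded, and which address the DMZ host will have to route its reply to. The interface names (vtnet4 = WAN1, vtnet2 = DMZ) come from the post; the third log line is constructed to show what an unmatched 1:1 NAT looks like (public destination still 198.51.100.7, caught by a block rule).

```python
"""Trace a TCP flow through OPNsense filterlog records and sanity-check a 1:1 NAT.

Added example, not part of the forum post or of OPNsense.  Field order follows
the filterlog(8) CSV layout: rule number, sub-rule, anchor, rule id, interface,
reason, action, direction, IP version, then the IPv4 header fields, then the
TCP/UDP fields.  Only IPv4 TCP/UDP records are parsed.
"""
import re
from collections import defaultdict

# Syslog prefix in front of the CSV payload:
# "Nov  9 09:06:23 tr-rt-1.mydomain.com filterlog[25220]: 82,,,..."
_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) filterlog\[\d+\]: (?P<csv>.*)$"
)
_COMMON = ["rulenr", "subrulenr", "anchor", "rid", "iface", "reason", "action", "dir", "ipver"]
_IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto", "protoname", "length", "src", "dst"]
_TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
_UDP = ["sport", "dport", "datalen"]

# The two lines from the post (WAN1 = vtnet4, DMZ = vtnet2) plus one constructed line
# (not from the post) showing an inbound SYN whose destination was NOT translated.
SAMPLE_LOG = [
    "Nov  9 09:06:23 tr-rt-1.mydomain.com filterlog[25220]: 82,,,4be542e5a1205456ac7c9a8d1ae07a3f,vtnet4,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.6,10.4.1.7,60013,80,0,S,1295215523,,65228,,mss;nop;wscale;sackOK;TS",
    "Nov  9 09:06:23 tr-rt-1.mydomain.com filterlog[25220]: 94,,,11bc15649131440ccf0d0ea7ff44c37a,vtnet2,match,pass,out,4,0x0,,63,0,0,DF,6,tcp,60,198.51.100.6,10.4.1.7,60013,80,0,S,1295215523,,65228,,mss;nop;wscale;sackOK;TS",
    # constructed sample: public dst still 198.51.100.7, hit a block rule
    "Nov  9 09:07:01 tr-rt-1.mydomain.com filterlog[25220]: 1,,,00000000000000000000000000000000,vtnet4,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.6,198.51.100.7,60014,80,0,S,1,,65228,,mss;nop;wscale;sackOK;TS",
]


def parse_filterlog(line):
    """Return named fields for one filterlog line, or None if it is not an IPv4 TCP/UDP record."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields = m.group("csv").split(",")
    rec = dict(zip(_COMMON, fields[:9]))
    rest = fields[9:]
    if rec.get("ipver") != "4":
        return None  # IPv6 records use a different header layout; not handled here
    rec.update(zip(_IPV4, rest[:11]))
    rest = rest[11:]
    if rec.get("protoname") == "tcp":
        rec.update(zip(_TCP, rest[:9]))
    elif rec.get("protoname") == "udp":
        rec.update(zip(_UDP, rest[:3]))
    else:
        return None
    rec["ts"], rec["host"] = m.group("ts"), m.group("host")
    return rec


def trace_flows(lines):
    """Group parsed records by (proto, src, sport, dst, dport), keeping log order."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_filterlog(line)
        if rec:
            flows[(rec["protoname"], rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec)
    return dict(flows)


def check_one_to_one(hops, wan_iface, dmz_iface, internal_ip):
    """Judge an inbound 1:1 NAT flow from its WAN-in and DMZ-out records.

    pf translates before filtering, so a matching 1:1 NAT shows the internal
    address as dst already on the WAN-in record; the DMZ-out record keeps the
    external source, which is the address the DMZ host must route replies to.
    """
    result = {"translated": False, "forwarded": False, "reply_to": None, "notes": []}
    wan_in = [h for h in hops if h["iface"] == wan_iface and h["dir"] == "in"]
    dmz_out = [h for h in hops if h["iface"] == dmz_iface and h["dir"] == "out"]
    if not wan_in:
        result["notes"].append(f"no inbound record on {wan_iface}: no logging rule matched")
        return result
    w = wan_in[0]
    if w["action"] != "pass":
        result["notes"].append(f"{wan_iface} in: {w['action']} by rule {w['rulenr']}")
    result["translated"] = w["dst"] == internal_ip
    if not result["translated"]:
        result["notes"].append(f"{wan_iface} in: dst {w['dst']} not rewritten to {internal_ip}; 1:1 NAT did not match")
        return result
    if not dmz_out:
        result["notes"].append(f"no outbound record on {dmz_iface}: packet was not forwarded")
        return result
    d = dmz_out[0]
    result["forwarded"] = True
    result["reply_to"] = d["src"]
    result["notes"].append(
        f"{dmz_iface} out: src {d['src']} unchanged, so {internal_ip} must route replies to {d['src']} via the firewall"
    )
    if int(d["ttl"]) != int(w["ttl"]) - 1:
        result["notes"].append(f"TTL {w['ttl']} -> {d['ttl']}: not a single forwarding hop")
    return result


if __name__ == "__main__":
    for key, hops in trace_flows(SAMPLE_LOG).items():
        print("flow", key)
        for h in hops:
            print(f"  {h['iface']:6} {h['dir']:3} {h['action']:5} rule {h['rulenr']} ttl {h['ttl']} flags {h['tcpflags']}")
        for note in check_one_to_one(hops, "vtnet4", "vtnet2", "10.4.1.7")["notes"]:
            print("  ->", note)
```

What this trace can and cannot tell you: filterlog only records packets that match a rule with logging enabled, so the server's SYN-ACK, which would ride the state created by the pass rule, never appears here even when the handshake works. To see whether the DMZ host actually answers, capture on the DMZ side with `tcpdump -ni vtnet2 host 198.51.100.6` and look for the reverse direction; a SYN that arrives on the host with an untranslated source address must be answered through the host's route for that source, which is the reply path the firewall log cannot show.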