Traffic blocked by default deny rule
« on: September 14, 2022, 04:36:36 pm »
Hey everyone,
I'm currently stuck trying to get traffic to not be blocked by the default deny rule. I have the following setup:
- A Proxmox host which has multiple interfaces:
- red: 10.14.0.6/24 (attached to a physical port; the firewall gets 10.14.0.5 from a DHCP server I don't control)
- green: 10.0.254.1/16 (purely virtual; OPNsense has 10.0.0.254 set as a static IP)
Both of those interfaces are attached to the OPNsense VM; red is WAN and green is LAN. All other VMs are only attached to the green interface and their traffic is routed through OPNsense. They get their IPs from a DHCP server running on one of the VMs.
In addition to that, the Proxmox host runs a WireGuard server, which I use to access it from the outside. Through this WireGuard server, I want to be able to access all the VMs inside the 10.0.0.0/16 network. After creating a new gateway in OPNsense for the Proxmox host (10.0.254.1) and adding a route for 10.1.1.0/24 (the WireGuard network) via this gateway, I was able to ping all VMs.
But when I try to connect to them using SSH or HTTP, the request arrives at the server, but the response is blocked by the default deny rule. I have no idea why, or how to troubleshoot this further; I even tried to create a default allow rule, with no success.
When I manually add the route to a VM like so, `ip route add 10.1.1.0/24 via 10.0.254.1`, it works without a problem, because the traffic is not routed through OPNsense anymore.
I'd be happy about any ideas on how to solve this.
Regards,
Dorian
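The setup above has the request and the reply taking different paths: the WireGuard packet reaches the VM directly over the green bridge (the Proxmox host has 10.0.0.0/16 on-link), while the VM's reply goes to its default gateway, OPNsense, which has never seen the matching SYN. A stateful, pf-style firewall creates TCP state only from a SYN (pass rules default to `flags S/SA`), so a lone SYN-ACK matches neither state nor any pass rule and falls through to the default deny. The following is an added model of that behaviour, not code from the post or from OPNsense; the WireGuard peer 10.1.1.10, the VM 10.0.1.20 and the port numbers are assumed for illustration, the other addresses are the ones in the post.

```python
"""Toy model of a stateful firewall sitting on one leg of an asymmetric route.

Constructed example: nodes are plain IP strings with static routing tables,
and OPNsense is the only node that runs a (pf-style) stateful filter.
"""
import ipaddress

CLIENT = "10.1.1.10"     # assumed WireGuard peer address
PROXMOX = "10.0.254.1"   # host address on green (from the post)
OPNSENSE = "10.0.0.254"  # firewall address on green (from the post)
VM = "10.0.1.20"         # assumed VM address inside 10.0.0.0/16


class StatefulFirewall:
    """pf-style filter: a TCP pass rule only matches a bare SYN (flags S/SA),
    so state is created by the first SYN. Any other TCP segment must match
    existing state, otherwise it hits the default deny."""

    def __init__(self):
        self.states = set()

    def filter(self, src, sport, dst, dport, flags):
        key = frozenset({(src, sport), (dst, dport)})  # same key in both directions
        if key in self.states:
            return "pass (existing state)"
        if flags == "S":
            self.states.add(key)
            return "pass (new state)"
        return "block (default deny)"


def next_hop(routes, dst):
    """Longest-prefix match over [(prefix, gateway)]; gateway None = on-link."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def forward(tables, fw, src, sport, dst, dport, flags, start):
    """Walk a packet from `start` to `dst`; return (verdict, list of hops)."""
    node, path = start, [start]
    while node != dst:
        gw = next_hop(tables[node], dst)
        nxt = dst if gw is None else gw
        path.append(nxt)
        if nxt == OPNSENSE:  # only the firewall inspects traffic
            verdict = fw.filter(src, sport, dst, dport, flags)
            if verdict.startswith("block"):
                return verdict, path
        node = nxt
    return "delivered", path


def topology(vm_extra_routes=()):
    """Routing tables from the post; extra VM routes model the manual fix."""
    return {
        CLIENT:   [("0.0.0.0/0", PROXMOX)],
        PROXMOX:  [("10.1.1.0/24", None), ("10.0.0.0/16", None)],   # both on-link
        OPNSENSE: [("10.0.0.0/16", None), ("10.1.1.0/24", PROXMOX)],  # gateway + route
        VM:       [("10.0.0.0/16", None), ("0.0.0.0/0", OPNSENSE), *vm_extra_routes],
    }


def handshake(tables):
    """SYN from the WireGuard client, SYN-ACK back from the VM."""
    fw = StatefulFirewall()
    syn = forward(tables, fw, CLIENT, 51000, VM, 22, "S", CLIENT)
    synack = forward(tables, fw, VM, 22, CLIENT, 51000, "SA", VM)
    return syn, synack


if __name__ == "__main__":
    print("as posted:        ", handshake(topology()))
    print("VM route via host:", handshake(topology([("10.1.1.0/24", PROXMOX)])))
    symmetric = topology()  # what-if: host sends VM traffic through the firewall
    symmetric[PROXMOX] = [("10.1.1.0/24", None), ("10.0.0.0/16", OPNSENSE)]
    print("symmetric path:   ", handshake(symmetric))
```

The first run reproduces the symptom: the SYN is delivered without touching the firewall, and the SYN-ACK is blocked at OPNsense. The second run is the `ip route add` workaround from the post, where neither direction crosses the firewall. The third shows what a stateful firewall actually needs: both directions through the same box, so the SYN creates the state that lets the reply pass. A blanket allow rule does not change the first case in this model, because a SYN-ACK never matches a pass rule that only accepts SYNs.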