Messages - int_ar

#1
Hi,

I'll try to give a picture of my plan:

I have a network, separated into 8 VLANs. 4 of them are labeled as production, 4 as office.
Goal: I want to set up an OPNsense firewall between office and production, first with simple rules, upgrade to IDS/IPS later on the way.
The OPNsense will not serve as a NAT router; the internet access is handled by another (working) OPNsense

VLAN 1, 821, 940 and 800 are labeled production
VLAN 300,316,399 and 909 are office.

I have built an OPNsense with 2x 10GB SFP+ ports
on ix0 there's a switch, serving VLAN 316 (tagged), 399 (tagged) and 909 (tagged) and 300 untagged
on ix1 there's a switch serving VLAN 821 (tagged), 940 (tagged) and 800 (tagged) and 1 untagged

The "internet OPNsense" is in VLAN1

So basic setup
WAN --> ix1 with IP 192.168.206.251/24 (upstream OPNSense Gateway is 192.168.206.253/24)
LAN --> ix0 with IP 172.23.1.1
NAT: outbound NAT is disabled

For the problem, only VLAN 1 and VLAN300 are relevant, as I do not have any more clients by the time writing.

I set up 2 VMs, one in VLAN1 and one in VLAN300 (IPs: 192.168.206.20 and 172.23.1.200)
Both VMs are using the OPNsense IPs as gateway.

In LAN there are the following services needed to be reached from WAN/Production
DNS on 172.23.1.10
ICMP on 172.23.1.10 (for diagnostic purposes)
SMB on 172.23.1.200
SMB on 192.168.206.20 from Office nets

So I created the following ruleset:
Interface WAN
Protocol IPv4 UDP
Source Alias for 192.168.206.20/32
Destination 172.23.1.10/32
Port: 53

Interface WAN
Protocol IPv4 ICMP
Source Alias for 192.168.206.20/32
Destination 172.23.1.10/32
Port: any

These rules work as they should, DNS queries from VLAN1 work

So I added the next rule
Interface WAN
Protocol IPv4 ICMP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: any

To check if the SMB server is reachable from VLAN1 via Ping: works
So I added the SMB rules:
Interface WAN
Protocol IPv4 TCP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 445

Interface WAN
Protocol IPv4 UDP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 137

Interface WAN
Protocol IPv4 UDP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 138

Interface WAN
Protocol IPv4 TCP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 137

Interface WAN
Protocol IPv4 TCP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 139

and
Interface WAN
Protocol IPv4 TCP
Source Alias for 192.168.206.20/32
Destination 172.23.1.200/32
Port: 443
for SMB over QUIC

The same ruleset is in Interface LAN with Source and destination switched.

I hope this is clear till now.

From LAN interface to WAN Interface (means: SMB from 172.23.1.200 to 192.168.206.20) works
From WAN interface to LAN Interface (means: SMB from 192.168.206.20 to 172.23.1.200 ) does not work

There are no dropped packets in the live view, so I do not really get a hint what's not working. Actually all packets show up as expected
If I deactivate the packet filter in Firewall / Settings / Advanced it works both ways.

Windows Firewall is deactivated on both sides to rule out the problem

How can I get an idea what's causing the problem?
Windows Error Reporting says: SMB share is online but not responding
On each interface the "Block private networks" setting is disabled

If there are any questions, I'll be happy to answer
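To make the behaviour of the ruleset above concrete, here is a small model of it: first-match evaluation per ingress interface with OPNsense's default deny, plus a minimal state table so that the reply half of an allowed flow passes without a rule on the other interface. This is an added example, not the poster's configuration or OPNsense/pf code; the hosts, ports and the "ephemeral" source ports are taken from the post or constructed for the demonstration, and `Filter`, `Flow` and `Rule` are names chosen here.

```python
"""Model of the posted OPNsense ruleset: first-match per interface, default
deny, and a state table that lets reply traffic pass without its own rule.
Added example; the rule list mirrors the post, the class names are ours."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    iface: str                 # interface the packet arrives on: "WAN" (ix1) or "LAN" (ix0)
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for ICMP
    sport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    src: str                   # CIDR (the alias from the post expanded to a /32)
    dst: str                   # CIDR
    dport: Optional[int]       # None means "any"

    def matches(self, f: Flow) -> bool:
        return (self.iface == f.iface and self.proto == f.proto
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))


# WAN-side rules exactly as listed in the post.
SRC = "192.168.206.20/32"
WAN_RULES: List[Rule] = [
    Rule("WAN", "udp",  SRC, "172.23.1.10/32",  53),
    Rule("WAN", "icmp", SRC, "172.23.1.10/32",  None),
    Rule("WAN", "icmp", SRC, "172.23.1.200/32", None),
    Rule("WAN", "tcp",  SRC, "172.23.1.200/32", 445),
    Rule("WAN", "udp",  SRC, "172.23.1.200/32", 137),
    Rule("WAN", "udp",  SRC, "172.23.1.200/32", 138),
    Rule("WAN", "tcp",  SRC, "172.23.1.200/32", 137),
    Rule("WAN", "tcp",  SRC, "172.23.1.200/32", 139),
    Rule("WAN", "tcp",  SRC, "172.23.1.200/32", 443),
]
# "The same ruleset is in Interface LAN with Source and destination switched."
LAN_RULES: List[Rule] = [Rule("LAN", r.proto, r.dst, r.src, r.dport) for r in WAN_RULES]
RULES: List[Rule] = WAN_RULES + LAN_RULES


class Filter:
    """Stateful first-match filter. States are keyed on the 5-tuple of the
    packet that created them; a packet whose reversed 5-tuple is in the
    table is a reply and passes without consulting the rules."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()

    @staticmethod
    def _key(f: Flow):
        return (f.proto, f.src, f.sport, f.dst, f.dport)

    def decide(self, f: Flow) -> str:
        # 1. reply of an already-allowed flow: matched by state, no rule needed
        reverse = (f.proto, f.dst, f.dport, f.src, f.sport)
        if reverse in self.states:
            return "pass (state)"
        # 2. first matching rule on the ingress interface wins
        for r in self.rules:
            if r.matches(f):
                self.states.add(self._key(f))
                return f"pass ({r.iface} {r.proto} dport={r.dport})"
        # 3. nothing matched: OPNsense's implicit default is to block
        return "block (default deny)"


if __name__ == "__main__":
    fw = Filter(RULES)
    smb_syn = Flow("WAN", "tcp", "192.168.206.20", "172.23.1.200", dport=445, sport=50001)
    smb_reply = Flow("LAN", "tcp", "172.23.1.200", "192.168.206.20", dport=50001, sport=445)
    print(smb_syn, "->", fw.decide(smb_syn))
    print(smb_reply, "->", fw.decide(smb_reply))
```

The point the model makes is that the reply packets from 172.23.1.200:445 back to an ephemeral port on 192.168.206.20 are only passed because of the state the SYN created; the mirrored LAN rules (destination port 445) never match them. On the real firewall the state entries can be inspected with `pfctl -ss` on the OPNsense shell, which is a useful place to look when the live view shows no drops but the session still hangs.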
#2
Good morning,

actually I don't get my head around this problem. I am aware that this also might be a provider issue, but I'd like to solve this "the opnsense way"

Basics:
I have an OPNsense 23.7.1-amd64 on bare metal with 5 NICs, 2x WAN, 1x LAN, 1x DMZ and 1x guest network.
The WAN sides are 2x fiber with a /29 and a /28 IPv4 network and a /64 and a /48 IPv6 network.
I have a 2nd virtualized OPNsense (23.7.2-amd64) with the same NICs (just virtualized) on Hyper-V (if that matters)

The whole configuration runs as an HA cluster with CARP addresses. This works so far, even with outgoing NAT, so that my external IP is always the CARP address of one of the WAN connections (depending on which one is active) and also incoming services that are on the CARP addresses. So far so good


There is a PBX in the network that connects to a SIP trunk, using a single CARP IP from the /28 IPv4 network for incoming and outgoing traffic. No other services are incoming and/or outgoing on this IP, but only the NAT ports forwarded that are necessary according to the manufacturer are incoming (i.e. no 1:1 NAT).
This works very well, BUT

Basically, the system works as long as the primary firewall is active. If the secondary (i.e. the virtualized one) takes over, the telephone system loses connectivity. It has internet access and all, but it takes about 20-25min before it can log on to the SIP trunk again - I assume that's the way the SIP trunk provider (Vodafone, if that matters, fiber optic connections (both) also Vodafone) wants it, since the MAC address changes on the WAN connection. I had a similar issue on another site where I changed firewall from Sophos to OPNsense (and back to Sophos for other reasons) - after each change the SIP trunk registration was unavailable for 20 to 25 minutes

How to deal with this? Just for fun, I set the MAC address of the failover WAN interface to the MAC of the WAN interface of the primary firewall with the result that nothing worked at all on the failover, I assume because both firewalls connect to the same modem.
Does anyone have an idea? Or am I on the wrong track?
I am aware, in case of a failover, that connections might drop, but not the whole registration - I mean providing (internet) telephony was kind of a target by making the internet highly available.

Greetings from Germany
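CARP (like VRRP, RFC 5798) answers ARP for a virtual IP with the virtual MAC 00:00:5e:00:01:&lt;VHID&gt; rather than with the physical NIC's address, so one thing worth verifying in a failover scenario like the one above is which MAC the upstream side has actually learned for the WAN CARP address. The script below is an added example, not the poster's setup or OPNsense code: it derives the virtual MAC from a VHID and checks a neighbour's ARP table (in FreeBSD `arp -an` format) for whether the VIP is bound to that virtual MAC or to a physical one. The VHID, the addresses and the ARP lines are all constructed for the demonstration.

```python
"""Check whether an upstream neighbour has the CARP VIP bound to the CARP
virtual MAC (stable across failover) or to a physical NIC MAC.
Added example; VHID, addresses and ARP output below are constructed."""
import re
from typing import Dict


def carp_mac(vhid: int) -> str:
    """Virtual MAC used by CARP/VRRP for a given VHID: 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be between 1 and 255")
    return f"00:00:5e:00:01:{vhid:02x}"


# Matches lines such as:  ? (192.0.2.10) at 00:00:5e:00:01:05 on vtnet0 ...
_ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")


def parse_arp(text: str) -> Dict[str, str]:
    """Map IPv4 address -> lowercase MAC from `arp -an` style output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def vip_binding(arp_text: str, vip: str, vhid: int) -> str:
    """'virtual' if the VIP resolves to the CARP MAC for this VHID,
    'physical' if it resolves to some other MAC, 'absent' if not in the table."""
    table = parse_arp(arp_text)
    mac = table.get(vip)
    if mac is None:
        return "absent"
    return "virtual" if mac == carp_mac(vhid) else "physical"


# Constructed ARP table of an upstream neighbour (RFC 5737 documentation addresses).
# 192.0.2.10 is the WAN CARP VIP with VHID 5; the other two are the physical NICs.
SAMPLE_ARP = """\
? (192.0.2.10) at 00:00:5e:00:01:05 on vtnet0 expires in 1171 seconds [ethernet]
? (192.0.2.11) at 52:54:00:aa:bb:01 on vtnet0 expires in 900 seconds [ethernet]
? (192.0.2.12) at 52:54:00:aa:bb:02 on vtnet0 expires in 880 seconds [ethernet]
"""

# Same table after a neighbour has cached the VIP against a physical MAC instead.
SAMPLE_ARP_STALE = SAMPLE_ARP.replace("00:00:5e:00:01:05", "52:54:00:aa:bb:01")


if __name__ == "__main__":
    print("CARP MAC for VHID 5:", carp_mac(5))
    print("VIP binding (healthy):", vip_binding(SAMPLE_ARP, "192.0.2.10", 5))
    print("VIP binding (stale):  ", vip_binding(SAMPLE_ARP_STALE, "192.0.2.10", 5))
```

If the upstream device keeps the VIP bound to the virtual MAC, the MAC it sees for the CARP address does not change when the backup takes over; if it shows a physical NIC address for the VIP, that is the first thing to investigate before attributing the outage to the provider. Note that this only covers what is visible via ARP; the source MAC on outgoing data frames is a separate question and is not checked here.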