Messages - StrataRocha

#1
The issue below was caused by LAN networking problems. I needed to configure the default gateway on the clients and the switch. After doing that, the port forwarding configuration on the firewall worked perfectly.


I'm working with a network such as the following.

             __   _
           _(  )_( )_
          (_   _    _) Internet
            (_) (__)
              |
          .---'--------------.   
          | Company Firewall |
          '---.--------------'
              |
              |
          .---'--------------------------.
          | 192.168.100.0/24 WAN Network |
          '------.-----------------------'
                 |
                 | WAN (WAN_EXTERNAL)
  .--------------'------------------------------.
  |           192.168.100.92                    |
  |          OPNsense Firewall                  |
  | 192.168.1.1                      172.16.0.6 |
  '----.-----------------------------------.----'
       | LAN                               | LAN_ADMIN
       | (LAN_MGMT)                        | (opt1)
.------'---------------------.    .---------------------------------.
| 192.168.1.0/24 LAN Network |    | 172.16.0.0/24 ADMIN-LAN Network |
'----------------------------'    '---------------------------------'


I have an OPNsense Firewall deployed in the lab.

The WAN side of the OPNsense Firewall is our internal company network that is protected from the Internet by the Company Firewall.

The OPNsense Firewall's LAN interface is only used for management. It's a copper network with basically one computer connected to interface with it.

I've added a LAN_ADMIN interface on OPT1, which is a fiber network.

The LAN_ADMIN interface has all the same firewall rules as the LAN interface, adjusted appropriately. (i.e. Default allow LAN_ADMIN to any for IPv4 and IPv6).

I want to enable port forwarding so that doing ssh from the 192.168.100.0/24 network (WAN) to the OPNsense Firewall is actually port forwarded to doing ssh on 172.16.0.2 in the LAN_ADMIN interface.

i.e.
ssh 192.168.100.92 is port forwarded to ssh 172.16.0.2

I've followed this guide but it's not working for me.

The ssh attempt fails with the message "Connection timed out".

An example of the error follows:


C:\Users\rocha\Desktop>ssh -vvvv 192.168.100.92
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug3: Failed to open file:C:/Users/rocha/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 192.168.100.92 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\Users\\rocha/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\Users\\rocha/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.100.92 [192.168.100.92] port 22.
debug3: finish_connect - ERROR: async io completed with error: 10060, io:0000020C20C216E0
debug1: connect to address 192.168.100.92 port 22: Connection timed out
ssh: connect to host 192.168.100.92 port 22: Connection timed out



Additional Configuration Information (Firewall : Settings : Advanced)

Reflection for port forwards : Enabled
Reflection for 1:1: Disabled
Automatic outbound NAT for Reflection: Enabled
Disable reply-to: Enabled


Log information (Firewall : Log Files : Live View)

When the ssh is started, I see the following entries in the logs:

Interface      Time                       Source                Destination          Proto  Label
WAN_EXTERNAL   2024-07-09T13:49:23-07:00  192.168.100.92:123    198.137.202.32:123   udp    let out anything from firewall host itself (force gw)   
LAN_ADMIN      2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    let out anything from firewall host itself   
WAN_EXTERNAL   2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    FORWARD SSH TO NODE ON ADMIN LAN   
WAN_EXTERNAL   2024-07-09T13:49:14-07:00  192.168.200.44:54263  192.168.100.92:22    tcp    rdr rule


Any tips or suggestions for how to proceed would be appreciated.
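As an added diagnostic example (not from the original post or from OPNsense itself), a small Python script that parses Live View lines in the layout quoted above, constructed here from the same entries, and reports how far the forwarded SSH SYN got through the NAT rule, the pass rule and the LAN-side interface. The interface names and addresses are taken from the post.

```python
import re

# Constructed sample, in the same layout as the Live View table quoted in the post
LIVE_VIEW = """\
Interface      Time                       Source                Destination          Proto  Label
WAN_EXTERNAL   2024-07-09T13:49:23-07:00  192.168.100.92:123    198.137.202.32:123   udp    let out anything from firewall host itself (force gw)
LAN_ADMIN      2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    let out anything from firewall host itself
WAN_EXTERNAL   2024-07-09T13:49:14-07:00  192.168.200.44:54263  172.16.0.2:22        tcp    FORWARD SSH TO NODE ON ADMIN LAN
WAN_EXTERNAL   2024-07-09T13:49:14-07:00  192.168.200.44:54263  192.168.100.92:22    tcp    rdr rule
"""

# interface, time, src:port, dst:port, proto, label (the label may contain spaces)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(.*?)\s*$")

def parse_live_view(text):
    """Turn the copied Live View table (header line first) into a list of dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if m:
            iface, ts, src, sport, dst, dport, proto, label = m.groups()
            rows.append({"iface": iface, "time": ts, "src": src, "sport": int(sport),
                         "dst": dst, "dport": int(dport), "proto": proto, "label": label})
    return rows

def trace_forward(rows, client, wan_ip, target, wan_iface, port=22):
    """Report which stages of the port forward the client's TCP SYN was logged at."""
    flow = [r for r in rows if r["src"] == client and r["proto"] == "tcp" and r["dport"] == port]
    lan_hops = [r["iface"] for r in flow if r["dst"] == target and r["iface"] != wan_iface]
    return {
        # 1. the NAT (rdr) rule rewrote wan_ip:port to the target
        "rdr_matched": any(r["dst"] == wan_ip and r["label"] == "rdr rule" for r in flow),
        # 2. the associated pass rule accepted the rewritten packet on the WAN side
        "forward_rule_passed": any(r["dst"] == target and r["iface"] == wan_iface for r in flow),
        # 3. the packet was sent out on a LAN-side interface towards the target
        "left_on_lan_iface": lan_hops[0] if lan_hops else None,
    }

def diagnose(stages):
    """Map the first stage that was missed to the place to look next."""
    if not stages["rdr_matched"]:
        return "rdr rule never matched: check the port forward's interface, destination and port"
    if not stages["forward_rule_passed"]:
        return "rdr matched but no pass rule hit: verify the firewall rule associated with the NAT entry"
    if stages["left_on_lan_iface"] is None:
        return "passed on WAN but never sent out a LAN interface: check interface assignment and routing"
    return (f"firewall forwarded the SYN out {stages['left_on_lan_iface']}; a client timeout now points "
            "past the firewall, e.g. the target host's default gateway / return route")
```

Run against the entries from the post it reports that the SYN left on LAN_ADMIN, which matches the thread's eventual finding that the missing piece was the default gateway on the LAN side rather than the firewall rules.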
#2
Thank you Patrick.

Your tip prompted me to search the forum for "reply-to" and I found the thread "Reply-to on WAN by default is bogus" at https://forum.opnsense.org/index.php?topic=15900.

Which pretty much explained my situation, along with some other unexpected behavior.

I've disabled the setting and am happy to report that DHCP assigned WAN interface is now working from all my desired locations.
#3
Hello,

I'm having a challenge that I just don't know how to resolve/debug.

I am enabling the ability to access the web management interface from the WAN. (Yes, I know this is not the most secure way to do this. We're using the firewall in our internal network behind another firewall. We're not worried about the security aspect at this point.)

The WAN interface has the following rule to allow this:

Action: Pass
Protocol: TCP
Source: any
Destination: This Firewall
Destination port: HTTPS
Log: Enabled


We also have two subnets in the WAN space 192.168.100.0/24 and 192.168.200.0/24 that may need to access the web configuration.

The accessibility of the WEB interface changes based on how the IP address is assigned.

Our DHCP is configured so that the WAN interface always gets the address 192.168.100.92.

If the WAN interface is configured to use DHCP then it is accessible from 192.168.200, but it is NOT accessible from 192.168.100.

If I change the WAN interface to use static, and use the SAME address (192.168.100.92), then it is NOT accessible from 192.168.200 but it IS accessible from 192.168.100.


If it is configured as    192.168.100      192.168.200
----------------------    --------------   ---------------
192.168.100.92 static     accessible       NOT accessible
192.168.100.92 dhcp       NOT accessible   accessible


I am baffled by this because nodes in 192.168.100 can ping nodes in 192.168.200 and vice versa, and I don't know why static vs dhcp configuration would have an impact like this.

Any clues, thoughts or tips would be greatly appreciated.