Messages - whiteoak

#1
Thanks again for your help and time.
#2
Brilliant! I forgot I can get to the console by plugging in to HDMI. The Proxmox address was 10.0.0.7/24(!) and my laptop was getting a 10.0.128.x address via DHCP. I set a 1.0.0.x static IP on my laptop and can reach the UI now. Thank you for getting me unstuck with this, meyergru.

I'm interested to learn a bit more about what's going on here. So was it Proxmox dropping the connection or OPNsense? And why would OPNsense show matches to the default deny, but in the case where I added an explicit block to Proxmox, it would show that one as matching?
#3
1. Yes, the Orbi was my internet gateway during initial setup: ONT -> Orbi -> MiniPC on ETH1. I created two more bridges, one to be used for WAN and another for VLANs. Then I installed OPNsense, disconnected the Orbi and connected my laptop to ETH1 to configure OPNsense. Then I changed the Orbi to AP mode and set it up: ONT -> MiniPC -> Orbi.

2. Since I don't have access to Proxmox I can't double check this, but I believe OPNsense LAN is connected to vmbr0 and WAN is connected to vmbr1. Proxmox is also connected to vmbr0.

How would I be able to diagnose if there is an IP collision or broadcast storm? Pings are reaching 10.0.0.7. 10.0.0.7 is seemingly reaching out to NTP. I have connectivity through the AP to the internet.

#4
Keep in mind I'm pretty new to all this and I don't have access to Proxmox to verify some of what I'm about to say.

I set up Proxmox with my mini PC connected to my Orbi router. It got 10.0.0.7 via DHCP during setup from that router and set that as the static IP. The OPNsense ARP table has a Changwang Technology inc. MAC address for 10.0.0.7. What else can I look at?

Also, I'm not sure how OPNsense rules work, but it doesn't make sense that I would see a Block for my 10.0.0.7 rule, but then when I change the action to Pass it hits the default deny instead.
#5
In the rules.jpg screenshot I posted, I have the Pass for Proxmox before the Block. In this case it blocks on the default deny. If I flip the order so the Proxmox block is first, then that block hits rather than the default deny. They are copies of each other so I expected them to match in the same way. The only difference is the Action.
#6
Sorry typo! 10.0.0.7. Fixed above.
#7
As far as I know, 10.0.0.7 is Proxmox and 10.0.0.1 is OPNsense. Before setting up OPNsense, https://10.0.0.7:8006 is what I used to connect to the Proxmox web UI and https://10.0.0.1 is what I connect to to get to the OPNsense UI. It's very possible I messed something up and right now I can't get to Proxmox, so I can't check how that's set up.

I didn't think I needed any rules and everything else is working as expected:

  1. 10.0.0.7 (Proxmox) is passing to NTP through OPNsense (via Default allow LAN to any rule)
  2. Ping from my laptop is reaching 10.0.0.7 and getting a response.

What I don't understand is:

  1. Without any additional rules, laptop to 10.0.0.7:8006 is blocked via Default deny / state violation rule
  2. When I add an explicit instant first Pass for 10.0.0.7:8006 it doesn't seem to hit and it still gets blocked by the default deny
  3. When I add an explicit instant first Block for 10.0.0.7:8006 it does hit

I feel like I'm at the end of what I can figure out and, if nothing else, might wipe everything and restart.
#8
I'm very new to using OPNsense. I followed https://www.youtube.com/watch?v=VcTGKBHcqmk to set up Proxmox + OPNsense, but after getting everything set up, I lost access to the Proxmox web UI and SSH.

I'm trying to connect via:

Laptop → Orbi router in AP mode → Mini PC running Proxmox/OPNsense ETH1 bridged → Proxmox static 10.0.0.7

I can ping 10.0.0.7, and in the OPNsense logs I see calls out to NTP from 10.0.0.7. I also have an internet connection through OPNsense/Proxmox. But when I try to open the web UI or SSH, I hit the base rule "Default deny / state violation rule". I tried adding both an instant first match pass and a first match block rule specific to 10.0.0.7. The block rule hits, the pass does not as far as I can tell.