Messages - SuperModerate

#1
General Discussion / Re: Difficulty with DMZ traffic
November 14, 2024, 01:01:27 AM
Thanks for the replies team!

I was originally turned off by VLANs because I was told they could add unnecessary complications, but it looks like I may have done that by avoiding them  ::)

I'll have a look at both VLANs and RIP, this should be enough to get me unblocked, thanks!
#2
General Discussion / Difficulty with DMZ traffic
November 13, 2024, 03:59:08 AM
Hey everyone, I've been agonising over this for a couple of days now, hoping someone here can help me out.

I am trying to set up a couple of opnsense firewalls to create a secure internal network and DMZ environment.  The layout would be `Internet` -> `FW1` -> `DMZ` -> `FW2` -> `Internal Network`.

Eventually I would like to get physical devices for these firewalls but for now they are just running as VMs in Proxmox.  Relevant network details:
   - Proxmox host IP `192.168.50.31`
   - FW1 VM (In DMZ) LAN IP: `192.168.51.100`
   - FW2 VM (In Internal Network) LAN IP: `192.168.50.100`
   - FW2 VM WAN IP: `192.168.51.101`
   - Proxmox physical interfaces: `eno1` (1Gbps), `enp5s0` (2.5Gbps)
   - Proxmox virtual interfaces:
      - `vmbr0` (Linux bridge to enp5s0) used for the Internal Network - mapped to FW2 LAN interface
      - `vmbr1` used for the DMZ - mapped to FW2 WAN interface and FW1 LAN interface
      - `vmbr3` - (Linux bridge to eno1) - passed to FW1, unused at the moment but eventually will be connected to the WAN interface to access internet.
   - FW2 WAN interface (`192.168.51.101`) gateway set to FW1 LAN interface (`192.168.51.100`).
   - "Block private networks" unchecked on all interfaces on both FWs (will reenable where relevant once this issue is resolved)
   - NAT disabled on FW2

When I try to ping FW1 (`192.168.51.100`) from a machine on the `192.168.50.0/24` network, the ping manages to get through FW2 and to FW1 but FW1 drops it due to the "Default deny / state violation" rule.  I am struggling to determine why this rule is matching; my understanding is that just about everything coming in and then out of the LAN should be allowed by default.

At first I thought that this was something like asymmetric routing causing issues.  To diagnose this I tried to disable packet filtering entirely on FW1 to check that packets take the same route back to the host pinging the FW.  Unfortunately `traceroute` only shows the first hop (to FW2 LAN interface `192.168.50.100`), after that I just get (`* * *`).  In lieu of this I just checked the routing table and FW1 definitely sends traffic destined for `192.168.50.0/24` to `192.168.51.101`, which seems correct.

I should also mention that I am having trouble capturing packets, which is making diagnosis a little more difficult.  I'm not sure if I'm just using the tool wrong or what, but when I set up a packet capture and send a ping that definitely travels through the interface, nothing shows up in the console.

Apologies for the kinda long-winded post, I wanted to get all the details that might be relevant in.  Does anyone have any idea what the cause of this could be or how I can resolve it?  Or even how I can take further steps to diagnose, because I'm at a bit of a loss.
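One way to test the asymmetric-routing hypothesis raised in the post above is to capture on the Proxmox bridges themselves rather than inside the firewall VMs, then check for each ICMP echo whether the reply traversed the same bridges as the request. pf is stateful: a reply that arrives on an interface where no matching state was created is exactly what gets logged as a "Default deny / state violation". The script below is an added example for this thread (not the poster's code and not an OPNsense or Proxmox tool); the interface names, IPs and ICMP ids come from the lab described in the post, the capture text is constructed for the example, and the line format is a simplified rendering of `tcpdump -nn icmp` output with the bridge name prefixed to each line (for instance by running one `tcpdump` per bridge and piping through `sed 's/^/vmbr1 /'`).

```python
"""Spot asymmetric or unanswered ICMP echo flows in per-bridge tcpdump output.

Example code written for this forum thread; it is not the poster's tool and
not part of OPNsense or Proxmox.  Input lines are assumed to look like
    <bridge> [HH:MM:SS.ffffff] IP <src> > <dst>: ICMP echo request, id N, seq M, ...
i.e. `tcpdump -nn icmp` output with the capture interface prepended.
"""
import re
from collections import defaultdict

# Optional tcpdump timestamp is tolerated; anything that is not an ICMP echo
# request/reply line is ignored so ARP, TCP, etc. in the same capture are harmless.
LINE_RE = re.compile(
    r"^(?P<iface>\S+) (?:\d{2}:\d{2}:\d{2}\.\d+ )?IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample capture (not real output from the poster's lab).  A host on
# the internal network (here the Proxmox host 192.168.50.31, NAT disabled on FW2)
# pings FW1's LAN address.  Expected path: request vmbr0 -> vmbr1, reply back the
# same way.  seq 1 is healthy, seq 2 comes back out FW1's unused WAN bridge
# (asymmetric), seq 3 gets no reply at all (dropped somewhere).
SAMPLE = """\
vmbr0 IP 192.168.50.31 > 192.168.51.100: ICMP echo request, id 17, seq 1, length 64
vmbr1 IP 192.168.50.31 > 192.168.51.100: ICMP echo request, id 17, seq 1, length 64
vmbr1 IP 192.168.51.100 > 192.168.50.31: ICMP echo reply, id 17, seq 1, length 64
vmbr0 IP 192.168.51.100 > 192.168.50.31: ICMP echo reply, id 17, seq 1, length 64
vmbr0 IP 192.168.50.31 > 192.168.51.100: ICMP echo request, id 17, seq 2, length 64
vmbr1 IP 192.168.50.31 > 192.168.51.100: ICMP echo request, id 17, seq 2, length 64
vmbr3 IP 192.168.51.100 > 192.168.50.31: ICMP echo reply, id 17, seq 2, length 64
vmbr0 IP 192.168.50.31 > 192.168.51.100: ICMP echo request, id 17, seq 3, length 64
vmbr1 IP 192.168.50.31 > 192.168.51.100: ICMP echo request, id 17, seq 3, length 64
"""


def parse_echo_flows(capture: str) -> dict:
    """Group echo lines by (icmp id, seq).

    Returns {(id, seq): {"request": set_of_ifaces, "reply": set_of_ifaces}}.
    Sets are used because one packet is legitimately seen on every bridge it crosses.
    """
    flows = defaultdict(lambda: {"request": set(), "reply": set()})
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["id"]), int(m["seq"]))
        flows[key][m["kind"]].add(m["iface"])
    return dict(flows)


def find_asymmetric(capture: str) -> list:
    """Echoes whose reply crossed a different set of bridges than the request.

    Each entry is (id, seq, sorted request ifaces, sorted reply ifaces).  This is
    the pattern pf cannot match against its state table.
    """
    return sorted(
        (i, s, sorted(f["request"]), sorted(f["reply"]))
        for (i, s), f in parse_echo_flows(capture).items()
        if f["request"] and f["reply"] and f["request"] != f["reply"]
    )


def find_unanswered(capture: str) -> list:
    """Echoes that were seen going out but never came back: (id, seq) pairs."""
    return sorted(
        (i, s)
        for (i, s), f in parse_echo_flows(capture).items()
        if f["request"] and not f["reply"]
    )


if __name__ == "__main__":
    for i, s, req, rep in find_asymmetric(SAMPLE):
        print(f"id {i} seq {s}: request on {req}, reply on {rep}  <- asymmetric")
    for i, s in find_unanswered(SAMPLE):
        print(f"id {i} seq {s}: no reply seen on any bridge  <- dropped")
```

Run against real captures, a flow in `find_unanswered` with the request visible on `vmbr1` points at FW1 dropping it (the "state violation" the poster sees), while anything in `find_asymmetric` means the return path differs from the forward path and the fix is routing (or VLANs, as the replies suggested), not a firewall rule. Capturing on the bridges also sidesteps the empty-capture problem described in the post, since the Proxmox host sees every frame crossing `vmbr0` and `vmbr1` regardless of what the VMs' filters do.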