OPNsense

Messages - SuperModerate

General Discussion / Re: Difficulty with DMZ traffic
« on: November 14, 2024, 01:01:27 am »
Thanks for the replies team!

I was originally put off VLANs because I was told they could add unnecessary complications, but it looks like I may have done that by avoiding them ::)

I’ll have a look at both VLANs and RIP, this should be enough to get me unblocked, thanks!

General Discussion / Difficulty with DMZ traffic
« on: November 13, 2024, 03:59:08 am »
Hey everyone, I've been agonising over this for a couple of days now, hoping someone here can help me out.

I am trying to set up a couple of OPNsense firewalls to create a secure internal network and DMZ environment. The layout would be `Internet` -> `FW1` -> `DMZ` -> `FW2` -> `Internal Network`.

Eventually I would like to get physical devices for these firewalls, but for now they are just running as VMs in Proxmox. Relevant network details:
   - Proxmox host IP `192.168.50.31`
   - FW1 VM (In DMZ) LAN IP: `192.168.51.100`
   - FW2 VM (In Internal Network) LAN IP: `192.168.50.100`
   - FW2 VM WAN IP: `192.168.51.101`
   - Proxmox physical interfaces: `eno1` (1Gbps), `enp5s0` (2.5Gbps)
   - Proxmox virtual interfaces:
      - `vmbr0` (Linux bridge to enp5s0) used for the Internal Network - mapped to FW2 LAN interface
      - `vmbr1` used for the DMZ - mapped to FW2 WAN interface and FW1 LAN interface
      - `vmbr3` - (Linux bridge to eno1) - passed to FW1, unused at the moment but eventually will be connected to the WAN interface to access internet.
   - FW2 WAN interface (`192.168.51.101`) gateway set to FW1 LAN interface (`192.168.51.100`).
   - "Block private networks" unchecked on all interfaces on both FWs (will re-enable where relevant once this issue is resolved)
   - NAT disabled on FW2

When I try to ping FW1 (`192.168.51.100`) from a machine on the `192.168.50.0/24` network, the ping manages to get through FW2 and to FW1, but FW1 drops it due to the "Default deny / state violation" rule. I am struggling to determine why this rule is matching; my understanding is that just about everything coming in and then out of the LAN should be allowed by default.

At first I thought that this was something like asymmetric routing causing issues. To diagnose this I tried disabling packet filtering entirely on FW1 to check that packets take the same route back to the host pinging the FW. Unfortunately `traceroute` only shows the first hop (to the FW2 LAN interface, `192.168.50.100`); after that I just get `* * *`. In lieu of this I just checked the routing table, and FW1 definitely sends traffic destined for `192.168.50.0/24` to `192.168.51.101`, which seems correct.

I should also mention that I am having trouble capturing packets, which is making diagnosis a little more difficult. I'm not sure if I'm just using the tool wrong or what, but when I set up a packet capture and send a ping that definitely travels through the interface, nothing shows up in the console.

Apologies for the kind of long-winded post; I wanted to get all the details that might be relevant in. Does anyone have any idea what the cause of this could be, or how I can resolve it? Or even how I can take further steps to diagnose, because I'm at a bit of a loss.
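As an added worked example (not part of the original post, and not OPNsense project code), the script below models the two checks a practitioner would run against the topology described above: a pf-style first-match pass over FW1's LAN rule set, and a longest-prefix route lookup for FW1's echo reply. It assumes FW1 still carries the stock OPNsense LAN rules ("Default allow LAN to any rule", whose source is "LAN net", followed by the implicit "Default deny / state violation rule" named in the post's log), and it uses the addresses from the post. The extra allow rule, the rule labels as Python strings and the dataclasses are illustration-only assumptions; the stateful half of "state violation" (a mid-flow packet with no matching state entry) is not modelled.

```python
"""Toy model of how FW1 handles an ICMP echo from the internal network.

Added example for the forum thread, not code from the post or from OPNsense.
Assumed: stock OPNsense LAN rules (source = "LAN net"), first-match ("quick")
evaluation, and the addresses given in the post.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    label: str
    action: str                    # "pass" or "block"
    source: Optional[IPv4Network]  # None means "any"


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: Optional[IPv4Address]     # None means directly connected


# Addresses from the post.
FW1_LAN_IP = ip_address("192.168.51.100")
FW1_LAN_NET = ip_network("192.168.51.0/24")   # what "LAN net" expands to on FW1
FW2_WAN_IP = ip_address("192.168.51.101")
INTERNAL_NET = ip_network("192.168.50.0/24")


def stock_lan_rules(lan_net: IPv4Network) -> list[Rule]:
    """Assumed stock OPNsense LAN rule set: allow from LAN net, then the
    implicit catch-all deny that appears in the post's firewall log."""
    return [
        Rule("Default allow LAN to any rule", "pass", lan_net),
        Rule("Default deny / state violation rule", "block", None),
    ]


def first_match(rules: list[Rule], src: IPv4Address) -> Rule:
    """pf checks the first packet of a flow top-down; with 'quick' rules
    (the OPNsense default) the first matching rule decides."""
    for rule in rules:
        if rule.source is None or src in rule.source:
            return rule
    raise ValueError("rule set must end with a catch-all rule")


def lan_verdict(src: str, extra_rules: tuple[Rule, ...] = ()) -> tuple[str, str]:
    """(action, label) for a packet from `src` arriving on FW1's LAN.
    User-added rules are assumed to sit above the implicit deny."""
    stock = stock_lan_rules(FW1_LAN_NET)
    rules = stock[:-1] + list(extra_rules) + stock[-1:]
    rule = first_match(rules, ip_address(src))
    return rule.action, rule.label


def lookup(routes: list[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as the kernel forwarding table does."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def reply_next_hop(dst: str, with_static_route: bool) -> Optional[str]:
    """Where FW1 would send its echo reply. The post says FW1 has no WAN
    gateway yet, so without the static route to 192.168.50.0/24 via FW2's
    WAN address there is no route at all."""
    routes = [Route(FW1_LAN_NET, None)]
    if with_static_route:
        routes.append(Route(INTERNAL_NET, FW2_WAN_IP))
    r = lookup(routes, ip_address(dst))
    if r is None:
        return None
    return "connected" if r.via is None else str(r.via)


if __name__ == "__main__":
    # Echo from the internal network: source is outside "LAN net", so the
    # stock allow rule does not match and the packet falls through to the deny.
    print(lan_verdict("192.168.50.20"))
    # Echo from a host on FW1's own LAN: matched by the stock allow rule.
    print(lan_verdict("192.168.51.50"))
    # Hypothetical user rule allowing the internal net, placed above the deny.
    allow_internal = Rule("Allow internal net via FW2", "pass", INTERNAL_NET)
    print(lan_verdict("192.168.50.20", (allow_internal,)))
    # Return path for the reply with and without the static route.
    print(reply_next_hop("192.168.50.20", with_static_route=False))
    print(reply_next_hop("192.168.50.20", with_static_route=True))
```

The model separates the two questions that tend to get conflated when a ping dies at a second firewall: whether the inbound rule set accepts the packet at all (a source address that is not in the interface's own subnet does not match a "LAN net" source), and whether the reply has a route back. On a real box, `tcpdump -ni <lan-if> icmp and host <pinging-host>` from the shell on each firewall answers both questions directly.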

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved