Messages - pefen

#1
Thank you all for your advice. I'm a bit confused, I thought my scenario wasn't unusual and wouldn't require complicated solutions, but I guess I'm wrong.
#2
Thanks for the explanation. Since moving servers to a private network is not an option (due to Enhance control panel requirements for public IPs), is there a way to handle this asymmetric routing situation?
Specifically, can OPNsense be configured to properly handle state tracking when:

- Initial SYN packets go directly from gateway (.80) to servers
- Return traffic (SYN/ACK) goes through OPNsense (.85)

I understand this is not ideal, but disabling state tracking doesn't seem secure. Are there any settings for asymmetric routing that could help?
#3
I have the following setup:
- Proxmox host with a /29 public subnet (148.251.196.80/29)
- OPNsense VM: 148.251.196.85, gateway: 148.251.196.80
- Web servers VMs: .81, .82, .83 with gateway set to .85 (OPNsense)
- Single WAN interface, no LAN

The goal is to have all traffic from web servers pass through OPNsense for filtering before reaching the provider's gateway.

Issue:
- With state tracking set to "keep state", traffic gets blocked with "Default deny / state violation rule"
- Only works when state tracking is set to "none"
- Floating rules don't help
- Even with global setting "Firewall Optimization" set to "conservative"

Basic connectivity works (ping, web traffic) but I'd like to understand:
1. Why doesn't state tracking work in this setup?
2. Is using "none" state tracking a secure approach?
3. Is there a better way to achieve this?

Thank you for any insights.
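Added illustration, not from the thread or from OPNsense itself: a toy model of pf-style stateful filtering run over the asymmetric flow described in the post. The addresses are the ones given above; the client address and the packet trace are constructed, and "via" marks which host forwards each packet.

```python
# Added example, not from the thread: a toy model of pf-style stateful
# filtering, showing why OPNsense (.85) reports a state violation when it
# sees only one direction of a TCP connection. Addresses come from the
# post; the client address and packet trace are constructed.
from typing import NamedTuple

GATEWAY, FIREWALL, SERVER = "148.251.196.80", "148.251.196.85", "148.251.196.81"
CLIENT = "203.0.113.10"  # constructed (documentation range)

class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    via: str  # host that forwards this packet: GATEWAY or FIREWALL

def filter_trace(trace, mode):
    """Verdict per packet the firewall actually sees.

    "keep state": a flow must begin with a SYN seen by the firewall; any
    later packet without a state entry is dropped (pf: state violation).
    "none": rules match packets individually, so nothing is dropped here,
    but the firewall never learns which replies belong to a real flow.
    """
    states, verdicts = set(), []
    for p in trace:
        if p.via != FIREWALL:
            continue  # asymmetric path: this packet never reaches OPNsense
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if mode == "none":
            verdicts.append((p.flags, "pass (stateless)"))
        elif p.flags == "SYN":
            states.add(key)
            verdicts.append((p.flags, "pass, state created"))
        elif key in states:
            verdicts.append((p.flags, "pass, state matched"))
        else:
            verdicts.append((p.flags, "drop: state violation"))
    return verdicts

# Constructed trace: the inbound SYN is delivered by the gateway straight
# to the server, but the server's reply is routed through OPNsense.
ASYMMETRIC = [
    Packet(CLIENT, SERVER, 40000, 443, "SYN", GATEWAY),
    Packet(SERVER, CLIENT, 443, 40000, "SYN/ACK", FIREWALL),
    Packet(CLIENT, SERVER, 40000, 443, "ACK", GATEWAY),
]
# Same connection when both directions traverse the firewall.
SYMMETRIC = [p._replace(via=FIREWALL) for p in ASYMMETRIC]
```

Running `filter_trace(ASYMMETRIC, "keep state")` yields a single drop for the SYN/ACK, which is the "state violation" seen in the post, while the symmetric trace passes all three packets.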