
Messages - terry356

#1
Re: UPnP... I found some Cisco doc from 2020/21 that notes the Meraki MX68 did not support UPnP, so I must have set something else to enable it to work.

I did find a thread in the Netgate forums that had some good information related to the Meraki behind pfSense that I have not been able to find in other parts of the web related to OPNsense, but of everything in there, someone referenced resetting the state table... I did that and everything started working! I expect all my bumbling with turning rules on/off, making changes with 1:1 NAT, etc., made a mess of the state table.

This is the thread for reference, if someone else has one of these things in the future. I wish I had found it a week ago.

https://forum.netgate.com/topic/151649/pfsense-and-meraki-z3/8

Once it was working, I removed all the related stuff I had added in there until I was able to break it.

It seems I need to have 3 things set:

- The alias for the device with the static DHCP assignment.
- A WAN rule for any source, any port, with the Meraki alias as the destination.
- 1:1 NAT on the WAN interface, type BINAT, external network (my ISP-assigned IP), with source of single host from the LAN (Meraki) 192.168.1.175, destination any, with NAT reflection enabled.

I've removed the port forwarding that IT recommended as well; I assume my rule and 1:1 NAT basically exposed the Meraki directly to the web.

Still learning here and would like to understand this better. Would greatly appreciate any feedback on whether this is the correct way to do this (I have no doubt it's not). I don't fully understand the 1:1 NAT; even my WAN rule seems too wide open to me. It is working for now at least.


thanks
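The three settings listed in that post, written out as an added pf.conf fragment (not the poster's OPNsense configuration, which generates its own rules from the GUI) so the difference in exposure between the wide WAN rule and the UDP 1900 forward IT asked for is visible. The interface name em0 and the WAN address 203.0.113.10 are assumed placeholders; 192.168.1.175 is the Meraki address from the post.

```pf
# Added illustration in classic pf.conf syntax (the FreeBSD pf that OPNsense
# builds on). OPNsense writes its own rules from the GUI; this is not its output.
ext_if = "em0"             # assumed WAN interface name (placeholder)
ext_ip = "203.0.113.10"    # assumed ISP-assigned WAN address (placeholder)
meraki = "192.168.1.175"   # (1) the alias: the Meraki with its static DHCP lease

# (2) 1:1 NAT, type BINAT: one bidirectional mapping. Outbound packets from the
# Meraki leave with the WAN address as their source; inbound packets addressed
# to the WAN address are rewritten to the Meraki before the filter rules run.
# (The "NAT reflection" checkbox adds the equivalent inward redirect for LAN
# clients that talk to the WAN address; it is omitted here.)
binat on $ext_if from $meraki to any -> $ext_ip

# (3) The WAN rule as described in the post: any source, any protocol, any port,
# destination the Meraki alias. Because binat runs first, this matches every
# packet the Internet sends to the WAN address, which is why the poster's own
# reading is right: it exposes the Meraki directly to the web.
pass in quick on $ext_if from any to $meraki keep state

# What IT originally asked for, for comparison: only UDP 1900 is forwarded to
# the Meraki, and everything else still hits the default deny rule.
# rdr on $ext_if proto udp from any to $ext_ip port 1900 -> $meraki
# pass in quick on $ext_if proto udp from any to $meraki port 1900 keep state

# After changing NAT or filter rules, entries already in the state table keep
# their old translation. Clearing them (pfctl -F states from a shell, or the
# states reset in the OPNsense firewall diagnostics) is what fixed the setup.
```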
 




#2
Hello, I have recently moved to OPNsense from Untangle on a Protectli.

I have basic functions in OPNsense: LAN devices get a proper DHCP IP, and access to the web through WAN is 100% functional. No issues there.

A company I do work for provided me a Meraki MX68 so I can reach their secure network. I don't remember doing anything under Untangle's configuration when I set it up years ago, but the Meraki has always worked behind the Untangle firewall.

I created a DHCP reservation for the Meraki, and I've tried to create an alias from some other examples as well, but I can't seem to figure out how to build a proper rule so the Meraki can receive whatever it needs from the WAN port unblocked.

Their IT group, who provided the Meraki, told me all I need is a port forward for UDP 1900 through the firewall to the Meraki (192.168.1.175). That's in place, but it seems like there is more to this. When I look at the live log view I see a lot of "Default deny / state violation rule" events; I expect that's the traffic trying to come back to the Meraki for it to function.

Is there a safe way to allow the Meraki to have two-way unblocked traffic through the WAN port? Like a DMZ just for this internal IP'd device? I'm sure there is a rule to do this correctly, but I'm not making any progress with what I can find online, and I'm likely overcomplicating this.


Any recommendations for resources, or some advice on what I should be looking for online as far as examples or similar configurations, would be appreciated. Any rules I've created trying this I've removed; I was likely headed in the wrong direction anyway.


Greatly appreciate any help.
thanks
Terry