Messages - julcol

#1

@Patrick thanks for the info. Will change my config.

Just adding some info for context if anybody else arrives here. Looking at the logs in detail I can see that traffic is actually allowed through the WAN interface, which nevertheless was the intention.


vlan01.73   match   block   in   4   0x0      64   0   0   DF   6   tcp   52   192.168.73.112   17.111.103.20
vlan01.73   match   block   in   4   0x0      64   0   0   DF   6   tcp   83   192.168.73.112   17.111.103.20
pppoe0   match   pass   out   4   0x0      63   0   0   DF   6   tcp   64   XX.XX.XX.XX   17.111.103.20
vlan01.73   match   pass   in   4   0x0      64   0   0   DF   6   tcp   64   192.168.73.113   17.111.103.20
pppoe0   match   pass   out   4   0x0      63   0   0   DF   6   tcp   64   XX.XX.XX.XX   17.111.103.20
vlan01.73   match   pass   in   4   0x0      64   0   0   DF   6   tcp   64   192.168.73.102   17.111.103.20
pppoe0   match   pass   out   4   0x0      63   0   0   DF   6   tcp   64   XX.XX.XX.XX   17.111.103.20
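The pasted lines are the raw, whitespace-separated filterlog columns. The following is an added example (not code from the thread or from OPNsense) that parses such a paste into records and reports which sources were only ever blocked on an interface, which is the quickest way to spot the host whose rule is missing. The column mapping is an assumption read off the visible columns; a full OPNsense filterlog record carries more fields (rule number, label, ECN) that the paste does not show, so the parser rejects lines with a different field count rather than guessing. The sample log is the one from this post, embedded inline so the script runs offline.

```python
"""Parse pasted OPNsense/pf filterlog columns and summarise pass/block per host."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Field order ASSUMED from the columns visible in the pasted lines; the full
# filterlog record has additional leading fields that the paste omitted.
FIELDS = ("iface", "reason", "action", "direction", "ipver", "tos", "ttl",
          "ip_id", "offset", "flags", "proto_num", "proto", "length",
          "src", "dst")


@dataclass(frozen=True)
class Entry:
    iface: str
    reason: str
    action: str
    direction: str
    ipver: str
    tos: str
    ttl: str
    ip_id: str
    offset: str
    flags: str
    proto_num: str
    proto: str
    length: str
    src: str
    dst: str


def parse_line(line):
    """Split one pasted log line into an Entry; refuse lines with an
    unexpected number of columns instead of silently mis-mapping them."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
    return Entry(*parts)


def parse_log(text):
    """Parse every non-empty line of a pasted log."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(entries):
    """Count actions per (interface, direction, source address)."""
    summary = defaultdict(Counter)
    for e in entries:
        summary[(e.iface, e.direction, e.src)][e.action] += 1
    return dict(summary)


def blocked_only_sources(entries):
    """Sources that were blocked on an interface and never passed there.
    These are the hosts whose traffic no pass rule matched."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e.iface, e.src)].add(e.action)
    return sorted(k for k, actions in seen.items()
                  if "block" in actions and "pass" not in actions)


# Sample input: the lines quoted in the post above (public IP masked as XX).
SAMPLE_LOG = """
vlan01.73   match   block   in   4   0x0      64   0   0   DF   6   tcp   52   192.168.73.112   17.111.103.20
vlan01.73   match   block   in   4   0x0      64   0   0   DF   6   tcp   83   192.168.73.112   17.111.103.20
pppoe0   match   pass   out   4   0x0      63   0   0   DF   6   tcp   64   XX.XX.XX.XX   17.111.103.20
vlan01.73   match   pass   in   4   0x0      64   0   0   DF   6   tcp   64   192.168.73.113   17.111.103.20
pppoe0   match   pass   out   4   0x0      63   0   0   DF   6   tcp   64   XX.XX.XX.XX   17.111.103.20
vlan01.73   match   pass   in   4   0x0      64   0   0   DF   6   tcp   64   192.168.73.102   17.111.103.20
pppoe0   match   pass   out   4   0x0      63   0   0   DF   6   tcp   64   XX.XX.XX.XX   17.111.103.20
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, counts in sorted(summarize(entries).items()):
        print(key, dict(counts))
    print("blocked-only sources:", blocked_only_sources(entries))
```

Running it on the pasted lines shows that only 192.168.73.112 on vlan01.73 is blocked without ever being passed, while .113 and .102 pass inbound and the masked WAN address passes outbound on pppoe0; that narrows the rule review to a single host rather than to the whole VLAN.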
#2
Hi,

I am running opnsense 25.1.3.

I have 4 VLANs: GENINT, LANNET, IOTNET, CAMNET.

In GENINT the last 2 rules are the ones in the pics.
The second pic is the log of the firewall essentially allowing one traffic and blocking another one, which for me should both trigger the pass rule.

Any hints about why my configuration is wrong?

Thanks.

JC

#3


@viragomann

Thanks for your patience. Eventually you were right.

My PiHole container network IP address in Proxmox was set up as xxx.xxx.xxx.xxx/32 and should have been xxx.xxx.xxx.xxx/24.

Again, thanks for helping me reach the right conclusions.

Regards.

JC
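The root cause in this post was a /32 prefix on the container interface instead of /24. As an added example (not from the thread), the script below shows concretely what that prefix does: it computes the on-link network the interface address implies and checks whether the gateway and the LAN peers fall inside it. All addresses are constructed sample values modelled on the 192.168.33.0/24 LAN mentioned elsewhere in these posts; the container, gateway and client addresses are assumptions.

```python
"""Show why a /32 interface address breaks LAN connectivity: nothing is on-link."""
import ipaddress


def on_link_network(iface_cidr):
    """The directly connected network implied by an interface address/prefix."""
    return ipaddress.ip_interface(iface_cidr).network


def diagnose(iface_cidr, gateway, peers):
    """Report which addresses the host can reach without a router.

    Returns a dict with the implied on-link network, whether the default
    gateway is on-link (if not, the host cannot ARP for it and the default
    route is unusable), and the peers that are off-link.
    """
    net = on_link_network(iface_cidr)
    gw_on_link = ipaddress.ip_address(gateway) in net
    off_link = [p for p in peers if ipaddress.ip_address(p) not in net]
    return {
        "network": str(net),
        "gateway_on_link": gw_on_link,
        "off_link_peers": off_link,
    }


def compare_prefixes(address, wrong_prefix, right_prefix, gateway, peers):
    """Side-by-side diagnosis of the misconfigured and the corrected prefix."""
    return {
        f"/{wrong_prefix}": diagnose(f"{address}/{wrong_prefix}", gateway, peers),
        f"/{right_prefix}": diagnose(f"{address}/{right_prefix}", gateway, peers),
    }


# Constructed sample values (assumptions, not taken from the thread):
CONTAINER = "192.168.33.17"          # e.g. a Pi-hole LXC container
GATEWAY = "192.168.33.1"             # the OPNsense LAN address
PEERS = ["192.168.33.190", "192.168.33.228"]  # a client and another container

if __name__ == "__main__":
    for prefix, result in compare_prefixes(CONTAINER, 32, 24, GATEWAY, PEERS).items():
        print(prefix, result)
```

With /32 the on-link network is the single address 192.168.33.17/32, so the gateway and every neighbour are off-link: the container cannot resolve their MAC addresses and its traffic never reaches the firewall in the expected way. With /24 everything in 192.168.33.0/24 is on-link and the gateway is usable, which is the corrected configuration the post arrived at.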

#4


Thus, why do I see pihole traffic... hosted in the same Proxmox instance, being blocked at the firewall (http/https), while nginx is showing up only partially (https traffic is not showing up)?

228 is nginx.
17 is pihole.

Where is the magic that I am missing?
#5

I am going to close the discussion.

The webserver I was originally trying to log into is the console of a pi-hole installation I manually installed into a bare-bones Debian LXC container. Something weird must be in there with networking and pihole that is beyond my understanding.

I installed an nginx LXC container and it works at first try. So no firewall blocking. Interestingly, it does not show any traffic in the firewall log, which is pretty weird. I log everything to see and learn.

I do not think continuing with the discussion adds any value.

Thanks to those who looked into it.

JC
#6
Ok, thanks for your response. I will try to clarify.

  • Webserver-LXC(IP -> DHCP opnsense)
  • opnsense-VM
  • Client/browser as a separate host connected to a common switch. Same subnet (IP -> DHCP from opnsense).

Webserver/opnsense hosted in the same proxmox host. They share Linux bridge vmbr0. vmbr0 bridges the enp1s0 ethernet port --> to physical bridge --> to client/browser.

This is what the firewall reports when I open the browser and try to connect to the webserver:

LAN 2025-03-05T16:03:09 192.168.33.17:80 192.168.33.190:34198 tcp Default deny / state violation rule
LAN 2025-03-05T16:03:09 192.168.33.17:80 192.168.33.190:34186 tcp Default deny / state violation rule

Which is pretty confusing because 192.168.33.17 is the webserver and 192.168.33.189 is the browser, but the firewall shows it as if it were the other way around, or so I understand.

#7

That was pretty unhelpful. Had a bad day? No need to post.

Your assumptions are incorrect.
#8
Adding insult to injury,

can I assume that the anti-lockout rules are void in this scenario, which is the default in an opnsense default installation? Given rule precedence, rule number 2 will match before 10/11, which are the anti-lockout rules, isn't it?

The attached is a screenshot of my rules (floating).

I guess I am missing something important.

JC
#9
My context.

I have opnsense running on top of proxmox. In a container sharing the same bridge there is a web server. I want to access the webserver from a host in the same subnet, physically separated from the proxmox server.

a) host --> webserver --> no connection (yes ping)
b) webserver --> host --> connects (yes pings).

Uhmm... ok, because the rules apply to the interface, my host is seen as coming from outside the interface, regardless of being in the same subnet.

I create a pass rule for this host: IN, LAN interface, LAN net, destination webserver/https.

However, I still get hit by the Default deny / state violation rule which sits in the default floating rules...

Is my interpretation correct? What would be the correct way to allow certain hosts to connect to the webserver then? I am reluctant to change anything on the floating rules.

Thanks for your help

JC
#10
Yes, sorry, it was a typo. Address.

Many thanks!

JC
#11

Hi,

I am setting up some containers in a docker IPVLAN L3 network within a host.
I have added my host as a gateway for the subnet in opnsense (lesson learned).
I have added an explicit outbound NAT rule with source address my docker network subnet and translation target my WAN net.

Ping will lose 100% of traffic.
All outgoing connections get stuck.

I can see all my outgoing traffic in green and matched against rules in the firewall. There is no blocked traffic.

Can you guys help me figure out what I am missing?

Thanks.

JC
#12

Hi,

I have a fresh 25.2 installation running as a VM in Proxmox. I have pi-hole in a separate VM.

I have opened WAN to allow 80/443 from WAN to my opnsense IP instance.
I have created forwarding rules to redirect 80/443 traffic from WAN to my opnsense server.
I have a dynamic IP address, currently DDNS via AWS Route53 via a hosted zone.
WireGuard works perfectly.

Using the plugin:

I have enabled the plugin
I have created an account
I have created a challenge HTTP01 as per multiple suggestions due to DNS on pi-hole. I have set up HTTP Service to automatic port forward. Interface is WAN.

I create a certificate: common name --> my domain in Route53, ACME account --> Let's Encrypt.

I get this eventually in the ACME log:

2025-02-12T16:02:10    acme.sh    [Wed Feb 12 16:02:10 CET 2025] Sleeping for 10 seconds and retrying.
2025-02-12T16:02:10    acme.sh    [Wed Feb 12 16:02:10 CET 2025] Cannot init API for: https://acme-staging-v02.api.letsencrypt.org/directory.
2025-02-12T16:02:10    acme.sh    [Wed Feb 12 16:02:10 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6

Any hints how I can overcome this problem?

After doing this, internet connectivity fails and I have to reboot opnsense... pretty bad actually.

Thanks

JCG