OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of eth0 »
  • Show Posts »
  • Topics
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Topics - eth0

Pages: [1]
1
20.7 Legacy Series / How is my pass rule different from default (which works, while mine doesn't)?
« on: November 22, 2020, 06:58:14 pm »
Another newbie question...

I'm trying to access a bridged cable modem's web UI that responds at 192.168.100.1:80 on the WAN interface. This works fine using the default Floating rule "let out anything from firewall host itself" (pass IPv4+6 to any).

However if I define my own WAN firewall rule (pass IPv4 to 192.168.100.1 only), so I could also block any other private addresses from leaking out on WAN, the browser can no longer load the UI (server not responding). There's nothing else blocking it, I have turned on logging on all WAN and Floating rules.

I can't view the actual definition of the default rule beyond what's shown in the firewall rules list, but on that level I don't see any difference to my own rule.

Could this be some kind of a gateway issue, as the modem's IP is outside of the WAN interface's subnet?

Doing a packet capture on WAN with the default rule, I see that communication happens between the firewall host's WAN address and 192.168.100.1, and the session soon proceeds into HTTP headers and such. With my own rule, after each response from 192.168.100.1 to the firewall host, it sends (or tries) another response to 192.168.0.101 (the laptop where I'm running the browser), and this repeats until the browser times out. I don't know why this is happening.

I think at some point I was able to make the default rule fail by changing some gateway related setting, but can't recall what it was and can't find it again. (I could be wrong and it may have failed for some unrelated reason.)

I've also tried changing the Gateway setting in my own rule but it won't let me (Policy based routing is only supported on inbound rules).

Is there some special magic going on in the default rule that I'm missing?

2
20.7 Legacy Series / Multicast being logged and denied on disabled interface – why?
« on: November 21, 2020, 08:56:26 pm »
Ok, I'm new with this, might be a simple question (I hope!) but I can't figure this out.

I have the following interfaces:

LAN1 (igb1)
VLAN10 (igb1_vlan10), with parent LAN1
LAN (bridge0), with member interface LAN1, not enabled

The bridge is going to include LAN0 (igb0) later. VLAN10 was originally created on the bridge, but I moved (re-parented) it to igb1 directly while solving some other problem, and also unchecked "Enable Interface" on the bridge to take it out of the equation completely.

This is mostly working fine (I have seen some weirdness which I may come back to later), but the disabled LAN bridge is showing traffic in the firewall live view:

⊘VLAN10➔Nov 21 20:38:06[fe80::18ad:c22e:c697:a75e]:5353[ff02::fb]:5353udpDefault deny rule
⊘LAN➔Nov 21 20:38:06[fe80::18ad:c22e:c697:a75e]:5353[ff02::fb]:5353udpDefault deny rule
⊘LAN➔Nov 21 20:38:06192.168.0.105:5353224.0.0.251:5353udpDefault deny rule
⊘VLAN10➔Nov 21 20:38:04[fe80::25:7c21:b051:7bd7]:5353[ff02::fb]:5353udpDefault deny rule
⊘LAN➔Nov 21 20:38:04[fe80::25:7c21:b051:7bd7]:5353[ff02::fb]:5353udpDefault deny rule
⊘VLAN10➔Nov 21 20:38:01[fe80::25:7c21:b051:7bd7]:5353[ff02::fb]:5353udpDefault deny rule
⊘LAN➔Nov 21 20:38:01[fe80::25:7c21:b051:7bd7]:5353[ff02::fb]:5353udpDefault deny rule
⊘VLAN10➔Nov 21 20:38:00[fe80::25:7c21:b051:7bd7]:5353[ff02::fb]:5353udpDefault deny rule
⊘LAN➔Nov 21 20:38:00[fe80::25:7c21:b051:7bd7]:5353[ff02::fb]:5353udpDefault deny rule
⊘LAN➔Nov 21 20:38:00192.168.0.106:5353224.0.0.251:5353udpDefault deny rule
⊘LAN➔Nov 21 20:37:28192.168.0.101:64657239.255.255.250:1900udpDefault deny rule
⊘VLAN10➔Nov 21 20:37:18[fe80::18ad:c22e:c697:a75e]:5353[ff02::fb]:5353udpDefault deny rule


First I thought maybe the connected switch is misbehaving and sending non-tagged frames, which might somehow end up in the wrong place, but soon realized that the same IPv6 multicast packets are also logged on VLAN10 (while IPv4 multicast only gets logged on LAN) – so they must be tagged. I still confirmed this by doing a packet capture on igb1, and couldn't see anything other than vlan10 traffic.

The difference between IPv4 and IPv6 is probably because at the moment I have "IPv6 Configuration Type: None" on VLAN10, but that's not the question I have here.

The actual question I have is: Why does tagged VLAN10 traffic go to the bridge which is not part of that VLAN, *AND* why does anything at all get sent to and logged on the LAN bridge when it's not enabled?

I could of course nuke the bridge and re-create it when I need it, and that would make the problem go away, but I'd like to understand why it's behaving the way it is.

[Edit: Figured out how to (ab)use BBCode to insert logs inline. Screenshot image still attached below, but seems it's not visible if not logged in to the forum.]

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2