Messages - opnsenuser

#16
Hi,
2 spontaneous ideas.
1. What is the default gateway for the LAN clients? The router? -> Does it have a direct route to the OPNsense for the server IPs?
2. Are the ports on the OPNsense "WAN" opened for the desired traffic?

@pmhausen: That is a file from https://draw.io, an online diagram drawing application.
opnsenuser
#17
Hi,
The default with opnsense (as with practically all firewalls) is that all communication is forbidden at first (apart from the automatic rules).
-> no explicit allow = no traffic.
The easiest way is to define explicitly, on the respective interface, which device may communicate with which other device over which port.

opnsenuser
#18
19.7 Legacy Series / Re: IDS/IPS Kills Opnsense
November 21, 2019, 06:47:40 PM
I can confirm this behavior. I'm running on a Deciso OPNsense Dual A10 QC SSD rack Gen2+.
#19
Hi,
I think the easiest (direct) way to do this is to assign the IPs (in your case 81.145.xxx.xxx): one to the DMZ interface and the rest as required to the (web)servers.
This way the opnsense can route the requests to the servers, if your firewall rules allow so.
This would not require any NAT and port forwarding.

opnsenuser
#20
Hi,
what is your hardware platform?

greetings
opnsenuser
#21
Hi,
maybe I can link a similar case https://forum.opnsense.org/index.php?topic=13402.msg61688#msg61688 with a similar system setup to this thread... :-[

greetings
opnsenuser
#22
19.1 Legacy Series / Re: export aliases from cli
July 27, 2019, 05:14:42 PM
hi,
thanks for your replies.

case closed :)

greetings
opnsenuser
#23
19.1 Legacy Series / export aliases from cli
July 13, 2019, 08:39:54 PM
Hi,
since I can't access the webUIs any longer on my OPNSenses > https://forum.opnsense.org/index.php?topic=13402.0,
I'm on the lookout for a way to export my aliases.
Since these are not included in the xml backup and the webUI is not accessible, the only way to get them is through the CLI.
Where are the aliases stored?
Any ideas?

greetings
opnsenuser
#24
Hi,
@JhonnyMnemonic:
The webgui or any other management service should not be accessible via the wan, only via the internal management network.

opnsenuser
#25
Hi everyone,
on my 2 opnsense boxes (both supermicro E300-8D) I can't access the webGUI from the outside world (management network)

setup for testing external access:
laptop with static address in the same subnet directly connected to the management interface
* access the ip with a browser (https://$ip) -> can't connect
* curl the interface ip (curl -k https://$ip) -> timeout

What I've tried:
* checked /var/log/lighttpd.log -> server started
* verify that lighttpd listens on the required interfaces -> managementip :443, loopback :443
* curl the interface address from the opnsense locally -> the login page shows up

the above options don't show any errors

what's weird is this:
* ping from the opnsense to the laptop (with icmp allowed) -> destination can not be reached
* forwarding works just as ever
* no incoming connections in pftop with filter to the laptops static ip

Am I missing something?

thanks for your ideas :)

opnsenuser
#26
Hi,
then the text below the interfaces is wrong: "... Everything that isn't explicitly passed is blocked by default."
That should be valid on every interface, even the LAN. Only if a service on the firewall's interface is active should the required ports be open.
Or am I wrong?

greetings
opnsenuser
#27
Hi,

Quote from: marjohn56 on March 04, 2019, 07:26:28 PM
I would imagine that by default it will always allow access to its own dhcp servers on the LAN, even if you do not have it running.

Why is there a need for an open port if no service is running?
Firewall ports should only be open if they are required.

Looking in the github repo for the cause... but so far no findings :(

greetings
opnsenuser
#28
Hi everyone,
I'm running the latest release 19.1.2...
In the pfinfo, tab: Rules, I have some rules that have the following comment at the end: "allow access to DHCPv6 on LAN", but there is no DHCPv6 server active. Is this a bug?

greetings
opnsenuser