OPNsense Forum

Messages - loganx1121

76
19.7 Legacy Series / Re: (Solved) Can't see vlan traffic?
« on: November 26, 2019, 12:29:49 am »
Stupid error on my part in regards to the switch.  Working as intended now. 

77
19.7 Legacy Series / Re: Can't see vlan traffic?
« on: November 25, 2019, 02:04:39 pm »
So I checked all of my rules on the firewall and I had a rule that I made for this new vlan that didn't have logging enabled...but...

The rule is for the "Inside" interface on the firewall.  This is a /30 between the firewall and the core Cisco switch where all of the other subnets are routed via OSPF.

So now I can see the traffic for the new VLAN, but I still don't see anything hitting the new VLAN interface.  There are no rules on the VLAN interface, so all the traffic hitting it should be rejected/blocked, but I'm just not seeing anything hit it.

78
19.7 Legacy Series / (Solved) Can't see vlan traffic?
« on: November 25, 2019, 04:34:52 am »
I set up a VLAN interface (VLAN 30) on the firewall.  I have a core Cisco switch and an "access" Cisco switch connected to the firewall.  I made VLAN 30 on the core switch, trunked to the interface on the firewall...that seems to be working fine.  I made another trunk to my VM host, spun up a VM and put it on VLAN 30 with a static IP in that subnet.  I can ping out to the internet...everything seems fine...but when I check the firewall logs I can't see anything for VLAN 30.

If I ping out to the internet, nothing in the logs.
Ping to a different internal subnet, nothing in the logs. 

I find this very odd.  I would think I would see something in the logs for the traffic hitting the new VLAN interface but I'm not...even though everything seems to be working fine.

Any thoughts or advice is appreciated.
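
A quick way to find out which interface a subnet's traffic is actually entering on, instead of scrolling the live log view, is to count filterlog entries per interface. Two things decide what appears there: only rules with logging enabled (and the default deny, if its logging is on) write entries at all, and an entry is recorded on the interface the packet arrived on. If a VLAN's traffic only ever shows up on the /30 to the core switch, the switch is routing that subnet to the firewall and the hosts are not using the firewall's VLAN address as their gateway, so no rule on the VLAN interface will see it. The script below is an added example, not code from this post or from OPNsense. The log lines are constructed; the field order after `filterlog:` (rule number, sub-rule, anchor, rule id, interface, reason, action, direction, IP version, then the IPv4 header fields with source and destination at positions 18 and 19) and the interface names igb0 (WAN), igb1 (the /30) and igb1_vlan30 (VLAN 30) are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample lines (not from the poster's firewall) in the OPNsense filterlog
# syslog format. Assumed field order after "filterlog: ":
#   0 rule number, 1 sub-rule, 2 anchor, 3 rule id, 4 interface, 5 reason, 6 action,
#   7 direction, 8 IP version, then for IPv4: 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset,
#   14 flags, 15 protocol id, 16 protocol name, 17 length, 18 source, 19 destination, ...
# Assumed interface names: igb0 = WAN, igb1 = the /30 to the core switch, igb1_vlan30 = VLAN 30.
SAMPLE_LOG = """\
Nov 25 14:01:02 fw filterlog: 76,,,0,igb1,match,pass,in,4,0x0,,63,11001,0,DF,1,icmp,84,10.5.30.10,8.8.8.8,request,1234,1
Nov 25 14:01:02 fw filterlog: 76,,,0,igb1,match,pass,in,4,0x0,,63,11002,0,DF,1,icmp,84,10.5.30.10,8.8.8.8,request,1234,2
Nov 25 14:01:05 fw filterlog: 76,,,0,igb1,match,pass,in,4,0x0,,63,11003,0,DF,6,tcp,60,10.5.30.10,10.5.9.20,52344,5222,0,S,1,,65535,,mss
Nov 25 14:01:07 fw filterlog: 9,,,0,igb1_vlan30,match,block,in,4,0x0,,64,11004,0,DF,17,udp,78,10.5.30.11,10.5.30.1,68,67,58
Nov 25 14:01:09 fw filterlog: 4,,,0,igb0,match,block,in,4,0x0,,54,31337,0,none,6,tcp,44,198.51.100.7,203.0.113.10,44021,22,0,S,1,,1024,,
Nov 25 14:01:10 fw dhcpd: DHCPDISCOVER from 00:11:22:33:aa:bb via igb1
"""


@dataclass(frozen=True)
class FilterEntry:
    interface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str


def parse_filterlog(line: str):
    """Return a FilterEntry for an IPv4 filterlog line, or None for anything else."""
    marker = "filterlog: "
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = line[idx + len(marker):].rstrip().split(",")
    if len(fields) < 20 or fields[8] != "4":  # IPv6 lines have a different layout; skipped here
        return None
    return FilterEntry(interface=fields[4], action=fields[6], direction=fields[7],
                       proto=fields[16], src=fields[18], dst=fields[19])


def summarize(log_text: str, subnet: str) -> dict:
    """Count entries whose source or destination lies in `subnet`, keyed by (interface, action, direction)."""
    net = ip_network(subnet)
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry is None:
            continue
        if ip_address(entry.src) in net or ip_address(entry.dst) in net:
            counts[(entry.interface, entry.action, entry.direction)] += 1
    return dict(counts)


def interfaces_seen(log_text: str, subnet: str) -> list:
    """Interfaces on which traffic for `subnet` was logged at all."""
    return sorted({iface for (iface, _, _) in summarize(log_text, subnet)})


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG, "10.5.30.0/24").items()):
        print(f"{key[0]:<12} {key[1]:<6} {key[2]:<4} {n}")
```

On a real box the input would be `/var/log/filter.log` (or the output of `clog /var/log/filter.log` on 19.x), and the same per-interface count is what tells you whether a missing entry is a logging setting or a packet that simply never reaches that interface.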

79
19.7 Legacy Series / Trying to tighten up some rules
« on: November 08, 2019, 03:36:08 am »
So I have several subnets inside my LAN and right now, to get out to the internet, there are rules for each of the subnets on the LAN interface of the firewall that basically say - allow ipv4 out to anything.

I decided I wanted to try to tighten these up a bit, so I was trying to change the destination to my WAN interface (which I've named INET) and every time I try to do that, nothing on the subnet can get outside the LAN network. I've tried making the rule go in and out on the WAN interface, I've tried in and out on the LAN interface...I've tried a bunch of things, but it seems like regardless of what I do, nothing on my server subnet can get out to the internet. Here are some screenshots of what I tried last that isn't working.

I'm testing this by trying to ping continuously to 8.8.8.8 from one of the servers, and I can see it hitting the default deny rule, I'm just not sure why.

Thanks in advance for any advice
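
The destination field of a rule is compared against the packet's destination address, not against the interface the packet will leave on. "WAN address" therefore only matches packets sent to the firewall's own WAN IP, and "WAN net" only the subnet directly attached to WAN; a ping to 8.8.8.8 matches neither and falls through to the default deny, which is exactly the log entry described above. The usual way to tighten an "allow anything out" rule is to keep the destination broad but invert it against the private ranges (an RFC1918 alias) or against the other internal networks, so the rule still covers the internet but no longer covers the neighbouring subnets. The script below is an added example, not code from this post or from OPNsense: it models first-match evaluation of rules on the LAN interface the way pf does it with quick rules, using assumed addresses (WAN 203.0.113.10/24, server subnet 10.5.9.0/24, VLAN 30 subnet 10.5.30.0/24) and assumed rule labels.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the example (not from the post).
WAN_ADDRESS = ip_network("203.0.113.10/32")   # what "WAN address" expands to
WAN_NET = ip_network("203.0.113.0/24")        # what "WAN net" expands to
SERVER_NET = ip_network("10.5.9.0/24")
VLAN30_NET = ip_network("10.5.30.0/24")
ANY = (ip_network("0.0.0.0/0"),)
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: tuple                   # networks the packet source must fall in
    dst: tuple                   # networks the packet destination is compared with
    dst_negated: bool = False    # the "/ invert" checkbox: match when dst is NOT in any of them
    label: str = ""


DEFAULT_DENY = Rule("block", ANY, ANY, label="Default deny rule")


def matches(rule: Rule, src, dst) -> bool:
    src_ok = any(src in n for n in rule.src)
    dst_in = any(dst in n for n in rule.dst)
    return src_ok and (dst_in != rule.dst_negated)


def evaluate(rules, src: str, dst: str):
    """First-match evaluation of the rules on the interface the packet enters (LAN, inbound).
    OPNsense rules are 'quick' by default, so the first matching rule decides; nothing
    matching means the implicit default deny. Returns (action, label)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, s, d):
            return rule.action, rule.label
    return DEFAULT_DENY.action, DEFAULT_DENY.label


# The three rule sets discussed: the original "allow anything", the attempted tightening
# with destination = WAN address, and a tightening that still reaches the internet.
ORIGINAL = [Rule("pass", (SERVER_NET,), ANY, label="servers out")]
ATTEMPTED = [Rule("pass", (SERVER_NET,), (WAN_ADDRESS,), label="servers to WAN address")]
ATTEMPTED_NET = [Rule("pass", (SERVER_NET,), (WAN_NET,), label="servers to WAN net")]
TIGHTENED = [Rule("pass", (SERVER_NET,), RFC1918, dst_negated=True, label="servers to non-RFC1918")]


if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("attempted", ATTEMPTED), ("tightened", TIGHTENED)]:
        for dst in ("8.8.8.8", "203.0.113.10", "10.5.30.10"):
            print(f"{name:<10} 10.5.9.50 -> {dst:<14} {evaluate(rules, '10.5.9.50', dst)}")
```

One caveat the inverted rule makes visible: `! RFC1918` still passes traffic to the firewall's own WAN address and to any public-facing management address, so if the goal is to keep the server subnet off the firewall entirely, an explicit block to "This Firewall" above it is still needed.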

80
19.7 Legacy Series / Re: SSH for non root account?
« on: October 20, 2019, 07:08:35 pm »
Thanks for the reply.  I figured it out.  The login shell for the account was set to /nologin

81
19.7 Legacy Series / SSH for non root account?
« on: October 20, 2019, 06:34:54 am »
I made an admin account for myself, but I can't use SSH to the firewall with it. I read this in another post somewhere:

Quote
Go to the user's properties page, under "Effective Privileges" click "+", select "Users - System - Shell account access" and apply. That should do it.

When I go to "Effective Privileges" I don't seem to have that option. Anyone know what's up? I tried filtering the privileges by "ssh" "user" etc. and I manually checked them but I'm missing something I guess.

82
19.7 Legacy Series / Re: Using Opnsense as DHCP server
« on: October 20, 2019, 06:34:09 am »
I found some convoluted way to do it in an article and decided it wasn't worth the time.  Spun up a windows DHCP server instead.  Thanks for the response.

83
19.7 Legacy Series / Using Opnsense as DHCP server
« on: October 19, 2019, 01:37:23 am »
So I would like to use the firewall as a DHCP and DNS server, but I figured I would do DHCP first. The topology looks like this:

Opnsense Firewall
        |
Core Cisco Switch
        |
Cisco Access Switch
       / \
 Everything else

So on the core switch, I made a test VLAN, with an SVI. IP address 10.5.9.1 255.255.255.0

The firewall connects to the core switch with a /30 - 10.5.97.0 255.255.255.252

I set the helper address on the SVI to be the IP of the LAN interface on the firewall, but I guess Opnsense doesn't like this because when I try to configure an "additional pool" on the LAN interface under DHCPv4, it says the network is outside the range of the interface.

So I guess my question is, is this not a thing? Do I need to do something weird with the VLANs or have the VLANs hosted on the firewall? I tried adding a new gateway to the LAN interface on the firewall within the test VLAN range but it didn't make a difference. I had assumed I could have Opnsense hand out IPs for whatever range I wanted over a single interface but it looks like I can't?

Thanks in advance
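
What the helper address on the SVI does is turn the client's broadcast DHCPDISCOVER into a unicast to the firewall with the relay's own address in the `giaddr` field, and the server picks the pool by that `giaddr`, not by the interface the packet arrived on (RFC 2131, section 4.3.1). The ISC dhcpd that OPNsense runs will answer such a request only if it has a subnet declaration covering `giaddr`; the 19.7 DHCPv4 page only lets you define ranges inside the interface's own subnet, which is the "outside the range of the interface" error seen above. The script below is an added example, not code from this post, from OPNsense or from Cisco IOS: it builds a DHCPDISCOVER, relays it the way `ip helper-address` does, and shows the server-side subnet choice with and without a declaration for the relayed subnet. The SVI (10.5.9.1/24) and the /30 (10.5.97.0/30) come from the post; the client MAC and the second relay hop are assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1

# Addressing from the post: SVI 10.5.9.1/24 on the core switch, firewall LAN on 10.5.97.0/30.
SVI_NET = ip_network("10.5.9.0/24")
LAN_NET = ip_network("10.5.97.0/30")


def build_discover(xid: int, mac: bytes) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: all four address fields zero, hops 0."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,                     # op: BOOTREQUEST
        1, 6,                  # htype Ethernet, hlen 6
        0,                     # hops, incremented by each relay
        xid,
        0, 0x8000,             # secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,  # siaddr, giaddr
        mac.ljust(16, b"\0"),  # chaddr
        b"\0" * 64, b"\0" * 128,  # sname, file
    )
    options = DHCP_MAGIC + bytes([53, 1, DHCPDISCOVER, 255])  # message type, end
    return fixed + options


def giaddr_of(packet: bytes):
    return ip_address(packet[24:28])


def relay(packet: bytes, ingress_ip: str) -> bytes:
    """What `ip helper-address` does on the SVI: bump hops and, if no relay has done so yet,
    put the ingress interface address in giaddr, then unicast the packet to the server."""
    hops = packet[3] + 1
    giaddr = packet[24:28]
    if giaddr == b"\0" * 4:
        giaddr = ip_address(ingress_ip).packed
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]


def select_pool(packet: bytes, receiving_iface_net, declared_subnets):
    """Server-side subnet selection: by giaddr when the request was relayed, otherwise
    by the subnet of the interface the broadcast arrived on. None means 'no pool'."""
    g = giaddr_of(packet)
    key = g if int(g) != 0 else receiving_iface_net.network_address
    for net in declared_subnets:
        if key in net:
            return net
    return None


if __name__ == "__main__":
    discover = build_discover(0x1234, bytes.fromhex("00112233aabb"))       # assumed client MAC
    relayed = relay(discover, "10.5.9.1")                                   # helper address on the SVI
    print("direct request on LAN   ->", select_pool(discover, LAN_NET, [LAN_NET]))
    print("relayed, only LAN pool  ->", select_pool(relayed, LAN_NET, [LAN_NET]))
    print("relayed, SVI subnet too ->", select_pool(relayed, LAN_NET, [LAN_NET, SVI_NET]))
```

The second print is the situation in the post: the packet reaches the firewall, but a server that only knows the /30 has no pool for `giaddr` 10.5.9.1 and stays silent. The third line is what a hand-written `subnet 10.5.9.0 netmask 255.255.255.0 { ... }` declaration in dhcpd.conf would give the server; it is also why the alternative of hosting the VLANs on the firewall works without any relay at all.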

84
19.7 Legacy Series / Re: (Solved...kinda) Odd port forward behavior?
« on: October 18, 2019, 11:50:46 pm »
Solved - I was able to resolve this by adding an outbound NAT rule to my LAN interface.  Still means NAT reflection isn't working properly, but I was able to work around it...
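
The outbound NAT rule on LAN is what makes reflection work when the server and the client can reach each other without going through the firewall. A port forward alone rewrites the destination (WAN IP to server) but leaves the client's source address intact, so the server replies straight to the client across the switch; the client, which opened a connection to the WAN IP, receives a packet from the server's private address and resets it. Translating the source to the firewall's LAN address as well forces the reply back through the firewall, where both translations are undone. The script below is an added example, not code from this thread or from OPNsense: a minimal model of pf's rdr and nat steps with a state table, run once without and once with the extra outbound NAT. All addresses (WAN 203.0.113.10, firewall LAN 10.5.97.1, XMPP server 10.5.9.20, client 10.5.9.50) are assumptions; port 5222 is from the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed addresses (not from the thread).
WAN_IP, LAN_IP = "203.0.113.10", "10.5.97.1"
XMPP_SERVER, LAN_CLIENT = "10.5.9.20", "10.5.9.50"
INTERNAL = ip_network("10.0.0.0/8")
XMPP_PORT = 5222   # from the thread


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def reverse(f: Flow) -> Flow:
    return Flow(f.dst, f.dport, f.src, f.sport)


class Firewall:
    """pf-style NAT in miniature: rdr (the port forward) on ingress, optionally nat (the
    outbound NAT rule on LAN) for the same packet, plus a state table so replies can be
    untranslated. Keyed by the server-facing flow, value is what the client actually sent."""

    def __init__(self, outbound_nat_on_lan: bool):
        self.outbound_nat_on_lan = outbound_nat_on_lan
        self.states = {}
        self.next_port = 50000

    def forward_from_lan(self, f: Flow) -> Flow:
        if f.dst != WAN_IP or f.dport != XMPP_PORT:
            return f                                   # not the reflected port forward
        fwd = replace(f, dst=XMPP_SERVER)              # rdr: WAN IP:5222 -> server:5222
        if self.outbound_nat_on_lan and ip_address(f.src) in INTERNAL:
            fwd = replace(fwd, src=LAN_IP, sport=self.next_port)   # nat: source becomes the firewall
            self.next_port += 1
        self.states[reverse(fwd)] = f
        return fwd

    def untranslate_reply(self, reply: Flow):
        original = self.states.get(reply)
        return reverse(original) if original else None


def deliver_reply(reply: Flow) -> str:
    """The core switch hands a packet to whoever owns its destination: a reply addressed to
    the firewall goes back through it, one addressed to an internal host goes there directly."""
    return "firewall" if reply.dst == LAN_IP else "direct"


def hairpin_works(outbound_nat_on_lan: bool) -> bool:
    fw = Firewall(outbound_nat_on_lan)
    client_sent = Flow(LAN_CLIENT, 40000, WAN_IP, XMPP_PORT)
    expected_reply = reverse(client_sent)       # the client's own state: reply must come from WAN_IP:5222
    at_server = fw.forward_from_lan(client_sent)
    reply = reverse(at_server)                  # the server answers whatever source it saw
    if deliver_reply(reply) == "direct":
        # Arrives straight from 10.5.9.20:5222; the client's connection is to 203.0.113.10:5222
        return reply == expected_reply
    return fw.untranslate_reply(reply) == expected_reply


if __name__ == "__main__":
    print("port forward only          :", "works" if hairpin_works(False) else "client gets RST")
    print("port forward + outbound NAT:", "works" if hairpin_works(True) else "client gets RST")
```

The price of the source translation is that the XMPP server logs every internal client as coming from 10.5.97.1, which is the usual argument for split-horizon DNS (an internal record pointing at 10.5.9.20) instead of reflection once an internal resolver exists.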

85
19.7 Legacy Series / Re: Odd port forward behavior?
« on: October 17, 2019, 11:16:53 pm »
I suppose that makes sense.  It's making me wonder how my Asus router did it though when I had that as the edge router.  Maybe this is one of those things where I got something much more complex and things I used to take for granted just don't work the same. 

86
19.7 Legacy Series / Re: Odd port forward behavior?
« on: October 17, 2019, 08:35:17 pm »
Yeah I'm not using anything for internal DNS.  It's just a home lab.  I had planned on building a DNS server but I wanted to get the firewall and chat server all situated first.  I'm considering using the firewall for internal DNS, and also for DHCP.  Right now DHCP is running on my layer 3 Cisco core switch.

It'd be better if the NAT reflection just worked.  I kind of suck with wireshark though.

87
19.7 Legacy Series / Re: Odd port forward behavior?
« on: October 17, 2019, 08:01:14 pm »
@cguilford I tried it just using the domain of the DDNS url but it didn't work.  None of the LAN clients are setup to use the firewall for DNS either.

Also here's a pcap in wireshark filtered by destination port 5222 which is what the XMPP server uses.

88
19.7 Legacy Series / Re: Odd port forward behavior?
« on: October 17, 2019, 07:51:13 pm »
My firewall and none of the clients are in a domain...does that matter?

89
19.7 Legacy Series / Re: Odd port forward behavior?
« on: October 17, 2019, 03:53:36 pm »
@chemlud - I just use Openfire server and Pidgin is the chat client.  It's just to talk with some family/friends back in NY.  It's pretty easy to set up initially.  I haven't really messed with TLS on it though. 

90
19.7 Legacy Series / Re: Odd port forward behavior?
« on: October 17, 2019, 03:52:17 pm »
@cguilford - Do you mind sharing a screen shot or maybe a quick run down of how you did that?  Just so I don't make things worse haha

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved