Messages

361

General Discussion / Re: Help understanding source address on NAT/Firewall

« on: January 31, 2020, 05:25:05 pm »

If you want see the traffic from the local IP you need to capture on LAN interface.

Thank you, how can I do this and add relevant rules?

362

General Discussion / Help understanding source address on NAT/Firewall

« on: January 31, 2020, 04:06:04 pm »

Hi there,

I have downloaded a fresh install of OPNSense on a VM with virtual adapters, and only setup pppoe on the WAN interface and configured the LAN interface IP. No other changes have been made so it is very default (besides setting a password etc for login).

I would like to be able to block certain ports for certain LAN clients. EG: Block port 443 for all LAN clients except a few to a certain IP.

Before doing this I check live logging to see if I can find the internal IP's of clients I am testing with in the logs accessing 443. However all clients in the firewall log show as the WAN address when captured. EG:


Interface       Time    Source    Destination    Proto    Label    
   wan      Jan 31 14:59:36   142.113.216.163:58231   67.212.168.66:443   tcp   let out anything from firewall host itself (force gw)   

So source address is always 142.113.216.163 (my WAN IP) and destination and port is listed as correct (67.212.168.66:443).

This is unexpected. My expectation was something like source = 192.168.2.113:58231 (an internal IP). This would allow me to create a rule in the LAN side of the firewall restricting port 443 from a range of internal IP's to this destination. In this setup however, I can only blanket ban everything to that destination.

I have tested this with a LAN rule (does nothing) and then a WAN block rule that blocks successfully everything to a destination, or everything on a certain port I specify, but this limits me opening it up to certain internal LAN clients.

Is this behaviour expected, and if so what can I do to work around this behaviour?

P

363

General Discussion / Re: Port 80, 443 forwarding issue

« on: January 21, 2020, 04:30:13 am »

Did you already check the machine you are forwarding ports to does not have a local firewall (eg windows would have a windows firewall) that needs them opened on?

364

Hardware and Performance / Re: OPNsense 4x slower than PFSense on same hardware

« on: January 19, 2020, 11:07:55 pm »

Interesting. Good find man

365

General Discussion / Re: OpnSense as VM WAN issue | Please help

« on: January 19, 2020, 05:46:36 am »

I setup a test as per the OP who started the post with a problem. If you are talking about something other than the OP’s original setup then I wouldnt be able to follow that unless you post how you want me to perform the test to generate the issue as per how you have it setup. If you want me to change some settings I would be happy to do so and test again with different settings, it is no problem at all.

-P

366

General Discussion / Re: OpnSense as VM WAN issue | Please help

« on: January 19, 2020, 04:33:00 am »

I just double checked what he said and verified my setup is similar to what was said here:


“installed Opnsene as VM on VirtualBox with 2 NICs (Bridged As WAN, Internal Network As LAN). (attachment: firewall-nics)
LAN (em1) -> v4:192.168.1.1/24
WAN (em0) -> v4/DHCP4: 192.168.3.200/24”

2 nics on host machine - check
Each nic seperately bridged - one nic bridged for lan and other nic bridged for wan to VM guest - check.
Screenshot of guest console is the same - check

He is trying to access firewall from machine hosting VM and had a problem. I test this and do not have the same problem.

“ I am trying to access OPnsene from my computer hosting VM ”

My setup is the same yet issue is not present.

P

367

General Discussion / Re: OpnSense as VM WAN issue | Please help

« on: January 19, 2020, 04:12:35 am »

Actually I set it up as per the screenshot in the OP, so it emulates the OPs description.

368

Hardware and Performance / Re: OPNsense 4x slower than PFSense on same hardware

« on: January 18, 2020, 11:33:52 pm »

Im using unraid and not having an issue. As a test can you give the opnsense vm 2 cpus rather than one to check of its a cpu bottleneck? Otherwise might be not liking the nic drivers. Some people have tried e1000 to fox similar issues on pfsense so not sure if its a similar thing here.

369

General Discussion / Re: OpnSense as VM WAN issue | Please help

« on: January 18, 2020, 10:31:21 pm »

I have just tested this and could not reproduce the issue. I used virtualbox which was what the OP used. I added 2 bridged adapters and made LAN an address on the 193.168.3.x range. I made WAN an address on the 192.168.2.x range. I installed leaving as much default as possible (disable reply to is not checked globally nor in the firewall rule).
I enabled 2 rules on the WAN. ICMP from any to any so I could ping it and check it was up, and a port 80 rule as it was configured for http.

I made sure I could access the web gui on both the lan and the wan ranges from my host machine running the virtualbox vm. I then reconfigured my host machines network ip to only have an IP on the WAN range. I could still access the web gui.

As everything was still working I then added a rule for https and changed the web gui to run over https. Again, everything worked.

As I was unable to recreate the issue, I am thinking something else must be different. Is there anything I might have overlooked? Its mostly an out the box install as I just installed it and didnt change much so not sure where to go from here to get it to be like what happened to you?

P

Edit: forgot to mention I obviously deselected block bogon and private networks on the WAN as my ip ranges I am testing with are private ranges.

370

General Discussion / Re: OpnSense as VM WAN issue | Please help

« on: January 18, 2020, 09:00:45 pm »

Ok will test again on Monday with the interface removed and see that happens

371

General Discussion / Re: OpnSense as VM WAN issue | Please help

« on: January 18, 2020, 08:11:59 pm »

Apologies. As a test did you actually remove the LAN interface so it only had one interface when testing this issue?

372

General Discussion / Re: OpnSense as VM WAN issue | Please help

« on: January 18, 2020, 05:15:19 pm »

No double NAT, client machine and WAN Interface IP are in the same /24 network

How does your OPNsense vm get internet access then if there is no upstream router with a public ip address and (presumably) providing NAT for clients behind it? 192.168.3.x is not a publicly accessible network.

373

General Discussion / Re: OpnSense as VM WAN issue | Please help

« on: January 18, 2020, 04:10:10 pm »

It looks like you are performing double nat on the network in question, so I am thinking what has happened is the request is entering a different interface than it exits when it is fulfilled. This would likely happen with any services sharing the same address range as the wan link, excluding the gateway device set in opnsense. Disabling the global rule would then in effect only be more insecure than a per rule basis that you opted to perform if any of the devices on the WAN range became untrusted or compromised. Since you (probably) have an additional firewall performing nat as the gateway for these devices it is unlikely to be a concern. I would only imagine this global setting to be an issue if you need to communicate with all of the devices on the WAN range regularly with the OPNsense vm which I imagine would not be common. An alternative to not having to set any special rules at all would be to add a second IP address in the lan range to the host running the VM and accessing the webgui over the LAN interface. I have a similar setup at home with double NAT.

P