23.7 Legacy Series / [solved] Access Firewall from WAN-Side blocked (complex setup)
« on: February 14, 2024, 11:23:02 am »
Hi,
I try to get access to the OPNsense GUI on the WAN interface, but the access is blocked. At the moment I'm accessing the OPNsense GUI via a WireGuard connection. I need the access via the WAN interface temporarily because of changes I want to accomplish next time.
OPNSense-Version: 23.7.12_5-amd64
OPNSense GUI HTTP-Port: 444
I have the following setup:
Code:
(Internet)
|
|
[proxmox-ve-host] (public ip)
|
|
[opnsense-virtualmachine] (WAN-IP: 10.10.0.1)
The traffic is redirected to the OPNsense via NAT at the proxmox-ve-host (except packets with DST ports 8006 (= Proxmox VE management web GUI) and 22 (SSH to Proxmox)):
Code:
proxmox # iptables -t nat -L -v -n
...
Chain PREROUTING (policy ACCEPT 17955 packets, 1182K bytes)
pkts bytes target prot opt in out source destination
6931 309K DNAT 6 -- enp0s31f6 * 0.0.0.0/0 0.0.0.0/0 multiport dports !22,8006 to:10.10.0.1
...
Chain POSTROUTING (policy ACCEPT 50314 packets, 3312K bytes)
pkts bytes target prot opt in out source destination
4896 369K MASQUERADE 0 -- * enp0s31f6 10.10.0.0/31 0.0.0.0/0
When I try to access the OPNsense GUI I have the following log entries within the plain filter log:
Code:
15,,,02f4bab031b57d1e30553ce08e0ec131,vtnet0,match,block,in,4,0x0,,53,5567,0,DF,6,tcp,60,151.189.142.234,10.10.0.1,54880,444,0,S,861491563,,64240,,mss;sackOK;TS;nop;wscale
I understand that rule number 15 blocked the access. When I look at the packet filter rule list to examine rule #15:
Code:
pfctl -vvsr | grep '@15' -A1
@15 block drop in log inet all label "abcedf21424..."
[ Evaluations: 85 Packets 91 Bytes 4312 ]
This seems to be the default drop rule at the end.
I have further inserted and applied two other rules via OPNSense GUI at the Firewall / Rules / WAN Page:
- IPv4 / TCP / DST Port 444 allow dst: all (quick match enabled)
- IPv4 / TCP / DST Port 444 allow dst wan-address (quick match enabled)
Screenshot of those two rules:

When I examine the rule list on the OPNSense via pfctl, there's no rule shown with a port 444:
Code:
# pfctl -vvsr >myrules
# grep 444 myrules
(no output)
I checked the logs (system -> general log) after applying the rules. There are no error messages.
Are the two rules really missing?
Why are my rules missing?
What may be the problem here?
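As an added example (not from the original post and not OPNsense code), a small Python script that parses a filter log line in the FreeBSD filterlog CSV format shown above and looks the blocking rule number up in `pfctl -vvsr` output, so a dropped packet can be traced back to the rule that dropped it. The sample data is the post's own log line and pfctl output, embedded as constants; only IPv4 lines with TCP or UDP are handled.

```python
"""Parse an OPNsense filter log line (FreeBSD filterlog CSV) and look up the
matching rule in `pfctl -vvsr` output.  Added example for this thread, not
OPNsense or FreeBSD code; only IPv4 with TCP/UDP layer-4 fields is handled."""

# Common prefix plus IPv4 header fields, in filterlog column order.
IPV4_FIELDS = ("rulenr subrulenr anchor rid interface reason action dir ipversion "
               "tos ecn ttl id offset ipflags protonum protoname length src dst").split()
# Layer-4 columns that follow the IP header fields, per protocol.
L4_FIELDS = {
    "tcp": "srcport dstport datalen tcpflags seq ack window urg options".split(),
    "udp": "srcport dstport datalen".split(),
}

def parse_filterlog(line):
    """Split one filterlog CSV line into a dict keyed by field name."""
    parts = line.strip().split(",")
    if len(parts) < len(IPV4_FIELDS) or parts[8] != "4":
        raise ValueError("only IPv4 filterlog lines are supported here")
    rec = dict(zip(IPV4_FIELDS, parts))
    rest = parts[len(IPV4_FIELDS):]
    for name, value in zip(L4_FIELDS.get(rec["protoname"], []), rest):
        rec[name] = value
    return rec

def find_rule(pfctl_text, rulenr):
    """Return the `@N ...` line from `pfctl -vvsr` output for rule number N, or None."""
    for ln in pfctl_text.splitlines():
        if ln.startswith(f"@{rulenr} "):
            return ln.strip()
    return None

def explain_block(line, pfctl_text):
    """One-line summary: what was blocked, where, and by which pf rule."""
    rec = parse_filterlog(line)
    rule = find_rule(pfctl_text, rec["rulenr"]) or "(rule not found in pfctl output)"
    flow = (f"{rec['protoname']} {rec['src']}:{rec.get('srcport', '?')} -> "
            f"{rec['dst']}:{rec.get('dstport', '?')}")
    return f"{rec['action']} {rec['dir']} on {rec['interface']}: {flow}; matched @{rec['rulenr']}: {rule}"

# Constructed sample input: the log line and the pfctl output quoted in the post.
LOG_LINE = ("15,,,02f4bab031b57d1e30553ce08e0ec131,vtnet0,match,block,in,4,0x0,,53,5567,0,DF,"
            "6,tcp,60,151.189.142.234,10.10.0.1,54880,444,0,S,861491563,,64240,,mss;sackOK;TS;nop;wscale")
PFCTL_TEXT = ('@15 block drop in log inet all label "abcedf21424..."\n'
              "  [ Evaluations: 85 Packets 91 Bytes 4312 ]\n")

if __name__ == "__main__":
    print(explain_block(LOG_LINE, PFCTL_TEXT))
```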