Are OpnSense fw rules being hit and how to tell
fsebera, June 23, 2021, 07:15:47 pm:
We have a Core OpnSense firewall installed in Azure at the hub with several vNET Peering spokes – each in different subscriptions.
The Core OpnSense firewall LAN (inside) interface is the gateway for all vNet Peering spokes. Each vNet peering spoke subscription uses 0.0.0.0/0 with next hop of the Core OpnSense firewall LAN (inside) interface.
The Core OpnSense firewall has a default gateway 0.0.0.0/0 with next hop out the LAN interface and NOT through the WAN interface.
There are firewall rules configured on this firewall and I think they are NOT in use. When I capture packets on the WAN interface, it appears most of the traffic is to the WAN interface IP and not through the firewall to some destination. This is a production environment and I cannot tinker around to determine what is functional and what is just mis-configuration. Is there a way to show which firewall rules are being hit (traffic is allowed or denied) and which are not?
Thank you
Frank
franco (Administrator), Reply #1, June 23, 2021, 07:43:43 pm:
Hi Frank,
You can use the "Inspect" button in the upper-right corner of the rules page to see the statistics of each rule.
Cheers,
Franco
fsebera, Reply #2, June 23, 2021, 08:53:50 pm:
Ahh THANK YOU
On the WAN (outside) interface, the last rule in the list is a deny rule and has hits; all other rules above it are 0 (no hits).
The firewall rules on the LAN interface have many thousands of hits. Is it possible that packets hitting the LAN (inside) interface are being processed by the LAN interface firewall rules even though the packets are hair-pinning back out the same LAN interface?
Thanks
Frank
fsebera, Reply #3, June 24, 2021, 01:57:58 pm:
Ok so I think I have this worked out:
CORRECTIONS PLEASE
Sequence of events:
A host sends a packet to its gateway. The host gateway is the IP address of the fw LAN interface. The fw runs the packet through the configured INBOUND rules looking for a match (allow or deny) - in this case a fw rule allows this packet.
The fw then performs a route lookup to determine the destination of this packet. The fw looks in its routing table to determine if a route to the destination (specific route or default - 0.0.0.0/0) is configured and available. If a route to this packet's destination is available, the fw forwards the packet out the interface associated with the route's next hop. In this case, the destination is out the fw LAN interface.
The fw then runs this packet through the LAN interface OUTBOUND configured rules. If a fw rule allows the packet, the packet is forwarded out the LAN interface and on to the next hop.
This is normally called hairpinning - in and out the same interface.
Hope this helps someone as I had fun figuring it out.
Frank
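As an added example that is not part of the thread and not OPNsense's own code: the per-rule numbers the Inspect button shows are the counters pf itself keeps for every filter rule (evaluations, packets, bytes, states), and on the firewall's shell `pfctl -vsr` prints them on the line after each rule. The script below parses that output, lists rules that have never matched a packet (the situation Frank saw on his WAN rules in Reply #2), and totals matched packets per interface and direction, which makes the hair-pin from Reply #3 visible as both the "in" and the "out" rules on the same LAN interface being hit. The interface names (vtnet0, vtnet1), rule labels and counter values are constructed sample data; pass a file of real `pfctl -vsr` output as the first argument to run it against a live box.

```shell
#!/bin/sh
# Added example (not from the thread, not OPNsense code): summarise the
# per-rule counters pf keeps, which is what the OPNsense "Inspect" button
# displays.  On a live firewall:  pfctl -vsr > /tmp/rules.txt && sh rule_hits.sh /tmp/rules.txt
# Without an argument it runs on the constructed sample below so it works
# offline.  Interface names, labels and counter values are made up.

SAMPLE_PFCTL='pass in quick on vtnet0 inet proto tcp from 203.0.113.10 to any port = https flags S/SA keep state label "WAN allow mgmt"
  [ Evaluations: 18822     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4711 State Creations: 0     ]
block drop in log quick on vtnet0 inet all label "WAN default deny"
  [ Evaluations: 18822     Packets: 18822     Bytes: 1201408     States: 0     ]
  [ Inserted: uid 0 pid 4711 State Creations: 0     ]
pass in quick on vtnet1 inet from 10.1.0.0/16 to 10.2.0.0/16 flags S/SA keep state label "LAN in spoke-a to spoke-b"
  [ Evaluations: 450213    Packets: 98311     Bytes: 74114029    States: 12    ]
  [ Inserted: uid 0 pid 4711 State Creations: 3102  ]
pass out quick on vtnet1 inet from 10.1.0.0/16 to 10.2.0.0/16 flags S/SA keep state label "LAN out hairpin"
  [ Evaluations: 98311     Packets: 98311     Bytes: 74114029    States: 12    ]
  [ Inserted: uid 0 pid 4711 State Creations: 3102  ]'

# Reduce pfctl -vsr output (stdin) to one TAB-separated line per rule:
# action, direction, interface, evaluations, packets, label.
rule_hits() {
    awk '
    /^(pass|block|match)/ {
        # Rule line: remember action, direction, interface and label.
        # In pf syntax the direction and "on <if>" come before the label,
        # so the first "in"/"out"/"on" token is the right one.
        action = $1; dir = ""; ifc = ""; label = ""
        for (i = 2; i <= NF; i++) {
            if (dir == "" && ($i == "in" || $i == "out")) dir = $i
            if (ifc == "" && $i == "on") ifc = $(i + 1)
        }
        if (match($0, /label "[^"]*"/))
            label = substr($0, RSTART + 7, RLENGTH - 8)
        next
    }
    /Evaluations:/ {
        # Counter line that follows each rule; the "Inserted:" line is ignored.
        for (i = 1; i <= NF; i++) {
            if ($i == "Evaluations:") ev = $(i + 1)
            if ($i == "Packets:")     pk = $(i + 1)
        }
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", action, dir, ifc, ev, pk, label
    }'
}

# Labels of rules that have matched no packet since the ruleset was loaded.
unused_rules() {
    rule_hits | awk -F '\t' '$5 == 0 { print ($6 != "" ? $6 : $1 " " $2 " on " $3) }'
}

# Matched packets per interface and direction: a hair-pinned flow shows up
# both under "in" and under "out" on the same interface.
hits_by_direction() {
    rule_hits | awk -F '\t' '{ sum[$3 " " $2] += $5 }
                           END { for (k in sum) print k, sum[k] }' | sort
}

# Human-readable table of all rules and their counters.
report() {
    rule_hits | awk -F '\t' '
    BEGIN { printf "%-6s %-4s %-7s %10s %10s  %s\n", "ACTION", "DIR", "IFACE", "EVALS", "PACKETS", "LABEL" }
          { printf "%-6s %-4s %-7s %10s %10s  %s\n", $1, $2, $3, $4, $5, $6 }'
}

if [ $# -gt 0 ]; then input=$(cat "$1"); else input=$SAMPLE_PFCTL; fi

printf '%s\n' "$input" | report
printf '\nPackets matched per interface and direction:\n'
printf '%s\n' "$input" | hits_by_direction
printf '\nRules with zero packet hits since the last ruleset load:\n'
printf '%s\n' "$input" | unused_rules
```

Two caveats when reading these numbers, whether from Inspect or from pfctl: the counters start from zero whenever the ruleset is reloaded, so "zero hits" only means "no match since the last filter reload"; and with stateful rules (keep state, the OPNsense default) only the first packet of a flow is evaluated against the rules, while the rest of the flow is matched by the state table, so the packet count on a pass rule is a count of new connections rather than of traffic volume. A WAN ruleset where every pass rule sits at zero and only the final deny is counting therefore means that nothing arriving on WAN has matched an allow rule, which is what Frank observed and is exactly what one wants to see on an interface that should not be accepting inbound traffic.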