Author Topic: OPNSense WAN Shows All Ports Open (Read 2250 times)

Freebee5687 · « **on:** November 02, 2023, 07:36:50 pm »

Hi again!

Working on moving my backup pfSense x86 box to OPNSense.

I worked on configuring the OPNSense box; WAN is on igc0 and my three internal VLANs are attached to igc1.

I configured my NAT Port Forwards to match my current pfSense Port Forwards and configured my rules to be the same as my pfSense box.

I even added an extra BLOCK ALL INBOUND rule at the end to be safe.

I toggled Relfection for port forwards to be checked as it was required on the pfSense box when I set it up 4 years ago.

Power it up next to my pfSense box and then moved the network connections to OPNsense and tested it.

The WAN was properly registered with my external IP and I had internet access from my LAN VLAN.

Tested via Steve Gibson's ShieldsUp! site (https://www.grc.com/shieldsup) . All 1024 Service ports were listed as open. Needless to say the box was removed from the network.

I can confirm DISABLE FIREWALL is unchecked. :-)

I thought I understood this ... :-(

What did I miss / do wrong?

Appreciate the help!

Scott

Can provide screenshots of the Interfaces or Firewall Advance Settings pages if necessary separately

meyergru · « **Reply #1 on:** November 02, 2023, 10:16:58 pm »

I severly doubt that all ports were open. Even if your firewall lets them through, somebody would have to listen and answer on all ports which is highly unlikely.

I just tested my own firewall, first with common ports (showing the ones I expected as open) and then the first 1056 ports. To my surprise, all of them were closed (i.e. the showed up as green, not meaning that they are open, but green meaning OK = closed). This was because crowdsec noticed the port scan and banned the source IP for 4 hours.

Patrick M. Hausen · « **Reply #2 on:** November 02, 2023, 10:22:14 pm »

What does a report of "open" by a port scanner even mean? Frequently it means the tool did not receive an ICMP "port unreachable" message. Which firewalls routinely suppress on the "outside".

Freebee5687 · « **Reply #3 on:** November 02, 2023, 10:26:54 pm »

My pfSense box reports all ports as stealth (did not provide a response) with the same test. I was expecting the same behavior from this box. It’s at least enough of a warning to give me pause.

It is “open” red, “closed” blue and “stealth” no response in green

Patrick M. Hausen · « **Reply #4 on:** November 02, 2023, 10:32:48 pm »

So what exactly does "open" mean according to the (supposedly existing) documentation of the scanner you are using?

Freebee5687 · « **Reply #5 on:** November 03, 2023, 12:00:16 am »

Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.”

The way I read it, green / stealth means the firewall never responds (blocked based on what I understand). Blue means it responds that it’s closed (reject?) and red means it responds as open (pass).

My interpretation may be all wrong of course.

Appreciate the insight!

meyergru · « **Reply #6 on:** November 03, 2023, 12:48:00 am »

I still cannot imagine how every single port can appear to be open. If I were you, I would test some ports that you forwarded and some that you did not from the outside myself, preferably ones you know are open on your OpnSense. If you lack that possibility, try different services like this.

You are not on a connection with CG/NAT by any chance? I.e.: Did you verify that your port forwarding worked?

Freebee5687 · « **Reply #7 on:** November 03, 2023, 01:34:54 am »

I can certainly try this. My fundamental question / concern is … with pfSense all ports report Stealth and OPNsense reports them all open. Both boxes running. Test pfSense .. Stealth .. move cables … all ports open … move cables back … Stealth.

Was obviously afraid to hang a firewall that was reporting open on the web for too long.

I honestly don’t know if I am behind CG-NAT.

Maybe I need to wipe it, connect, check the status and then start building it back up piece by piece. :-)

Scott

Freebee5687 · « **Reply #8 on:** November 03, 2023, 03:56:50 am »

@meyergru I scanned my pfSense box via the network vulnerability scanner (light) and it says my host is down (which would seem to agree with the ShieldsUp! Stealth assessment). It decidedly is not. Will need to find a time to cut the OPNsense box in when the wife isn’t surfing the web. :-)

I do not have anything like Crowdsec on my pfSense box.

Author Topic: OPNSense WAN Shows All Ports Open (Read 2250 times)

Freebee5687

OPNSense WAN Shows All Ports Open

meyergru

Re: OPNSense WAN Shows All Ports Open

Patrick M. Hausen

Re: OPNSense WAN Shows All Ports Open

Freebee5687

Re: OPNSense WAN Shows All Ports Open

Patrick M. Hausen

Re: OPNSense WAN Shows All Ports Open

Freebee5687

Re: OPNSense WAN Shows All Ports Open

meyergru

Re: OPNSense WAN Shows All Ports Open

Freebee5687

Re: OPNSense WAN Shows All Ports Open

Freebee5687

Re: OPNSense WAN Shows All Ports Open