OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 22.1 Legacy Series »
  • "default deny rule", the nightmare.
« previous next »
  • Print
Pages: 1 [2]

Author Topic: "default deny rule", the nightmare.  (Read 9643 times)

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17660
  • Karma: 1611
    • View Profile
Re: "default deny rule", the nightmare.
« Reply #15 on: February 20, 2022, 05:31:29 pm »
That change should make no difference here. It relates to traffic inbound to loopback address.


Cheers,
Franco
Logged

Anyel

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
Re: "default deny rule", the nightmare.
« Reply #16 on: March 04, 2022, 11:08:43 pm »
After upgrading to 22.1.2_1. same problem.
Logged

Vilhonator

  • Full Member
  • ***
  • Posts: 245
  • Karma: 13
    • View Profile
Re: "default deny rule", the nightmare.
« Reply #17 on: March 05, 2022, 08:46:59 am »
Check the order of your firewall rules on each network. By default, rules are followed from top to bottom, so if you have blocked some network gaining access to any hosts on network where your alias hosts lie, you have to move rule allowing the access above the block rule.

If you are trying to get HTTPS work, then go to Firewall ---> NAT, create new rule, interface is the interface of a network to which alias host belongs to, direction is out, source is "XXX net" destination is alias destination port is http, redirect to is your alias and redirect port is https, also set "NAT reflection" to enable, then apply and save changes.

After that you go to Rules ---> select your network where your alias is and make sure the port forwarding rule is there and move it above to any rules that might block the connection

Only point where you need to use firewall rules to allow connections between internal networks, is when network in question don't have "allow all" default rules and / or block rules between eachother.

Oh, and obviously make sure server you are trying to connect to is listening HTTPS port and also it's firewall isn't blocking https <---- has been reason why my servers haven't worked as they should quite a few times ^^
« Last Edit: March 05, 2022, 08:51:17 am by Vilhonator »
Logged

Anyel

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
Re: "default deny rule", the nightmare.
« Reply #18 on: March 05, 2022, 09:25:33 pm »
@Fright - Network is very simple.

It is a cloud/kvm environment. There is a mandatory gateway (layer 3), 10.0.0.1, with a NAT for 10.0.0.2 (OPNSENSE). In the environment, there is a route for all destinations to go through 10.0.0.2 (0.0.0.0/0 via 10.0.0.2). DHCP is done by 10.0.0.1 and it is not possible to change that, to get to 10.0.0.2 it is necessary to go through 10.0.0.1, also not possible to change. Everything worked fine for a long time.


Got it, @Vilhonator, and there's already been tested evertything in NAT. It doesn't change anything at all, I spent a couple of hours testing again it now, nothing. What really makes it work is change state tracking to none. Nothing else worked.
Logged
  • Print
Pages: 1 [2]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 22.1 Legacy Series »
  • "default deny rule", the nightmare.
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2