OPNsense Forum » Archive » 17.7 Legacy Series » FW rule not working with Single host or network
Topic: FW rule not working with Single host or network (Read 6743 times)
Webxorcist
« on: September 18, 2017, 03:02:09 pm »
Hi,
I am fairly new to OPNsense; perhaps I missed other settings.
With HAProxy I made a Frontend that listens to a certain domain. I also made a Back-end with, atm, one web server in it. The idea is to add more web servers when needed.
Then I made a firewall rule in the External_Network. The rule simply says to accept port 80 traffic from any external source going to port 80 on any internal source.
Now when I punch in the domain in my web browser it shows me the website on the internal web server.
Now I want to tighten the rule, so I change it from any external source to an internal single host or network and I enter the IP address of the web server.
Somehow, the rule doesn't work any more now.
I am not sure what extra information to include in this post. What am I missing here?
ChrisH
« Reply #1 on: September 18, 2017, 03:11:14 pm »
If you use HAProxy, the connection from the external ends on the OPNsense box, not the web server. You have to allow traffic to port 80 on the IP that you configured in the HAProxy frontend.
Webxorcist
« Reply #2 on: September 18, 2017, 03:18:22 pm »
That is what I explained. But if the destination is ANY it works and when the destination is the web server IP it stops working.
ChrisH
« Reply #3 on: September 18, 2017, 03:20:36 pm »
Because the destination is not the webserver, but the OPNsense box.
Maybe this picture helps:
https://en.wikipedia.org/wiki/Reverse_proxy
Webxorcist
« Reply #4 on: September 18, 2017, 03:30:51 pm »
Hmm Ok
In the rule I make, I am allowing traffic on port 80 on the external interface. That is the same one in the frontend.
Why is it working when the rule is allowing ANY destination on the internal network and it stops working when I change it to a single host on the destination network? Working as is, showing the webpage on the web server.
ChrisH
« Reply #5 on: September 18, 2017, 03:31:29 pm »
What does the firewall log say?
Webxorcist
« Reply #6 on: September 18, 2017, 03:50:00 pm »
Basically, when destination is ANY the dynamic logs show the source IP (OPNsense internal address) and the web server's (also internal) address and the action was allow.
When the destination is the web host's IP the dynamic log shows the source IP (my workstation with the browser) and the external OPNsense IP and the action was block.
ChrisH
« Reply #7 on: September 18, 2017, 03:52:07 pm »
So add another rule to allow the connection it blocks now.
Webxorcist
« Reply #8 on: September 18, 2017, 04:00:44 pm »
Ok thanks. Now it works.
I was thinking incorrectly. I thought you would open it for only a specific internal host.
So now I opened the port on the external address of the OPNsense box.
So basically it now sends port 80 traffic to all servers in the HAProxy's Backend list?
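An added example, not part of any post in this thread: a simplified Python model of rule matching on the external interface, showing why a rule whose destination is the web server never matches once HAProxy terminates the connection on the firewall. The addresses, the interface names and the "any matching pass rule, otherwise default deny" model are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (documentation / private ranges), not from the thread.
CLIENT = "198.51.100.25"     # browser on the Internet
WAN_IP = "203.0.113.10"      # OPNsense external address; HAProxy frontend listens here
LAN_IP = "192.168.1.1"       # OPNsense internal address
WEB_SERVER = "192.168.1.50"  # HAProxy backend server

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: str
    dst: str    # "any", a single host, or a CIDR network
    dport: int

    def matches(self, pkt: Packet) -> bool:
        if (self.iface, self.dport) != (pkt.iface, pkt.dport):
            return False
        if self.dst == "any":
            return True
        return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)

def inbound_action(rules, pkt):
    """Simplified model: any matching pass rule allows, otherwise default deny."""
    return "pass" if any(r.matches(pkt) for r in rules) else "block"

# Leg 1: the only packet the external rules ever see (client -> firewall itself).
wan_leg = Packet("wan", CLIENT, WAN_IP, 80)
# Leg 2: HAProxy's own, separate connection from the firewall to the backend.
proxy_leg = Packet("lan", LAN_IP, WEB_SERVER, 80)

def evaluate():
    candidates = {
        "dst any": Rule("wan", "any", 80),
        "dst web server": Rule("wan", WEB_SERVER, 80),
        "dst WAN address": Rule("wan", WAN_IP, 80),
    }
    return {name: inbound_action([rule], wan_leg) for name, rule in candidates.items()}

if __name__ == "__main__":
    for name, action in evaluate().items():
        print(f"{name:16} -> {action}")
```

The narrowest rule that still works is the one whose destination is the frontend's listen address; which backend servers receive the traffic is decided by the HAProxy backend configuration, not by the firewall rule.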