Very strange firewall problem on WAN interface

Started by vt220, May 15, 2020, 08:58:15 AM

Hi guys,

I have a very strange situation, probably with firewalling, and I'm really stuck.

I wanted to set up an IPsec or WireGuard VPN.
So as usual I open the ports on the WAN interface, for IPsec GRE, 500, 4500 and so on.
Source any to WAN interface and so on.
On the WAN side I use a cable modem configured in bridge mode, native IPv4 is available, OPNsense is getting a public IPv4. Vodafone Germany as the cable provider does not do any firewalling if the modem is in bridge mode (according to various sources). The modem is not in router mode or something like that.

What I've additionally tried:

1. Disabled Bogon and private networks on the WAN interface -> no impact
2. Created a rule for test purposes: allow from any to any on the WAN interface -> no impact
3. Watched the firewall live log output while trying to access from outside. No log entry appears in the firewall, not even a filtered/blocked entry. Just nothing. When I ping the OPNsense from outside I get at least an ICMP block in the firewall log.

So if I assume the OPNsense firewall is not correctly configured, I should at least get an entry in the firewall log when trying to access ports 500 or 4500 from outside. I then scanned ports 500 and 4500 from outside with nmap. nmap reports that the ports are filtered.

So there are only two possible scenarios. Vodafone or their modem is still filtering, so nothing reaches the OPNsense, or there's something wrong with the OPNsense firewall.

Any ideas or hints? I had the same problem when trying to set up WireGuard :(

Vodafone (Unitymedia) is notorious for carrier-grade NAT; you don't get "real" internet, but only some kind of http/https etc.

It's a pain...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hi,

thanks for the reply. So although I get a real IPv4, they are NATting?
I always thought DS-Lite (= carrier-grade NAT?) would give you a non-routable IPv4 address? So as I have a "public" IPv4 address, there should not be a problem, or am I mistaken about something?
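The question above, whether a "public"-looking WAN address rules out upstream NAT, is the kind of check that can be scripted. The following is an added example, not code from the thread or from OPNsense, using only the Python standard library. The range table is constructed for the example (RFC 1918 private space, RFC 6598 shared address space used by carrier-grade NAT and DS-Lite, and a few reserved ranges), and the sample addresses are constructed inputs: the address an outside party reports seeing is assumed to have been obtained separately (for example from a remote host's connection log).

```python
import ipaddress

# Constructed lookup table for this example. The CIDR ranges and their RFC
# references are standard; the labels are this example's own wording.
NON_PUBLIC_IPV4_RANGES = (
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("100.64.0.0/10", "RFC 6598 shared address space (carrier-grade NAT, used by DS-Lite)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("192.0.2.0/24", "documentation (TEST-NET-1)"),
    ("198.51.100.0/24", "documentation (TEST-NET-2)"),
    ("203.0.113.0/24", "documentation (TEST-NET-3)"),
    ("240.0.0.0/4", "reserved"),
)


def classify_wan_address(addr: str) -> str:
    """Label the address held by the WAN interface.

    Returns "public" only if the address falls in none of the
    non-routable or reserved ranges above.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "IPv6 (outside the scope of this check)"
    for cidr, label in NON_PUBLIC_IPV4_RANGES:
        if ip in ipaddress.ip_network(cidr):
            return label
    return "public"


def upstream_nat_suspected(wan_addr: str, externally_seen_addr: str) -> bool:
    """True when an outside party sees a different source address than the
    one configured on the WAN interface, i.e. something rewrites it in between."""
    return ipaddress.ip_address(wan_addr) != ipaddress.ip_address(externally_seen_addr)


def assess(wan_addr: str, externally_seen_addr: str) -> str:
    """Combine both checks into a one-line verdict for the operator."""
    label = classify_wan_address(wan_addr)
    if label != "public":
        return (f"WAN address is {label}; inbound VPN connections cannot "
                f"reach it directly")
    if upstream_nat_suspected(wan_addr, externally_seen_addr):
        return (f"WAN address is public but the outside sees "
                f"{externally_seen_addr}; a NAT sits upstream")
    return ("WAN address is public and matches what the outside sees; "
            "inbound reachability now depends on the firewall")


if __name__ == "__main__":
    # Constructed sample inputs; 8.8.8.8 / 8.8.4.4 are well-known public
    # addresses used here only as stand-ins for a real WAN address.
    for wan, seen in (("100.64.12.34", "8.8.8.8"),
                      ("8.8.8.8", "8.8.4.4"),
                      ("8.8.8.8", "8.8.8.8")):
        print(f"{wan:>14} -> {assess(wan, seen)}")
```

A matching public address is necessary but not sufficient: an ISP can hand the same public address to many customers and translate behind it, which this comparison cannot see. The only thing that settles whether inbound packets ever arrive is a packet capture on the WAN interface itself.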

Quote from: vt220 on May 15, 2020, 08:58:15 AM
So there are only two possible scenarios. Vodafone or their modem is still filtering, so nothing reaches the OPNsense, or there's something wrong with the OPNsense firewall.

Do a packet capture on the OPNsense WAN interface. If you don't see the packets there, it's not an OPNsense issue.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote: The IPv4 address assigned to you exists roughly 50 times over. The VPN server would therefore not know where it has to send its data,

https://community.unitymedia.de/categories/internet/article/einrichtung-eines-vpns
kind regards
chemlud