OPNsense Forum » Archive » 20.7 Legacy Series » Firewall initially allows, then denies, connections between two internal subnets
Topic: Firewall initially allows, then denies, connections between two internal subnets (Read 1462 times)
guest25995 (Guest)
Firewall initially allows, then denies, connections between two internal subnets
« on: October 03, 2020, 03:14:38 pm »
Version:
OPNsense 20.7.3-amd64
FreeBSD 12.1-RELEASE-p7-HBSD
OpenSSL 1.1.1g 21 Apr 2020
I have a setup that consists of two subnets (192.168.35.0/24 and 192.168.36.0/24). A single host is connected to both subnets, and serves as a gateway between them, with routing enabled. I have an opnsense router managing the 192.168.35.0/24 subnet and connected to the internet (with NAT). The intent is for the opnsense router to provide internet access to both subnets, and for all hosts of each subnet to be able to talk to all hosts of the other.
The opnsense router is replacing an old openwrt router for which the hardware will not be supported anymore. The above goals are met by the openwrt router and everything works as expected.
Some of the things I have done to set up the opnsense router:
- Created static IP entries for some hosts, including the gateway between the two subnets
- Added a gateway entry for the host that is also on the 36 subnet
- Added a NAT rule to do NAT for the 36 subnet
- Added a static route for traffic directed to the 36 subnet
- Added a couple of firewall rules to try and ensure that traffic between the 35 and 36 subnets is always passed.
The issue is that connections between the 35 and 36 subnets are initially allowed by the firewall, but then get blocked. I have been beating my head against this issue for many hours and am completely baffled. I am attaching two images; one is of the two floating rules for the firewall that I most recently tried, and the other is the resulting firewall log where my SSH connection from a host on the 35 subnet to one on the 36 subnet quit working after a minute or two. I am able to start the SSH session, but after a few commands on the remote host have been entered it just stops communicating (and the deny entries start showing up).
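Added example, not code from the poster or from the OPNsense project: a small Python script that scans OPNsense filterlog lines for a flow that was first passed and later blocked, which is the pattern the post describes for the SSH session from the 35 subnet to the 36 subnet. The log lines, hostnames, interface names and rule numbers are constructed for illustration, and the comma-separated field order is the pf filterlog layout as assumed here.

```python
import re
from collections import defaultdict

# Syslog prefix ("Mon dd hh:mm:ss host filterlog[pid]: ") followed by the CSV record.
_LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog(?:\[\d+\])?: (?P<rec>.*)$")

# Constructed sample: one SSH flow 35.10 -> 36.20 passed, its reply passed,
# the same flow blocked 100 seconds later, plus an unrelated blocked probe.
SAMPLE_LOG = [
    "Oct  3 15:10:01 opnsense filterlog[41267]: 82,,,0,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.35.10,192.168.36.20,51234,22,0,S,1,,65535,,mss",
    "Oct  3 15:10:01 opnsense filterlog[41267]: 82,,,0,igb1,match,pass,out,4,0x0,,63,0,0,DF,6,tcp,60,192.168.36.20,192.168.35.10,22,51234,0,SA,1,2,65535,,mss",
    "Oct  3 15:11:40 opnsense filterlog[41267]: 5,,,0,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.35.10,192.168.36.20,51234,22,0,A,1,2,501,,",
    "Oct  3 15:11:41 opnsense filterlog[41267]: 5,,,0,igb0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,40,203.0.113.7,192.168.35.1,44010,23,0,S,1,,1024,,",
]

def parse_filterlog(line):
    """Parse one IPv4 filterlog line into a dict, or return None if it is not one.
    Assumed field order: rule,subrule,anchor,tracker,iface,reason,action,dir,
    ipver,tos,ecn,ttl,id,offset,flags,protoid,proto,length,src,dst,sport,dport,..."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    f = m.group("rec").split(",")
    if len(f) < 22 or f[8] != "4":
        return None
    return {"ts": m.group("ts"), "rule": f[0], "iface": f[4], "action": f[6],
            "dir": f[7], "proto": f[16], "src": f[18], "dst": f[19],
            "sport": f[20], "dport": f[21]}

def pass_then_block(lines):
    """Return [(flow, blocking_rule, block_ts)] for every 5-tuple flow that the
    log shows passed first and blocked afterwards, in log order."""
    seen = defaultdict(list)  # flow -> [(action, rule, ts), ...]
    for line in lines:
        rec = parse_filterlog(line)
        if rec:
            flow = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
            seen[flow].append((rec["action"], rec["rule"], rec["ts"]))
    out = []
    for flow, events in seen.items():
        first_pass = next((i for i, e in enumerate(events) if e[0] == "pass"), None)
        if first_pass is None:
            continue
        later_block = next((e for e in events[first_pass + 1:] if e[0] == "block"), None)
        if later_block:
            out.append((flow, later_block[1], later_block[2]))
    return out

if __name__ == "__main__":
    for flow, rule, ts in pass_then_block(SAMPLE_LOG):
        print(f"{ts}: {flow[0]} {flow[1]}:{flow[2]} -> {flow[3]}:{flow[4]} passed earlier, blocked by rule {rule}")
```

Feeding the real /var/log/filter.log from the firewall to pass_then_block() pinpoints which rule number started dropping the session, which is the first thing to check against the floating rules.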
ZPrime (Newbie, Posts: 21, Karma: 4)
Re: Firewall initially allows, then denies, connections between two internal subnets
« Reply #1 on: October 06, 2020, 03:00:24 am »
Could use clarification here - is the OPNsense box the one that is in both 192.168.35.0/24 and .36.0/24?
Or is there some other system involved that's on both .35 and .36, and the OPNsense box is only on .35? If the OPNsense box is not in both subnets, how is the other system ("a single host") configured to be a gateway? Is it doing routing, or bridging?
And are these different subnets in two separate L2 segments (i.e. different VLANs / separate switches), or on one switch?
andreaslink (Jr. Member, Posts: 58, Karma: 4)
Re: Firewall initially allows, then denies, connections between two internal subnets
« Reply #2 on: October 06, 2020, 01:28:29 pm »
Not sure, but I have a comparable issue, though only with IPv6, as I stated very precisely here:
https://forum.opnsense.org/index.php?topic=18923.0
IPv4 does not cause any problems, but with a delegated IPv6 prefix I see the same strange and/or inconsistent behavior within the firewall logs.
I know, not helpful, but I'm still trying to find some relation so I can nail the problem.
Running OPNsense on 4 core Intel Xeon E5506, 20GB RAM, 2x Broadcom NetXtreme II BCM5709, 4x Intel 82580
Ubench Single CPU: 307897 (0.39s)