Firewall rules not taking effect

Started by guest26374, November 09, 2020, 11:22:23 PM

I'm new to OPNsense and recently switched over from pfSense. I'm running version 20.7.4-amd64 in a VM on VMware Workstation. I have multiple interfaces: WAN, LAB, DMZ. I have two issues that are somewhat related:

1) I am trying to allow specific hosts to communicate between LAB and DMZ - 10.0.2.5 and 192.168.9.2. When I create a rule it doesn't seem to take effect. Viewing the log file shows that the deny rule is blocking the traffic even though I have an allow rule above it that should allow the traffic. Windows Firewall has been disabled for testing on both boxes.

2) Reset states seems to allow the rules to take effect, and I can do this once after reboot successfully. Any time I try after that I get the error: "Problem loading page: Secure Connection Failed"

Hoping someone can point me in the right direction.

DMZ: 192.168.9.0/24

Firewall: Rules: DMZ
Protocol    Source      Port    Destination    Port    Gateway    Schedule    Description
IPv4 *      10.0.2.5    *       192.168.9.2    *       *          *
IPv4+6 *    *           *       *              *       *          *           Deny All Rule


LAB: 10.0.2.0/24

Firewall: Rules: LAB
Protocol    Source         Port    Destination    Port    Gateway    Schedule    Description
IPv4 *      192.168.9.2    *       10.0.2.5       *       *          *           Allow Traffic from DMZ server to internal server
IPv4+6 *    *              *       *              *       *          *           Deny All Rule

November 10, 2020, 08:33:18 AM #1 Last Edit: November 10, 2020, 08:39:52 AM by Gauss23
Ok, first of all it's hard to understand what your problem is and what your network looks like. You said you're coming from pfSense, so the firewall logic behind the rules should be clear.

To allow traffic from LAB to DMZ you just need one rule: on the LAB interface allowing traffic to the DMZ (or if there is an allow any rule, this would cover this, too).

For the returning traffic you don't need a rule; it's a stateful firewall, so OPNsense is automatically allowing that traffic.

What is this screenshot with the IP 172.16.103? What host is this? Is there some kind of redirect in effect on the destination host? Or do you have any other redirection rules set?

And I'm wondering about the log entries in the live log. Why is there traffic coming in from the DMZ to your LAB? Those should be covered by the request-packet from the LAB host.

Maybe you can create a small graphical network plan for us to understand what your setup looks like. Are all hosts using the OPNsense as a default GW?

Update:
I just see that you have the rules the wrong way:
LAB: 10.0.2.0/24

Firewall: Rules: LAB
Protocol    Source      Port    Destination    Port    Gateway    Schedule    Description
IPv4 *      10.0.2.5    *       192.168.9.2    *       *          *           Allow Traffic from internal LAB server to DMZ server

DMZ: 192.168.9.0/24

Firewall: Rules: DMZ
Protocol    Source         Port    Destination    Port    Gateway    Schedule    Description
IPv4 *      192.168.9.2    *       10.0.2.5       *       *          *           Allow Traffic from DMZ server to internal LAB server

But you only need the DMZ->LAB rule if the DMZ host should be able to start requests towards the LAB host.

Rules apply almost every time to the interface where the packets are coming in from. And on the LAB interface the source can only be the LAB network, and on the DMZ interface the source is the DMZ network.
„The S in IoT stands for Security!" :)

Apologies for not including a diagram - see attached.

I do understand how stateful firewalls work; what you saw was the result of my troubleshooting (grasping at straws). I have now removed all rules from the LAB and DMZ interfaces.

For simplicity I now have a single inbound rule on the DMZ interface that is allow any/any. This should allow me to ping from 10.0.2.5 (LAB) --> 192.168.9.2 (DMZ), unless I am missing something?

In the logs it's still showing that ICMP is being blocked by the default deny rule.

__timestamp__ Nov 10 17:00:41
action [block]
anchorname
dir [in]
dst 192.168.9.2
ecn
id 16391
interface em2
interface_name LAB
ipflags none
label Default deny rule
length 60
offset 0
proto 1
protoname icmp
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
ridentifier 0
rulenr 14
src 10.0.2.5
subrulenr
tos 0x0
ttl 128
version 4

You still think from the wrong side.
If you want a packet to travel from LAB to DMZ you need a rule on the LAB interface.
Read the end of my last post (after Update).
„The S in IoT stands for Security!" :)
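To make the ingress-interface point concrete, here is an added example (not code from the thread or from OPNsense): a small first-match rule evaluator that only consults the rules of the interface a packet arrives on, fed with an excerpt of the live-log entry quoted above. The rule tables are constructed from the two placements discussed in the thread; the label text of the corrected rule is assumed.

```python
# Added example: model OPNsense's "rules apply on the ingress interface" behaviour
# and show why an allow rule on DMZ never matched a ping entering on LAB (em2).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Excerpt of the live-log entry from the thread (only the fields used here).
LOG_EXCERPT = """\
action [block]
dir [in]
dst 192.168.9.2
interface em2
interface_name LAB
label Default deny rule
protoname icmp
src 10.0.2.5
"""

def parse_log(text):
    """Turn 'key value' lines into a dict; bracketed values like '[block]' are unwrapped."""
    entry = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        entry[key] = value.strip("[]")
    return entry

@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # "any" or a host/network in CIDR form
    dst: str
    label: str

def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(rules_by_iface, pkt):
    """First matching rule on the packet's ingress interface wins. No match means the
    implicit default deny, which is exactly the entry the OP saw. Return traffic
    from the DMZ host would be matched by state, not by any rule, so it needs none."""
    for r in rules_by_iface.get(pkt["interface_name"], []):
        if _addr_ok(r.src, pkt["src"]) and _addr_ok(r.dst, pkt["dst"]):
            return r.action, r.label
    return "block", "Default deny rule"

# Placement from the thread: allow any/any on DMZ only, nothing on LAB.
ORIGINAL = {"DMZ": [Rule("pass", "any", "any", "allow any/any")], "LAB": []}
# Corrected placement: the allow rule sits on LAB, where the LAB host's packets enter.
CORRECTED = {"LAB": [Rule("pass", "10.0.2.5/32", "192.168.9.2/32", "Allow LAB server to DMZ server")], "DMZ": []}

if __name__ == "__main__":
    pkt = parse_log(LOG_EXCERPT)
    print("original :", evaluate(ORIGINAL, pkt))   # ('block', 'Default deny rule')
    print("corrected:", evaluate(CORRECTED, pkt))  # ('pass', 'Allow LAB server to DMZ server')
```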

It's working now and you're right, I was thinking about it the wrong way. Thanks for your help!