Topic: What firewall rule blocks my traffic (Read 1864 times)
zyx360 (Newbie, Posts: 3, Karma: 0)
What firewall rule blocks my traffic « on: June 08, 2022, 02:32:36 pm »
Hi there,
I have a strange issue to troubleshoot.
I have a setup that looks like this:
Provider-Router (wan: x.x.x.x, lan: 192.168.111.1/24) -> Opnsense (wan: 192.168.111.2/24, lan: 192.168.112.0/24)
I know this setup is not ideal but it is something I have to deal with for now.
Some of my clients are connected on the provider-router's wifi and receive a DHCP IP from the 111.0/24 subnet.
I want these clients to be able to connect to the OPNsense management interface on the WAN address.
To make this possible I:
- Disabled the block bogon networks setting
- Disabled the block private networks setting
- Created an allow rule on the WAN interface that allows 80/443
I am however still unable to access the management interface.
I was hoping that I was able to monitor what's being blocked by navigating to:
Firewall > Log files > Live view
But for whatever reason I don't see the traffic being blocked there.
I know for a fact that something on OPNsense is blocking my traffic since a "pfctl -d" through the command line magically makes things work as expected.
Can anyone point me in the right direction how I can monitor what's actually dropping my request?
Thanks!
Z
zyx360 (Newbie, Posts: 3, Karma: 0)
Re: What firewall rule blocks my traffic « Reply #1 on: June 08, 2022, 03:29:17 pm »
After some more investigation I found the firewall logs did not show entries because the traffic was actually allowed.
I've tried connecting with curl from a machine in the 111.0/24 network; this throws a cryptic error.
[root@controller ~]# curl -vvvv https://192.168.111.2
* Rebuilt URL to: https://192.168.111.2/
* Trying 192.168.111.2...
* TCP_NODELAY set
* Connected to 192.168.111.2 (192.168.111.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.111.2:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.111.2:443
axsdenied (Full Member, Posts: 199, Karma: 9)
Re: What firewall rule blocks my traffic « Reply #2 on: June 08, 2022, 09:47:16 pm »
You mind sharing a screenshot of your WAN rule set, including the section with the description "Automatically generated rules" where you have to select to drop down the full list of rules?
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Re: What firewall rule blocks my traffic « Reply #3 on: June 09, 2022, 12:15:22 am »
Doesn't seem to be a firewall rule as you have found. There is no server hello after client hello and I suggest to drill into "CApath: none".
Where it doesn't work from, is it over a terminal too via commands, or web browsers? Something to do with the certs seems off.
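An added example, not code from any poster in this thread: a Python probe that reports whether a connection stops at the TCP stage or during the TLS handshake, the distinction the curl output in reply #1 shows (port 443 connects, then the handshake fails after Client Hello). The function names and result strings are made up for this example, and `start_dropping_listener` is a constructed local stand-in so the block runs offline.

```python
import socket
import ssl
import threading

def probe(host, port, timeout=3.0):
    """Report the stage at which an HTTPS connection to host:port stops."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout"      # SYN got no answer: consistent with a silent drop
    except ConnectionRefusedError:
        return "tcp_refused"      # RST on connect: no listener, or a reject rule
    except OSError:
        return "tcp_unreachable"  # no route to host, interface down, etc.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False    # target is a bare IP; the chain is still verified
    try:
        tls = ctx.wrap_socket(raw)   # sends Client Hello, waits for the server side
    except ssl.SSLCertVerificationError:
        return "tls_cert_untrusted"  # server answered; only certificate trust failed
    except socket.timeout:
        return "tls_timeout"         # TCP is up but no handshake reply arrived
    except OSError:
        return "tls_aborted"         # reset or EOF after Client Hello, as in the curl trace
    finally:
        raw.close()                  # no-op once wrap_socket has taken over the fd
    tls.close()
    return "tls_ok"

def start_dropping_listener():
    """Constructed stand-in: accepts TCP on 127.0.0.1, then closes without any TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()                 # drop the client before any Server Hello
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # Against the setup in this thread the call would be probe("192.168.111.2", 443),
    # run from a client in 192.168.111.0/24.
    print(probe("127.0.0.1", start_dropping_listener()))
```

A `tcp_*` result points at packet filtering or a missing listener, while any `tls_*` result means the packets were passed and the failure lies with the service or the TLS exchange.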