Basic rule; help allowing blocked traffic WAN to LAN device

Started by terry356, February 08, 2025, 07:53:49 PM

Hello, I have recently moved to OPNsense from Untangle on a Protectli.

I have the basic functions in OPNsense working: LAN devices get the proper DHCP IP, and access to the web through WAN is 100% functional. No issues there.

A company I do work for provided me a Meraki MX68 so I can reach their secure network. I don't remember doing anything under Untangle's configuration when I set it up years ago, but the Meraki has always worked behind the Untangle firewall.

I created a DHCP reservation for the Meraki, and I've tried to create an alias from some other examples as well, but I can't seem to figure out how to build a proper rule so the Meraki can receive whatever it needs from the WAN port unblocked.

Their IT group who provided the Meraki told me all I need is a port forward for UDP 1900 to be forwarded through the firewall to the Meraki (192.168.1.175). That's in place, but it seems like there is more to this. When I look at the live view of the log I see a lot of "Default deny / state violation rule" events; I expect that's the traffic trying to come back to the Meraki so it can function.

Is there a safe way to allow the Meraki to have two-way unblocked traffic through the WAN port? Like a DMZ just for this one internal IP'd device? I'm sure there is a rule to do this correctly, but I'm not making any progress with what I can find online, and am likely overcomplicating this.

Any recommendations for resources, or some advice on what I should be looking for online as far as examples or similar configurations, would be appreciated. Any rules I've created trying this I've removed; I was likely headed in the wrong direction anyway.

Greatly appreciate any help.
Thanks,
Terry

SSDP (UDP port 1900) is bad enough.

FWIW, I didn't even know what that device was until I read your post (so take my reply with a grain of salt).

That's a VPN solution and your box should be initiating all communication (IOW, I'm not sure why SSDP is necessary. It would help if you still had your Untangle config to know if you had that port forward configured).
Did you have the same subnet locally with Untangle?
How about routing information, so your local devices know to go through the MX68 to access corp resources?

Do you have access to the MX68 configuration?

Yeah, this doesn't sound right at all. SSDP can be used by UPnP for automatic port forwarding, but it wouldn't usually involve forwarding port 1900; that doesn't make any sense at all. If this is a remote-access hardware VPN client, I (too) would expect that it should just need outbound internet access.

Re: UPnP... I found some Cisco doc from 2020/21 that notes the Meraki MX68 did not support UPnP, so I must have set something else to enable it to work.

I did find a thread in the Netgate forums that had some good information related to the Meraki behind pfSense that I have not been able to find in other parts of the web related to OPNsense, but of everything in there, someone referenced resetting the state table... I did that and everything started working! I expect all my bumbling with turning rules on/off, making changes with 1:1 NAT etc. made a mess of the state table.

This is the thread for reference, if someone else has one of these things in the future. I wish I had found it a week ago.

https://forum.netgate.com/topic/151649/pfsense-and-meraki-z3/8

Once it was working I removed all the related stuff I had added in there until I was able to break it.

It seems I need to have 3 things set:

- The alias for the device with static DHCP assignment.
- A WAN rule for any source, any port, with the Meraki alias as the destination.
- 1:1 NAT on the WAN interface, type BINAT, external network (my ISP-assigned IP), with source of single host from the LAN (Meraki) 192.168.1.175, destination any, and NAT reflection enabled.

I've removed the port forwarding that IT recommended as well. I assume my rule and 1:1 NAT basically exposed the Meraki directly to the web.

Still learning here and would like to understand this better. Would greatly appreciate any feedback on whether this is the correct way to do this (I have no doubt it's not). I don't fully understand the 1:1 NAT; even my WAN rule seems too wide open to me. It is working for now at least.

Thanks

The reservation for the device is fine.

Is that WAN rule ever firing, with a destination that's an RFC 1918 IP?
You can hit the inspect button on WAN to see if a state exists for that rule. No state implies the rule is useless.

That 1:1 NAT seems like a workaround, and a dangerous one at that.
That (long) thread indicates that all that might be required are some outbound NAT rules (after setting up hybrid mode). That would be harmless.

It seems that static port might be the key here. Apparently the Meraki stuff cares about the source ports. Using 1:1 NAT probably (I've not confirmed) doesn't rewrite source ports, so that explains why it's "working", but it's really not the right thing to do. It seems to me that one outbound NAT rule, with source as the Meraki's LAN IP address, destination "any", and "Static Port" checked, might be sufficient...

Agreed. A bit more research yesterday indicated that 500 (IKE/ISAKMP) and 4500 (IPsec NAT traversal) were important.
There's a default NAT outbound rule for 500. Adding a similar one for 4500 should be pretty easy.

If that's not sufficient (alternate ports configured?), the thread suggested looking at the states/sessions associated with the Meraki IP and using the ports located that way instead. I kind of read between the lines, but that seems reasonable.
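As an added illustration (not from this thread, and not the rules OPNsense generates from its GUI), here are the two configurations discussed above written out in pf.conf syntax, the rule language of the FreeBSD pf backend OPNsense runs on. The interface name em0, the WAN address 203.0.113.10 and the UDP 4500 scoping are assumed placeholders; 192.168.1.175 is the Meraki address from the thread. It shows why the BINAT plus pass-any WAN rule in the "3 things" post amounts to a DMZ for the device, and how the later suggestion (outbound NAT with static port) keeps the source ports IPsec cares about without opening anything inbound.

```pf
# Added illustration in pf.conf syntax; not the thread's or OPNsense's own rules.
# Assumed placeholders: WAN interface em0, ISP-assigned WAN address 203.0.113.10.
wan_if = "em0"
wan_ip = "203.0.113.10"
meraki = "192.168.1.175"   # the MX68's reserved LAN address from the thread

# ---- Approach 1: what the original poster ended up with (works, but over-exposes) ----
# BINAT is bidirectional: outbound packets from the Meraki keep their source ports,
# AND any unsolicited packet arriving at $wan_ip is translated to the Meraki...
binat on $wan_if from $meraki to any -> $wan_ip
# ...and this WAN rule then lets all of it through, so the MX68 is reachable from
# the internet on every port. Any state-creating packet from outside matches here.
pass in quick on $wan_if from any to $meraki keep state

# ---- Approach 2: the minimal fix suggested later in the thread ----
# Plain outbound NAT with static-port: the Meraki's source ports (UDP 500 for IKE,
# UDP 4500 for NAT-T) are preserved when the source address is rewritten to the WAN
# address. No inbound rule is needed: replies match the state the Meraki's own
# outbound packet created, and everything else still hits the default deny.
nat on $wan_if from $meraki to any -> ($wan_if) static-port

# The narrower form, mirroring "a default rule for 500, add a similar one for 4500":
# nat on $wan_if proto udp from $meraki to any port 500  -> ($wan_if) static-port
# nat on $wan_if proto udp from $meraki to any port 4500 -> ($wan_if) static-port

# pf translates before filtering, so an outbound filter rule on $wan_if sees the
# post-NAT source address, not 192.168.1.175.
pass out quick on $wan_if from ($wan_if) to any keep state
```

The practical check from the replies above still applies: after switching to approach 2, the state table (Firewall > Diagnostics in the GUI, or `pfctl -ss` on the shell) should show only states created by 192.168.1.175's outbound UDP 500/4500 traffic, and the WAN "pass in" rule can be removed because nothing should ever match it.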