Inbound permit on WAN not working when on same network

Started by Patrick M. Hausen, October 19, 2023, 07:58:33 PM

Hi all,

now I've been hacking OPNsense for quite a while and I thought I understood the product quite well, but I must be missing something.

WAN
From: any
To: WAN address
Destination Port: 22

Does not work if the PC I use to access the firewall is connected to the WAN network - a regular /24, firewall getting its address and other configuration via DHCP. Access from *remote* outside the WAN network works!

What's going on?

Thanks,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Set reply-to to disable. Popular trap for young (and veteran) players. ;)

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

That alone still does not help.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I feel a bit silly asking you the obvious questions... ;)
Is the WAN network RFC1918? If yes, "Block private networks" is disabled?

Where does it fail? Inbound packets get blocked?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Interfaces - WAN - uncheck Block Private Networks ?

Quote from: newsense on October 19, 2023, 08:29:17 PM
Interfaces - WAN - uncheck Block Private Networks ?
Possibly I'm an idiot - will check after my current bhyve users video call.  ;) Thanks!
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Still no banana ...

I disabled reply-to and "force local services to use the assigned gateway" in Firewall > Settings > Advanced and "block private addresses" on the WAN interface. I also disabled the default anti lock-out rule, because I prefer explicit rules. That should still work, right?

My firewall is 192.168.1.15 on WAN and my Mac 192.168.1.162 - after `pfctl -d` on the console I can connect and tweak things, as soon as I apply firewall rule changes or manually `pfctl -e` I am locked out again.

Here are the current rules - WAN is ix1:
$ cat rules.txt
scrub on ix0 all fragment reassemble
scrub on ix1 all fragment reassemble
block drop in log on ! ix0 inet from 192.168.6.0/24 to any
block drop in log inet from 192.168.6.1 to any
block drop in log on ! ix1 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.15 to any
block drop in log on ix1 inet6 from fe80::3eec:efff:fe00:5433 to any
block drop in log inet all label "ecd3a310894625657c6591b80daa956a"
block drop in log inet6 all label "ecd3a310894625657c6591b80daa956a"
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "d48c044e752b748fd490586fd860174a"
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "d48c044e752b748fd490586fd860174a"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "d48c044e752b748fd490586fd860174a"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "d48c044e752b748fd490586fd860174a"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "83803d04942547f2580789b2717ffd94"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "83803d04942547f2580789b2717ffd94"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "83803d04942547f2580789b2717ffd94"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "83803d04942547f2580789b2717ffd94"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "83803d04942547f2580789b2717ffd94"
block drop in log quick inet proto tcp from any port = 0 to any label "ed7ef708f73b994b3c4cf9950250b207"
block drop in log quick inet proto udp from any port = 0 to any label "ed7ef708f73b994b3c4cf9950250b207"
block drop in log quick inet6 proto tcp from any port = 0 to any label "ed7ef708f73b994b3c4cf9950250b207"
block drop in log quick inet6 proto udp from any port = 0 to any label "ed7ef708f73b994b3c4cf9950250b207"
block drop in log quick inet proto tcp from any to any port = 0 label "53cfff739f3e1e6611f859d04d6ab7d9"
block drop in log quick inet proto udp from any to any port = 0 label "53cfff739f3e1e6611f859d04d6ab7d9"
block drop in log quick inet6 proto tcp from any to any port = 0 label "53cfff739f3e1e6611f859d04d6ab7d9"
block drop in log quick inet6 proto udp from any to any port = 0 label "53cfff739f3e1e6611f859d04d6ab7d9"
pass log quick inet6 proto carp from any to ff02::12 keep state label "e87d088409bb245daacc65e79879e444"
pass log quick inet proto carp from any to 224.0.0.18 keep state label "6f961877d17b693d638b0bcac18e888c"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "7f677186b656aba15284e68ad3b299b5"
block drop in log quick proto tcp from <sshlockout> to (self) port = https label "f93d000e206ee62182eadb30608a0242"
block drop in log quick from <virusprot> to any label "8633cbd455dae5aa32e1dd4fbdf7521e"
pass in log quick on ix0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "d05a2aec01ebd7397c01031b625c2110"
pass in log quick on ix0 proto udp from any port = bootpc to (self) port = bootps keep state label "46061a043e5d9a3ea45c88e3a2ab898e"
pass out log quick on ix0 proto udp from (self) port = bootps to any port = bootpc keep state label "4ed554accad6221130c3cea68ebcb84e"
block drop in log quick on ix1 inet from <bogons> to any label "9feb1ff22602ce7fa249ca38a748a8d6"
block drop in log quick on ix1 inet6 from <bogonsv6> to any label "730b04035be750d29de5c32523480cf5"
pass in quick on lo0 all no state label "edf9ee5a7850bb473d6524034fd3a946"
pass out log all flags S/SA keep state allow-opts label "1232f88e5fac29a32501e3f051020cac"
pass in quick inet proto icmp all icmp-type echoreq keep state label "378df093835c57bf0aee5667d5b015cb"
pass in quick inet6 proto ipv6-icmp all icmp6-type echoreq keep state label "fa97fa36c035bc80096f8bdbd0c76174"
pass in quick on ix1 inet proto tcp from any to (ix1) port = ssh flags S/SA keep state label "267b27f26828b478f2347df6c585e3e7"
pass in quick on ix1 inet proto tcp from any to (ix1) port = https flags S/SA keep state label "267b27f26828b478f2347df6c585e3e7"
pass in quick on ix0 inet all flags S/SA keep state label "18e7a1e302646cc2b1bc8f86917e8942"
pass in quick on ix0 inet6 all flags S/SA keep state label "ac07e525edec46c80498203084301d05"
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Someone has taken over Patrick's account :)
p.s. on a more serious note, I'd like your advice on a post I'm about to make, regarding VLAN tags.
You'll crack this one soon. Some setting you forgot somewhere.

Essentially I want to set up a small lab scenario with an OPNsense virtualised on TrueNAS CORE and TrueNAS using that OPNsense ... possibly I should just hook up my Mac to LAN and work from there ...  ;)

This little box here is doing fantastic, BTW.

4 core Atom 3558, 16 GB of ECC memory, 2 SATA DOMs for the boot pool, 2 1TB SSDs for storage. 4 Gbit interfaces, two of which are passed via PCIe into the OPNsense VM so firewall is really separated from everything else.

Yeah, I guess I'll just rewire because the use case will be TN and my laptop and possibly more systems all on LAN and WAN hooked up to some public network.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ah, it's "This Firewall", not "WAN address".

I prefer to disable reply-to on the exception rule rather than globally.

The RFC 1918 blocking also needs to be disabled on the WAN interface.
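A small checker for this kind of troubleshooting, added here as an example and not code from the thread or from OPNsense: it parses `pfctl -sr` style lines (the format dumped above), lists the inbound block rules on the WAN interface whose source is a private range or a table such as `<bogons>`, and shows whether the inbound pass rule for a port targets the interface-address macro `(ix1)` ("WAN address") or `(self)`. The sample input is constructed: the `(ix1)`, `<bogons>` and `<sshlockout>` lines are copied from the ruleset above, while the `192.168.0.0/16` block line and the `(self)` pass line are made up to show what the checker reports for "Block private networks" and "This Firewall"; that `(self)` is what OPNsense emits for "This Firewall" is an assumption here (the sshlockout rules above do use `(self)`). The parser only understands the rule shapes seen in this thread.

```python
import ipaddress

# Constructed sample in the shape of `pfctl -sr` output. Labels marked
# CONSTRUCTED-* are placeholders; the others are copied from the thread.
SAMPLE_RULES = """\
block drop in log inet all label "ecd3a310894625657c6591b80daa956a"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "7f677186b656aba15284e68ad3b299b5"
block drop in log quick on ix1 inet from 192.168.0.0/16 to any label "CONSTRUCTED-private-block"
block drop in log quick on ix1 inet from <bogons> to any label "9feb1ff22602ce7fa249ca38a748a8d6"
pass out log all flags S/SA keep state allow-opts label "1232f88e5fac29a32501e3f051020cac"
pass in quick on ix1 inet proto tcp from any to (ix1) port = ssh flags S/SA keep state label "267b27f26828b478f2347df6c585e3e7"
pass in quick on ix1 inet proto tcp from any to (self) port = ssh flags S/SA keep state label "CONSTRUCTED-this-firewall"
"""


def parse_rule(line):
    """Token-walk one pf rule; only the fields this check needs are kept."""
    toks = line.split()
    r = {"action": toks[0], "direction": None, "quick": False, "iface": None,
         "negated_iface": False, "af": None, "proto": None,
         "src": None, "sport": None, "dst": None, "dport": None}
    i = 1
    if r["action"] == "block" and i < len(toks) and toks[i] == "drop":
        i += 1                      # "block drop" -> action stays "block"
    side = None                     # which side a following "port = X" belongs to
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r["direction"] = t; i += 1
        elif t == "quick":
            r["quick"] = True; i += 1
        elif t == "on":             # "on ix1" or "on ! ix1"
            i += 1
            if toks[i] == "!":
                r["negated_iface"] = True; i += 1
            r["iface"] = toks[i]; i += 1
        elif t in ("inet", "inet6"):
            r["af"] = t; i += 1
        elif t == "proto":
            r["proto"] = toks[i + 1]; i += 2
        elif t == "all":            # "all" is shorthand for "from any to any"
            r["src"] = r["dst"] = "any"; i += 1
        elif t == "from":
            r["src"] = toks[i + 1]; side = "src"; i += 2
        elif t == "to":
            r["dst"] = toks[i + 1]; side = "dst"; i += 2
        elif t == "port":           # "port = ssh" is three tokens
            r["sport" if side == "src" else "dport"] = toks[i + 2]; i += 3
        elif t == "label":
            break                   # nothing after the label matters here
        else:
            i += 1                  # log, flags, keep state, icmp types, ...
    return r


def parse_ruleset(text):
    """Parse only pass/block rules; scrub and other lines are skipped."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.split() and ln.split()[0] in ("pass", "block")]


def is_private_source(src):
    """True for pf tables (<bogons>) and for private / non-global IPv4 or IPv6 ranges."""
    if src.startswith("<"):
        return True
    try:
        return ipaddress.ip_network(src, strict=False).is_private
    except ValueError:              # "any", "(self)", host names
        return False


def wan_private_blocks(rules, wan):
    """Inbound block rules bound to `wan` (not "! wan") with a private/table source."""
    return [r for r in rules
            if r["action"] == "block" and r["direction"] == "in"
            and r["iface"] == wan and not r["negated_iface"]
            and is_private_source(r["src"])]


def inbound_pass_targets(rules, wan, port):
    """(dst, kind) for inbound pass rules on `wan` to `port`; kind names the macro form."""
    out = []
    for r in rules:
        if (r["action"] == "pass" and r["direction"] == "in"
                and r["iface"] == wan and r["dport"] == port):
            dst = r["dst"]
            if dst == "(self)":
                kind = "self macro"
            elif dst.startswith("(") and dst.endswith(")"):
                kind = "interface-address macro"
            else:
                kind = "literal"
            out.append((dst, kind))
    return out


if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULES)
    for r in wan_private_blocks(rules, "ix1"):
        print("inbound block on ix1 from private/table source:", r["src"])
    for dst, kind in inbound_pass_targets(rules, "ix1", "ssh"):
        print("inbound ssh pass on ix1 ->", dst, "(%s)" % kind)
```

Run it against a saved `pfctl -sr` dump by replacing `SAMPLE_RULES` with the file contents; a leftover block from a private range on the WAN interface, or an `(ix1)` destination where `(self)` was intended, shows up directly in the output.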

October 19, 2023, 11:28:53 PM #10 Last Edit: October 20, 2023, 12:15:28 AM by Patrick M. Hausen
Too late now but whenever I encounter that problem again I will hopefully at least remember to look for this thread.

This is what the end result looks and works like:
                         TrueNAS CORE                 
        ┌────────────────────────────────────────────┐
        │                                            │
        │                           OPNsense VM      │
        │       ┌ ─ ─ ─ ─ ─ ┐   ┌──────────────────┐ │
        │    ┌───────────┐      │                  │ │
        │ ┌──┴────────┐  │  │   │  LAN        WAN  │ │
        │ │           │  │      │┌─────┐    ┌─────┐│ │
        │ │ VMs/jails │  │  │   ││ ix0 │    │ ix1 ││ │
        │ │           │  ├ ─    │└─────┘    └─────┘│ │
        │ │           ├──┘      │   ▲          ▲   │ │
        │ └────────┬──┘         └───┼──────────┼───┘ │
        │          │                │          │     │
        │          │                │   PCIe   │     │
        │          │                │   pass   │     │
        │ ┌────────┴─────────┐      │   thru   │     │
        │ │                  │      │          │     │
        │ │     bridge0      │      │          │     │
┌────┐  │ │┌─────┐    ┌─────┐│   ┌──┴──┐    ┌──┴──┐  │
│IPMI├──┼─┼┤ ix0 │    │ ix1 ││   │ ix2 │    │ ix3 │  │
└────┘  │ │└──┬──┘    └──┬──┘│   └──┬──┘    └──┬──┘  │
        │ └───┼──────────┼───┘      │          │     │
        └─────┼──────────┼──────────┼──────────┼─────┘
              │          │          │          │     
              ▼          └──────────┘          ▼     
                                                     
          to laptop                        to uplink 
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)