help preserving source ip of my subnets to front firewall

Started by guest40533, October 12, 2023, 04:21:16 PM


You have to disable outbound NAT on the OPNsense (set it to manual).

Then you have to create static routes on the WatchGuard for each of your internal nets, with the next hop being the CARP VIP of the OPNsense in your interconnect net.

And of course you have to make sure the firewalling allows these nets on the OPNsense and the WatchGuard. The firewalling has to be really tight so the individual nets won't be routed to the WatchGuard and back to the OPNsense (interconnected VLAN traffic). Only traffic with destination WAN should be allowed to route to the WatchGuard.

And the WatchGuard has to outbound NAT all those internal nets now (SNAT, IP masquerading).
Hardware:
DEC740
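The four steps in the reply above describe one forward path and one return path. The toy model below, an added example and not code from the thread or from either vendor, traces a single echo from the VLAN 20 PC to an Internet host through both hops with longest-prefix routing and a per-hop SNAT table, and shows what the WatchGuard sees as the source address and where its reply ends up with and without the static route back to the CARP VIP. The internal net 192.168.20.0/24, the interconnect 10.46.0.0/24, the VIP 10.46.0.3 and the WatchGuard interconnect address 10.46.0.4 come from the thread; the WatchGuard public address 203.0.113.10, its ISP gateway 203.0.113.1 and the Internet host 198.51.100.5 are constructed for the example (RFC 5737 documentation ranges).

```python
"""Toy model of the two-hop routed/NAT path described in the reply.

Added example, not code from the thread. Internal net, interconnect net and
CARP VIP are the thread's; 203.0.113.10 (WatchGuard public IP), 203.0.113.1
(ISP gateway) and 198.51.100.5 (Internet host) are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    ident: int  # ICMP id; stands in for the L4 port a real firewall keys state on


@dataclass
class Router:
    name: str
    # (prefix, next_hop); next_hop None means the prefix is directly connected.
    routes: List[Tuple[str, Optional[str]]]
    snat_ip: Optional[str] = None  # masquerade address if this hop does outbound NAT
    nat_state: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match. Returns the next hop, or None for a connected net.
        Every table here carries a default route, so None never means 'no route'."""
        best_len, best_nh = -1, None
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
                best_len, best_nh = net.prefixlen, nh
        return best_nh

    def forward(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        """Outbound direction: SNAT if configured, record state, then route."""
        if self.snat_ip:
            self.nat_state[(self.snat_ip, pkt.ident)] = pkt.src
            pkt = Packet(self.snat_ip, pkt.dst, pkt.ident)
        return pkt, self.next_hop(pkt.dst)

    def reverse(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        """Return direction: undo SNAT for replies to our masquerade address, then route."""
        orig_src = self.nat_state.get((pkt.dst, pkt.ident))
        if orig_src:
            pkt = Packet(pkt.src, orig_src, pkt.ident)
        return pkt, self.next_hop(pkt.dst)


def build(opnsense_nat: bool, watchguard_static_route: bool) -> Tuple[Router, Router]:
    opn = Router(
        "opnsense",
        routes=[("192.168.20.0/24", None), ("10.46.0.0/24", None), ("0.0.0.0/0", "10.46.0.4")],
        # True = automatic outbound NAT left on; False = manual mode with no rule, as the reply advises
        snat_ip="10.46.0.3" if opnsense_nat else None,
    )
    wg_routes = [("10.46.0.0/24", None), ("203.0.113.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if watchguard_static_route:
        wg_routes.append(("192.168.20.0/24", "10.46.0.3"))  # static route back to the CARP VIP
    wg = Router("watchguard", routes=wg_routes, snat_ip="203.0.113.10")
    return opn, wg


def simulate(opnsense_nat: bool, watchguard_static_route: bool) -> dict:
    """Send one echo from the VLAN 20 PC to an Internet host and trace the reply home."""
    opn, wg = build(opnsense_nat, watchguard_static_route)
    pkt = Packet("192.168.20.22", "198.51.100.5", 0x0001)
    pkt, _ = opn.forward(pkt)                     # OPNsense hands it to 10.46.0.4
    src_seen_by_wg = pkt.src                      # preserved only when OPNsense does not NAT
    pkt, _ = wg.forward(pkt)                      # WatchGuard SNATs and sends to the ISP gateway
    reply = Packet(pkt.dst, pkt.src, pkt.ident)   # Internet host swaps src/dst
    reply, nh = wg.reverse(reply)
    delivered_to = None
    # The reply reaches OPNsense if a route points at the VIP, or if the VIP itself is the
    # (connected) destination because OPNsense had masqueraded behind it.
    if nh == "10.46.0.3" or (nh is None and reply.dst == "10.46.0.3"):
        reply, nh2 = opn.reverse(reply)
        if nh2 is None:                           # 192.168.20.0/24 is connected on OPNsense
            delivered_to = reply.dst
    return {
        "src_seen_by_watchguard": src_seen_by_wg,
        "reply_next_hop_at_watchguard": nh,       # a next hop of 203.0.113.1 means the reply left for the ISP
        "delivered_to": delivered_to,
    }


if __name__ == "__main__":
    for nat, route in [(False, True), (False, False), (True, False)]:
        print(f"opnsense_nat={nat} watchguard_route={route}: {simulate(nat, route)}")
```

The three runs in the `__main__` block are the three configurations worth comparing: no OPNsense NAT plus the static route (source preserved, reply delivered), no OPNsense NAT and no static route (source preserved, but the WatchGuard sends the reply out its default route and the PC never sees it), and OPNsense NAT left on (reply delivered, but the WatchGuard only ever sees 10.46.0.3 as the source, which is the situation the thread title is trying to get away from). The model keys NAT state on the ICMP id alone; a real firewall keys on the full 5-tuple and also tracks state for the return direction.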

It's been a while, but thank you for your response. I was able to make significant progress.

However, now I have a problem: my packets are sent out fine, but they never receive any responses, even though the return traffic is not blocked... so I don't think it's a problem with the rules.

It works if I ping from the WatchGuard to one of my subnets, but not the other way around.


Thanks

No problem.

That's not really a lot of information to go on, though.

Please provide a proper trace of an ICMP echo request and ICMP echo reply, captured with tools like tcpdump.
Describe your test scenario in a little more detail, maybe in a small ASCII diagram.
Hardware:
DEC740

Yes, here are my tests and the associated pings. I can see the request packets leaving on all the routers (OPNsense + WatchGuard), but I never see the reply packets coming back; they are not even refused. Doesn't OPNsense log non-legitimate packets entering the WAN by default? I've also created temporary "pass all" rules everywhere for debugging.

Test A: PC to WatchGuard, VLAN 1
                                         
A1: PC to R1 LAN VIP = OK
                                         
  192.168.20.22        vip 192.168.0.254
      +------+          +------+       
      |  PC  |----------|  R1  |       
      +------+          +------+       

155 18.974908 192.168.20.22 192.168.20.254 ICMP 74 Echo (ping) request  id=0x0001, seq=11066/14891, ttl=128 (reply in 156)
156 18.976640 192.168.20.254 192.168.20.22 ICMP 74 Echo (ping) reply    id=0x0001, seq=11066/14891, ttl=64 (request in 155)


A2:   PC to R1 WAN VIP = OK                                                 
                                                         
  192.168.20.22  192.168.0.254  10.46.0.3                   
      +------+      vip +----+  vip                           
      |  PC  |----------| R1 |                               
      +------+          +----+     
                                                           
236 31.456656 192.168.20.22 10.46.0.3 ICMP 74 Echo (ping) request  id=0x0001, seq=11067/15147, ttl=128 (reply in 237)
237 31.457524 10.46.0.3 192.168.20.22 ICMP 74 Echo (ping) reply    id=0x0001, seq=11067/15147, ttl=64 (request in 236)


A3: PC to WatchGuard interco = NOT OK
                                                             
  192.168.20.22  192.168.0.254  10.46.0.3                     
      +------+      vip +----+ vip            +----------+   
      |  PC  |----------| R1 |--------------- |WatchGuard|   
      +------+          +----+      10.46.0.4 +----------+   
                                                             
282 37.579659 192.168.20.22 10.46.0.4 ICMP 74 Echo (ping) request  id=0x0001, seq=11068/15403, ttl=128 (no response found!)

A4: PC to WatchGuard LAN = NOT OK
                                                                       
  192.168.20.22  192.168.0.254  10.46.0.3                   192.168.0.200  LAN  192.168.0.0/22
      +------+      vip +----+ vip            +----------+             
      |  PC  |----------| R1 |--------------- |WatchGuard|--------     
      +------+          +----+       10.46.0.4+----------+             
                                                                                                                                           
391 49.838626 192.168.20.22 192.168.0.200 ICMP 74 Echo (ping) request  id=0x0001, seq=11069/15659, ttl=128 (no response found!)



Test B: PC LAN to PC VLAN 20

Working:

1296 3.693011 192.168.0.102 192.168.0.200 ICMP 74 Echo (ping) request  id=0x0001, seq=154/39424, ttl=128 (reply in 1297)
1297 3.693324 192.168.0.200 192.168.0.102 ICMP 74 Echo (ping) reply    id=0x0001, seq=154/39424, ttl=64 (request in 1296)


164522 425.912504 192.168.0.102 192.168.20.22 ICMP 74 Echo (ping) request  id=0x0001, seq=168/43008, ttl=128 (reply in 164525)
164525 425.915145 192.168.20.22 192.168.0.102 ICMP 74 Echo (ping) reply    id=0x0001, seq=168/43008, ttl=126 (request in 164522)



I'm sorry if this isn't very clear, but it's quite hard for me to illustrate and describe in writing. Thanks for your help. :)
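When a capture like the one above has several request/reply pairs and a few lone requests, it helps to let a script do the pairing instead of reading the "(reply in N)" annotations by eye. The script below is an added example, not code from the thread or from OPNsense: it parses tshark-style summary lines, matches each echo request to a reply with the same id/seq and swapped addresses, lists the targets that never answered, and estimates from the reply TTL how many routers the reply crossed (assuming the sender started at one of the common initial TTLs 64, 128 or 255). The embedded sample is a copy of the Test A lines posted above.

```python
"""Pair ICMP echo requests with replies in tshark-style summary lines.

Added example, not from the thread. SAMPLE is copied from the Test A capture
above; the hop estimate assumes an initial TTL of 64, 128 or 255.
"""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ICMP\s+\d+\s+"
    r"Echo \(ping\) (?P<kind>request|reply)\s+id=(?P<id>0x[0-9a-fA-F]+), "
    r"seq=(?P<seq>\d+)/\d+, ttl=(?P<ttl>\d+)"
)

SAMPLE = """\
155 18.974908 192.168.20.22 192.168.20.254 ICMP 74 Echo (ping) request  id=0x0001, seq=11066/14891, ttl=128 (reply in 156)
156 18.976640 192.168.20.254 192.168.20.22 ICMP 74 Echo (ping) reply    id=0x0001, seq=11066/14891, ttl=64 (request in 155)
236 31.456656 192.168.20.22 10.46.0.3 ICMP 74 Echo (ping) request  id=0x0001, seq=11067/15147, ttl=128 (reply in 237)
237 31.457524 10.46.0.3 192.168.20.22 ICMP 74 Echo (ping) reply    id=0x0001, seq=11067/15147, ttl=64 (request in 236)
282 37.579659 192.168.20.22 10.46.0.4 ICMP 74 Echo (ping) request  id=0x0001, seq=11068/15403, ttl=128 (no response found!)
391 49.838626 192.168.20.22 192.168.0.200 ICMP 74 Echo (ping) request  id=0x0001, seq=11069/15659, ttl=128 (no response found!)
"""


def parse(text: str) -> List[Dict]:
    """Parse summary lines into dicts; lines that are not ICMP echo summaries are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["frame"], d["ttl"], d["seq"] = int(d["frame"]), int(d["ttl"]), int(d["seq"])
        d["id"] = int(d["id"], 16)
        d["time"] = float(d["time"])
        out.append(d)
    return out


def hops_from_ttl(ttl: int) -> Optional[int]:
    """Routers traversed, assuming the sender started at 64, 128 or 255 (assumption)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def pair_echoes(records: List[Dict]) -> Dict[str, list]:
    """Match each request to the reply carrying the same id/seq with src and dst swapped."""
    # Key replies by (id, seq, reply.dst, reply.src) so a request looks itself up as
    # (id, seq, request.src, request.dst).
    replies = {(r["id"], r["seq"], r["dst"], r["src"]): r for r in records if r["kind"] == "reply"}
    answered, unanswered = [], []
    for req in records:
        if req["kind"] != "request":
            continue
        rep = replies.get((req["id"], req["seq"], req["src"], req["dst"]))
        if rep is None:
            unanswered.append(req["dst"])
        else:
            answered.append({
                "target": req["dst"],
                "rtt_ms": round((rep["time"] - req["time"]) * 1000, 3),
                "reply_hops": hops_from_ttl(rep["ttl"]),
            })
    return {"answered": answered, "unanswered": unanswered}


if __name__ == "__main__":
    result = pair_echoes(parse(SAMPLE))
    for a in result["answered"]:
        print(f"answered   {a['target']:16} rtt={a['rtt_ms']} ms  reply crossed {a['reply_hops']} router(s)")
    for target in result["unanswered"]:
        print(f"unanswered {target}")
```

Run the same script against a capture taken on the interconnect interface of each box (for example `tshark -i <iface> icmp` on the OPNsense side): a target that is answered in the capture nearest to it but unanswered in the capture nearest to the sender tells you which hop swallowed the reply, and a reply whose hop count is larger than the topology allows shows it took a detour. Comparing captures this way is what the request for a tcpdump trace earlier in the thread is after.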


Just to make sure, did you set up static routes on the Watchguard back to the OPNsense?
Hardware:
DEC740

Yes, I put this on the WatchGuard:

route             gateway
192.168.20.0/24   10.46.0.3 (VIP cluster)


But it works well when the WatchGuard pings my PC on VLAN 20 (see Test B).