Newbie wanting some help with configuration

Started by Link2019, August 10, 2019, 02:12:02 PM

Hi Everyone,

In the past I have used pre-configured software but I felt like turning my hand to something open source / hardware based but I'm having problems.

I got Opnsense 19.7 installed on a 1U rack - has two LAN cards one of which has been picked up as WAN and I can log into the GUI... all seems to be working.

I have a Netgear D7000v2 router and I would like to use Opnsense as my firewall, but I'm having issues with configuration.

Is there anyone that would help me find my way?

I'm not overly familiar with using WAN etc., so I'm just finding myself getting confused within the settings menu.

Hope to speak to someone soon...  :)
Adam

welcome to opnsense, link2019!

please post specifics about the problems you've encountered.  does your opnsense gui report whether or not the WAN interface has been issued a public IP by the D7000v2, or is it a non-routed IP (e.g. 10.x, 192.168.x or 172.16.x)?

your setup is not very complex but there may be overlapping functionality you may need to account for--primarily NAT.

Quote from: firewall on August 11, 2019, 04:52:03 AM
welcome to opnsense, link2019!

please post specifics about the problems you've encountered.  does your opnsense gui report whether or not the WAN interface has been issued a public IP by the D7000v2, or is it a non-routed IP (e.g. 10.x, 192.168.x or 172.16.x)?

your setup is not very complex but there may be overlapping functionality you may need to account for--primarily NAT.

Hi firewall thanks for your reply!

I did actually manage to get the firewall working and we now have access.
The Netgear assigned a non-routed IP to the WAN, 192.168.0.2.
I have my router set up to DMZ straight to the WAN address, but I'm having an issue port forwarding. I have read and copied many examples, but it seems the port won't open on the outside.

When I run a port scan from the outside and look at my Logs > Live View, I see the port scan run but it's denied:

wan      Aug 16 06:14:32   52.202.215.126:34198   192.168.0.2:21   tcp   Default deny rule

I have attached two files showing my config - not sure where I'm going wrong.

Hi Link2019,

welcome to OPNsense.
If you have a private network range on your WAN interface, you should disable these two options:

Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

August 16, 2019, 06:58:27 PM #4 Last Edit: August 16, 2019, 07:02:14 PM by Link2019
Hi Banym,

Thanks for your message. I have done what you suggested, but I still do not see the ports open, and I'm also still seeing the deny rule appear when scanning the port.

I'm not sure if I have found the possible cause. When looking under Log Files > Live View at the column titles at the top (Interface, Time, Source, Destination etc.), under Destination it's listing the IP of the WAN interface on the firewall, 192.168.0.2. Should that not be listing the IP of the device I'm trying to forward the ports to?

Hey,

maybe you can explain or draw your environment some more.
What IP does your WAN / LAN etc. have?
How is it connected, etc.?

Some screenshots of the rules and NAT rules would be good, too.

Regards,

Dominik
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Hey Dominik,

I have quickly drawn my network setup and attached some screen grabs from NAT > Port Forward and Rules.

It's not a complex setup at all - Obviously I have got something wrong somewhere.

I'm just going to check that when using DMZ that the NAT on the router is switched off. Other than that...I'm at a complete loss.

Regards
Adam

Hi Adam,

your NAT rule is the problem.

You have defined the IP 192.168.1.111 as both destination and NAT address. The destination should be your WAN IP. This destination is then translated to the NAT IP of your server on the LAN side.

Hope this helps.

Regards,

Dominik
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de
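To make the point in Dominik's reply concrete (and to show why Adam's live-view entry shows the firewall's own WAN address as destination and then hits the default deny), here is an added example that is not from this thread or from OPNsense's code. It is a simplified model of how a pf-style port-forward (rdr) rule is matched: the rule is compared against the destination the packet actually arrives with (the WAN IP), and only on a match is the destination rewritten to the internal host. The LAN host address 192.168.1.111 is taken from the thread; the log line is constructed after the one Adam posted, and the rule objects and function names are this example's own.

```python
"""Model of pf-style port-forward (rdr) matching for inbound WAN packets.

Added example, not the forum thread's or OPNsense's own code. It models the
matching semantics only: a port forward matches on the packet's *original*
destination (the address it arrives with, i.e. the firewall's WAN IP) and
then rewrites that destination to the internal host. A rule whose match
destination is already the LAN host never matches an inbound WAN packet, so
the packet falls through to the default deny rule seen in the live view.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

WAN_IP = "192.168.0.2"    # WAN address handed out by the D7000v2 (from the thread)
NAS_IP = "192.168.1.111"  # LAN host the ports are forwarded to (from the thread)


@dataclass
class PortForward:
    interface: str
    proto: str
    dst: str          # original destination the rule matches on
    dst_port: int
    target: str       # "NAT IP": where a matching packet is redirected
    target_port: int


@dataclass
class Packet:
    interface: str
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


# Live View columns, as described in the thread: Interface, Time, Source,
# Destination, protocol, then the label of the rule that fired.
LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<action>.+)$"
)


def parse_live_view_line(line: str) -> tuple[Packet, str]:
    """Turn a whitespace-separated live-view line into a Packet plus the rule label."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised live-view line")
    pkt = Packet(m["iface"], m["proto"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))
    return pkt, m["action"]


def apply_port_forwards(pkt: Packet, rules: list[PortForward]) -> Optional[Packet]:
    """Return the translated packet for the first matching rule, or None if no rule matches."""
    for r in rules:
        if (r.interface == pkt.interface and r.proto == pkt.proto
                and r.dst == pkt.dst and r.dst_port == pkt.dst_port):
            return Packet(pkt.interface, pkt.proto, pkt.src, pkt.src_port,
                          r.target, r.target_port)
    return None


def forward_destination(line: str, rules: list[PortForward]) -> Optional[str]:
    """Where would the packet in this log line be sent after port forwarding?"""
    pkt, _label = parse_live_view_line(line)
    out = apply_port_forwards(pkt, rules)
    return None if out is None else f"{out.dst}:{out.dst_port}"


def wan_is_private(wan_ip: str) -> bool:
    """True when the WAN address is an RFC 1918 address, i.e. a 'non-routed IP' as in the thread."""
    return ipaddress.ip_address(wan_ip).is_private


# Constructed log line modelled on the denied port-scan hit quoted in the thread.
SAMPLE_LINE = ("wan      Aug 16 06:14:32   52.202.215.126:34198   "
               "192.168.0.2:21   tcp   Default deny rule")

# Mis-configured rule: match destination set to the LAN host. Inbound packets
# carry the WAN IP as destination, so this never matches -> default deny.
BROKEN_RULE = PortForward("wan", "tcp", NAS_IP, 21, NAS_IP, 21)
# Corrected rule: match on the WAN address, redirect to the LAN host.
FIXED_RULE = PortForward("wan", "tcp", WAN_IP, 21, NAS_IP, 21)

if __name__ == "__main__":
    print("broken rule ->", forward_destination(SAMPLE_LINE, [BROKEN_RULE]))
    print("fixed rule  ->", forward_destination(SAMPLE_LINE, [FIXED_RULE]))
    print("WAN is private:", wan_is_private(WAN_IP))
```

Running it shows the broken rule yields no translation (the packet is still addressed to 192.168.0.2:21 when the filter rules run, which is exactly what the live view reported), while the corrected rule sends it on to 192.168.1.111:21. The private-range check is the same question firewall asked earlier in the thread; when it is true, the WAN-side options Dominik mentioned for private ranges become relevant.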

Hey Dominik

That seems to have done the job for port 21, but port 22 is still closed. I checked the settings against the rule for port 21 and they're the same, so I'm not sure what's happening there.

Regards
Adam

You're 100% sure the host behind is listening on 22?

Do you have other rules on the WAN side to SSH into your firewall on port 22? If so, change the port for the firewall itself to 2222, for example. You can do that under System->Settings->Administration.

Otherwise sniff on the WAN interface to see where the traffic is dropped.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Ah no, my bad.

Port 22 was closed off on the NAS.

Thanks for your help!

August 17, 2019, 10:10:53 AM #11 Last Edit: August 17, 2019, 10:15:07 AM by tong2x
just saw your diagram and you have DMZ already..