OPNsense Forum » Archive » 19.7 Legacy Series » Trouble allowing traffic from WAN to internal network
Topic: Trouble allowing traffic from WAN to internal network (Read 3847 times)
andrew11 (Newbie, Posts: 3, Karma: 0)
Trouble allowing traffic from WAN to internal network
Posted on: November 29, 2019, 07:48:29 am
Hello,
I am currently working on a project for school and am having some trouble getting traffic to travel from the WAN network to the internal network. My deadline is coming up soon, so any help would be greatly appreciated.
So my network is as follows:
(FYI, this is all done in VirtualBox.)
I have an OPNsense firewall with 3 NICs:
DMZ (em2) - 192.168.2.1/24
LAN (em1) - 192.168.1.1/24
WAN (em0) - DHCP4: 192.168.50.244/24
Directly connected to the OPNsense DMZ interface are a Windows honeypot (DHCP) and a Windows web server (192.168.2.2); this web server hosts a simple website over HTTP.
Directly connected to the LAN interface of the firewall is a router with 3 NICs:
External: 192.168.1.1 - connected to the firewall
LAN: 192.168.4.1 - domain controller and servers are on this network
LAN: 192.168.3.1 - Windows workstation is connected to this network
So I am currently experiencing two issues, which I think may be related.
1)
I installed OpenVPN using the OpenVPN wizard in the OPNsense web GUI. After installing, I am able to connect successfully from my host machine. However, after I connect I am unable to ping the local networks I specified in the VPN server, which would be 192.168.4.0/24 and 192.168.3.0/24. I'm not sure if it is an issue with the firewall rules; they were created automatically when I used the wizard to set up the server.
2)
I am unable to access the website hosted on the web server in the DMZ, even though I have specified rules in the firewall to allow HTTP traffic from the WAN to the DMZ. The website on the web server is a simple IP-based website using the address 192.168.2.3.
My firewall rules are as follows:
WAN)
Pass IPv4 TCP  Source: *  Port: *  Destination: DMZ net  Port: 80 (HTTP)  Gateway: *  Schedule: *
Pass IPv4+6 UDP  Source: *  Port: *  Destination: WAN address  Port: 1194 (OpenVPN)  Gateway: *  Schedule: *
OpenVPN)
Pass IPv4+6 *  Source: *  Port: *  Destination: *  Port: *  Gateway: *  Schedule: *
I think I need to add some port forwarding rules in the firewall. I tried to add some port forwarding rules through NAT. I also attempted to set up a 1:1 NAT using a virtual IP that I set up in the Virtual IP section. Neither of these options seemed to work. Any suggestions would be greatly appreciated.
-Thanks
andrew11 (Newbie, Posts: 3, Karma: 0)
Re: Trouble allowing traffic from WAN to internal network
Reply #1 on: November 29, 2019, 07:50:19 am
Update: I am not sure I set up the port forwarding rules correctly, as I have never done it before, so any advice on that would be great too.
banym (Sr. Member, Posts: 468, Karma: 31; Free Human Being, FreeBSD, Linux and Mac nerd)
Re: Trouble allowing traffic from WAN to internal network
Reply #2 on: November 29, 2019, 11:45:34 am
Hi Andrew,
Since you have a private network range on WAN, you need to uncheck the "Block private networks" option on the WAN interface.
Maybe allow ICMP echo requests on the WAN interface so that you can ping the WAN interface and see whether that works.
Please make some screenshots of the NAT rules and post them here.
Make some screenshots of the LAN and DMZ rules, too.
If you need to access the web server from your LAN, you need to add the rules in the LAN section.
If you need to access the web server from WAN, you need to add the rules in the WAN section.
If you want to access the web server from your WAN but want to use the firewall IP and do port forwarding, you need to add the rules in the NAT section; the rule on WAN will be generated automatically by default.
Review all machines to make sure they have the correct default GW, so that routing is not the problem.
Regards,
Dominik
Twitter: banym | Mastodon: banym@bsd.network | Blog: https://www.banym.de
andrew11 (Newbie, Posts: 3, Karma: 0)
Re: Trouble allowing traffic from WAN to internal network
Reply #3 on: November 29, 2019, 08:59:21 pm
Hello again,
I originally did disable the "Block private networks" option on the WAN interface; sorry, I forgot to mention that. The issue still seems to occur.
I'm not sure how I can attach a screenshot to my post in this forum; I don't see an option for it.
I did add the following rule to my WAN to do some testing:
Pass IPv4 ICMP  Source: *  Port: *  Destination: *  Gateway: *  Schedule: *
After adding this rule, I am still unable to ping the firewall or anything on the network from my host machine. I am also still unable to access the local networks specified in the server when connecting to OpenVPN.
This is the NAT port forwarding setting I added:
WAN  Proto: TCP  Source: *  Ports: *  Destination: 192.168.50.244  Ports: 80 (HTTP)  NAT: 192.168.2.3/24  Ports: 80 (HTTP)
I am still unable to access the website on the webserver hosted in the DMZ.
My other firewall rules are below:
LAN)
Pass IPv4 *  Source: 192.168.3.0/24  Port: *  Destination: *  Port: *  Gateway: *  Schedule: *
Pass IPv4 TCP  Source: LAN net  Port: *  Destination: DMZ net  Port: *  Gateway: *  Schedule: *
DMZ)
Block IPv4 *  Source: DMZ net  Port: *  Destination: LAN net  Port: *  Gateway: *  Schedule: *
Pass IPv4 *  Source: DMZ net  Port: *  Destination: *  Port: *  Gateway: *  Schedule: *
I have confirmed all machines do have the correct default GW.
-Thanks Again
Andrew
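To make the advice in this thread concrete, the following is an added example (my own code, not part of the original posts and not OPNsense code). It is a toy model of the packet path for an inbound port forward on a pf-based firewall such as OPNsense: NAT (rdr) rewrites the destination before the filter runs, the WAN filter rules therefore see the translated destination (which is why a pass rule with destination "DMZ net" is the right match for a forward), rules are first-match, and "Block private networks" on WAN drops RFC 1918 sources before any user rule. Those semantics and the subnets are assumptions taken from the thread; the constructed HTTP request from 192.168.50.10 and the two port-forward variants (the target as posted, "192.168.2.3/24", and a single-host target) are mine. The check on the redirect target only flags the /24 as something to verify in the GUI; it does not prove that is the cause of the problem.

```python
"""Toy model of pf NAT + filter processing for an OPNsense port forward.
Added example, not OPNsense code. Subnets and rules are taken from the thread;
the sample packet and the port-forward variants are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Interface networks as described in the thread (assumed /24s)
NETS = {
    "WAN net": ipaddress.ip_network("192.168.50.0/24"),
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ net": ipaddress.ip_network("192.168.2.0/24"),
}
WAN_ADDR = ipaddress.ip_address("192.168.50.244")  # WAN DHCP lease from the thread


@dataclass
class Packet:
    iface: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass
class PortForward:
    """NAT > Port Forward entry: rewrite destination before filtering."""
    iface: str
    proto: str
    dst: ipaddress.IPv4Address   # original destination (the WAN address)
    dport: int
    target: str                  # Redirect target IP exactly as typed in the GUI
    tport: int


@dataclass
class Rule:
    """Firewall rule as listed in the thread; proto is 'any', 'TCP', 'UDP' or 'ICMP'."""
    iface: str
    action: str                  # 'pass' or 'block'
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def check_target(target: str) -> List[str]:
    """Sanity checks on a port forward's redirect target: one host, inside the DMZ."""
    problems = []
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return [f"{target!r} is not a valid address"]
    host = ipaddress.ip_address(target.split("/")[0])
    if net.num_addresses > 1:
        problems.append(f"{target!r} is a whole network; a port forward needs one host, e.g. {host}")
    if host not in NETS["DMZ net"]:
        problems.append(f"{host} is not inside DMZ net {NETS['DMZ net']}")
    return problems


def _matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Match a GUI address field ('*', 'WAN address', '<iface> net' or a literal IP)."""
    if spec == "*":
        return True
    if spec == "WAN address":
        return addr == WAN_ADDR
    if spec in NETS:
        return addr in NETS[spec]
    return addr == ipaddress.ip_address(spec)


def apply_nat(pkt: Packet, forwards: List[PortForward]) -> Packet:
    """rdr step: the first matching port forward rewrites dst and dport."""
    for f in forwards:
        if (f.iface, f.proto, f.dst, f.dport) == (pkt.iface, pkt.proto, pkt.dst, pkt.dport):
            target = ipaddress.ip_address(f.target.split("/")[0])
            return Packet(pkt.iface, pkt.proto, pkt.src, target, f.tport)
    return pkt


def filter_decision(pkt: Packet, rules: List[Rule], block_private_on_wan: bool) -> str:
    """Filter step on the already translated packet; first matching rule wins."""
    if pkt.iface == "WAN" and block_private_on_wan and pkt.src.is_private:
        return "block (Block private networks)"
    for r in rules:
        if r.iface != pkt.iface or r.proto not in ("any", pkt.proto):
            continue
        if not (_matches(r.src, pkt.src) and _matches(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "block (default deny)"


def trace(pkt: Packet, forwards: List[PortForward], rules: List[Rule],
          block_private_on_wan: bool = False) -> str:
    """Return 'translated_dst:port decision' for one inbound packet."""
    after = apply_nat(pkt, forwards)
    return f"{after.dst}:{after.dport} {filter_decision(after, rules, block_private_on_wan)}"


# The WAN rule from the thread and a constructed HTTP request from the WAN segment
WAN_RULES = [Rule("WAN", "pass", "TCP", "*", "DMZ net", 80)]
HTTP_REQ = Packet("WAN", "TCP", ipaddress.ip_address("192.168.50.10"), WAN_ADDR, 80)
AS_POSTED = PortForward("WAN", "TCP", WAN_ADDR, 80, "192.168.2.3/24", 80)
CORRECTED = PortForward("WAN", "TCP", WAN_ADDR, 80, "192.168.2.3", 80)

if __name__ == "__main__":
    print(check_target(AS_POSTED.target))
    print(trace(HTTP_REQ, [], WAN_RULES))            # no forward: default deny
    print(trace(HTTP_REQ, [CORRECTED], WAN_RULES))   # forward + WAN rule: pass
    print(trace(HTTP_REQ, [CORRECTED], WAN_RULES, block_private_on_wan=True))
```

The three traces show the points banym raises in order: with no NAT entry the WAN pass rule for "DMZ net" never matches because the packet still carries the WAN address as its destination; with a single-host forward the translated packet matches and passes; and with "Block private networks" still enabled the RFC 1918 client is dropped before any user rule is consulted.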