OPNsense Forum » Archive » 19.7 Legacy Series
Topic: Port Forwarding issues and VPN passthrough issues (Read 2919 times)
loadnabox (Newbie, Posts: 3, Karma: 0), on January 09, 2020, 05:47:18 pm:
I'm having two issues.
#1 Trying to port forward a non-reserved port to SSH (port 22) on a bare metal box inside the FW. Externally I can see "connection established", but I'm not seeing any authentication attempts in the logs on the Linux box. Reviewing OPNsense logs, I see that it is supposedly forwarding the packets. The same setup was previously working when the same hardware I put OPNsense on was running Sophos, so I do not believe it to be an issue on the Linux box end.
#2 A client system inside is trying to connect externally via Cisco VPN. It establishes the connection, but I cannot connect to any services on the other side of the VPN. Using my phone to tether and bypass OPNsense, everything works fine.
OPNsense notes:
I have NOT enabled "Block bogon" or "Block private" on either WAN or LAN.
I have set NAT outbound to "manual" only for testing, but this has not helped.
This part is important... !!!I NEED TO BE ABLE TO RUN IN HYBRID NAT OUTBOUND TO ENABLE NAT-PMP!!!!! However, this automatically enables ISAKMP, which can interfere with VPNs, as I have read it.
I have three WAN rules enabled and no LAN rules (aside from allow all on the LAN side):
spamhaus_drop
spamhaus_edrop
GeoIP
I have disabled the outbound rules for testing; however, it has not fixed the problems.
I humbly beg for assistance here, as my Google-fu and forum searches over the past couple of days have resulted in the same suggestions (already tried above), which haven't fixed the issues.
Reply #1, loadnabox (Newbie, Posts: 3, Karma: 0), on January 10, 2020, 04:22:37 am:
So I got the NAT port forward fixed.
I just did a factory reset and rebuilt all the firewall rules. No idea what was wrong, but obviously something got badly tweaked in there.
Still trying to figure out the issue with the Cisco VPN, though.
Reply #2, loadnabox (Newbie, Posts: 3, Karma: 0), on January 19, 2020, 08:29:02 pm:
Finally got this to work. Posting it here in case this ever comes up in Google searches in the future.
I had to create a new NAT rule on the LAN interface.
I created a static DHCP mapping for my work laptop, then made an alias for it.
In the new NAT rule, I set source: work_laptop any/any, dest: any/any, *** force GW: WAN DHCP ***, direction IN.
I then had to select "allow options" and "sloppy state" in the new NAT rule.
Lastly, I had to disable Unbound DNS and remove the OPNsense server from the list of DNS resolvers, as it was grabbing DNS requests and munging them.
After all this, the VPN works without issue now.
Reply #3, banym (Sr. Member, Posts: 468, Karma: 31, "Free Human Being, FreeBSD, Linux and Mac nerd"), on January 19, 2020, 08:44:41 pm:
Thank you for sharing.
Twitter: banym | Mastodon: banym@bsd.network | Blog: https://www.banym.de
Reply #4, newsense (Hero Member, Posts: 1037, Karma: 77), on January 19, 2020, 11:21:58 pm:
There seem to be a few unjustified things here: from messing with the bogon and private settings on the WAN, the apparently unjustified WAN rules for Spamhaus and GeoIP, to some weird NAT issue that shouldn't have been there in the first place, and lastly to Unbound being disabled.
For Cisco VPN to work you only need to have the appropriate LAN rule, and here it's already ALLOW * *, which is hardly the most secure stance.
Overall it sounds more like a poorly configured off-the-shelf router rather than a fully functional firewall with some of the best underlying technologies under the hood.
Best advice would be to start over, preferably in a virtual environment, minding the defaults, which are there for a reason, and learning how to configure it securely in a much simpler fashion than it appears to be done right now. Afterwards you can tweak the existing setup back to more sane values while preserving the same needed functionality.
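To make the two posts above concrete, here is an added pf.conf fragment (written for this page, not taken from the thread or from OPNsense's generated ruleset) that approximates the policy-routing rule Reply #2 describes and, for comparison, the "allow all on LAN side" rule Reply #4 objects to. OPNsense builds its pf rules from the GUI, so the mapping of GUI options to pf keywords is the point of the example: "force GW" corresponds to route-to, "allow options" to allow-opts, and "sloppy state" to the sloppy state option. The interface names, the addresses, and the assumption that "Cisco VPN" means IPsec (IKE and NAT-T on UDP 500/4500 plus ESP) are all assumptions made here.

```pf
# Added example, not the thread's own configuration. Names and addresses below
# are assumptions chosen for illustration.

lan_if = "em1"                # assumed LAN interface
wan_if = "em0"                # assumed WAN interface
wan_gw = "203.0.113.1"        # assumed address of the "WAN DHCP" gateway

# The alias from Reply #2: a table backed by the laptop's static DHCP mapping.
table <work_laptop> { 192.168.1.50 }

# The thread's default LAN rule ("allow all on the LAN side"). Every internal
# host may reach anything, so the firewall enforces no policy on LAN clients.
# pass in quick on $lan_if from any to any keep state

# Reply #2's rule, narrowed to the single client and to IPsec traffic only
# (assumption: "Cisco VPN" here is IPsec, i.e. IKE/NAT-T on UDP 500/4500 and ESP).
#   route-to ($wan_if $wan_gw)  <->  "force GW: WAN DHCP"
#   allow-opts                  <->  "allow options"
#   keep state (sloppy)         <->  "sloppy state"
# "direction IN" is the "pass in ... on $lan_if" part: the rule matches traffic
# as it arrives from the LAN, before it is routed out.
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet proto udp \
    from <work_laptop> to any port { 500, 4500 } keep state (sloppy) allow-opts
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet proto esp \
    from <work_laptop> to any keep state (sloppy) allow-opts
```

On a FreeBSD/pf host the fragment can be syntax-checked without loading it with pfctl -nf <file>, and after a rule change pfctl -sr shows the active rules while pfctl -ss shows the states the VPN client has actually created, which is the quickest way to confirm that traffic is hitting the intended rule rather than the catch-all. Keeping the rule scoped to the one table entry and the VPN protocols preserves the behaviour Reply #2 needed while avoiding the blanket ALLOW * * that Reply #4 criticises; the Unbound change in Reply #2 is a separate DNS decision and is not reproduced here.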