Help understanding source address on NAT/Firewall

Started by allebone, January 31, 2020, 04:06:04 PM

Hi there,

I have downloaded a fresh install of OPNSense on a VM with virtual adapters, and only setup pppoe on the WAN interface and configured the LAN interface IP. No other changes have been made so it is very default (besides setting a password etc for login).

I would like to be able to block certain ports for certain LAN clients, e.g. block port 443 for all LAN clients except a few to a certain IP.

Before doing this I checked live logging to see if I could find the internal IPs of the clients I am testing with in the logs accessing 443. However, all clients in the firewall log show as the WAN address when captured, e.g.:

Interface  Time             Source                  Destination         Proto  Label
wan        Jan 31 14:59:36  142.113.216.163:58231   67.212.168.66:443   tcp    let out anything from firewall host itself (force gw)

So the source address is always 142.113.216.163 (my WAN IP), and the destination and port are listed correctly (67.212.168.66:443).

This is unexpected. My expectation was something like source = 192.168.2.113:58231 (an internal IP). This would allow me to create a rule on the LAN side of the firewall restricting port 443 from a range of internal IPs to this destination. In this setup, however, I can only blanket ban everything to that destination.

I have tested this with a LAN rule (does nothing) and then a WAN block rule that blocks successfully everything to a destination, or everything on a certain port I specify, but this limits me opening it up to certain internal LAN clients.

Is this behaviour expected, and if so what can I do to work around this behaviour?

P

This works as designed. You are doing your capture on the WAN interface. This means the packages are already processed by the LAN rule and afterwards by the Outgoing NAT.

And because the NAT was already done, you can't see local LAN IPs on WAN.

If you want to see the traffic from the local IP you need to capture on the LAN interface.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de
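The ordering banym describes, as an added illustration that is not part of this thread and not OPNsense's own code: a small Python model of the outbound packet path, in which the LAN filter rules see the packet with its internal source first, outbound NAT then rewrites the source to the WAN address, and only the rewritten packet is visible on the WAN side. The WAN IP, destination and the 192.168.2.113 client come from the thread; the two "allowed" client addresses, the 203.0.113.5 destination and the rule labels are constructed. Rules are evaluated top-down, first match wins, which mirrors OPNsense's default "quick" behaviour, and the last rule stands in for the stock "Default allow LAN to any rule".

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Values taken from the thread
WAN_IP = "142.113.216.163"
DESTINATION = "67.212.168.66"
LAN_NET = ipaddress.ip_network("192.168.2.0/24")

# Constructed: the few LAN clients that are still allowed to reach DESTINATION:443
ALLOWED_CLIENTS = {"192.168.2.10", "192.168.2.11"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: object                 # an IPv4Network or a set of address strings
    dst: str | None = None      # None matches any destination
    dport: int | None = None    # None matches any destination port
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        if isinstance(self.src, set):
            if pkt.src not in self.src:
                return False
        elif ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# LAN-side rules, ordered. They match on the pre-NAT (internal) source address.
LAN_RULES = [
    Rule("pass", ALLOWED_CLIENTS, DESTINATION, 443, "allow selected clients to dest:443"),
    Rule("block", LAN_NET, DESTINATION, 443, "block rest of LAN to dest:443"),
    Rule("pass", LAN_NET, label="Default allow LAN to any rule"),
]


def evaluate(rules: list[Rule], pkt: Packet) -> Rule:
    """Top-down, first match wins ('quick' semantics); implicit deny otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return Rule("block", ipaddress.ip_network("0.0.0.0/0"), label="implicit deny")


def outbound_nat(pkt: Packet) -> Packet:
    """Outbound NAT rewrites the source to the WAN address (port kept unchanged here)."""
    return Packet(WAN_IP, pkt.sport, pkt.dst, pkt.dport, pkt.proto)


def forward(pkt: Packet) -> tuple[str, str, str | None]:
    """Return (decision, lan_log_line, wan_log_line); wan_log_line is None if blocked on LAN."""
    rule = evaluate(LAN_RULES, pkt)
    lan_log = (f"lan {rule.action} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
               f"{pkt.proto} [{rule.label}]")
    if rule.action == "block":
        return "block", lan_log, None
    natted = outbound_nat(pkt)           # this is what the WAN side ever sees
    wan_log = (f"wan pass {natted.src}:{natted.sport} -> {natted.dst}:{natted.dport} "
               f"{natted.proto}")
    return "pass", lan_log, wan_log


if __name__ == "__main__":
    for pkt in (Packet("192.168.2.113", 58231, DESTINATION, 443),
                Packet("192.168.2.10", 58232, DESTINATION, 443),
                Packet("192.168.2.113", 58233, "203.0.113.5", 443)):
        decision, lan_line, wan_line = forward(pkt)
        print(lan_line)
        if wan_line:
            print(wan_line)
```

Running it shows the LAN log line carrying 192.168.2.113 while the WAN line for a permitted client carries 142.113.216.163, and two different permitted clients using the same source port produce identical WAN log lines: after NAT there is nothing left on the WAN side to tell them apart, which is why the per-client restriction has to live in the LAN rules.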

Quote from: banym on January 31, 2020, 05:08:50 PM
If you want to see the traffic from the local IP you need to capture on the LAN interface.

Thank you, how can I do this and add relevant rules?

Thank you, by testing further and with your advice I have understood what to do and the situation is now resolved :)