OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 20.1 Legacy Series »
  • Help! Cannot get out WAN interface from DMZ for some services (and reverse)
« previous next »
  • Print
Pages: [1]

Author Topic: Help! Cannot get out WAN interface from DMZ for some services (and reverse)  (Read 1627 times)

Tugdualenligne

  • Newbie
  • *
  • Posts: 13
  • Karma: 0
    • View Profile
Help! Cannot get out WAN interface from DMZ for some services (and reverse)
« on: April 02, 2020, 10:14:24 pm »
Hi there, hope you're OK in this difficult Covid-19 environment.

I installed OPNsense running on Proxmox on a dedicated machine with 4 NIC.

My home network is as follow (^v are representing links) :

ISP Fiber ONT (public IP)
^v
ISP Router/Wifi 192.168.0.254 (the ISP router is also a Wifi AP)
        ^v LAN1 Wifi 192.168.0.0/24
        ^v WAN OPNsense NIC1 192.168.0.31 (access authorized from private networks)
                  ^v LAN2 OPNsense NIC2 192.168.3.0/24
                            ^v Laptops and other mobile devices
                  ^v DMZ OPNsense NIC3 192.168.2.0/24
                            ^v VM1 Plex 192.168.2.18
                            ^v VM2 Duplicati 192.168.2.16
                            ^v VM3 …

The situation:
- LAN1 and LAN2 access the Internet without any issue
- LAN2 access the DMZ without any issue
- Issue #1: DMZ can ping Google.com but:
- cannot open a web page, or cannot update my Linux VMs (apt-get does not work, on any of the 3 VM)
- Plex cannot connect to the Internet. The WAN interface denies access with a “default deny rule” that I suppose is because of a floating rule (that I can’t delete!)
- Issue #2: LAN1 and Internet cannot access the DMZ (while it should, thru for example port 32400 for Plex)

Illustration of issue #1 for Plex (firewall log; the 86.xx IP is my public address, the xx.0.50 IP is my phone from LAN1, the xx.2.18 is my VM1 from DMZ):
 cf. image #1

I have tried everything:
- many tries to NAT and FW rules
- enabling a DMZ on my ISP Router and directing flows to the OPNsense WAN address
- and many, many other things (cleared the states, tried Outbound NAT auto reflection, rebooted, etc.)

Any help very welcomed as I’m (quite) new to firewalls and getting a bit crazy with this!

Below my NAT, Floating rules, WAN, DMZ and LAN settings:
Firewall NAT settings
cf. image #2

Firewall Floating rules
 cf. images #3, 4, 5
 
Firewall WAN settings
 cf. image #6

Firewall DMZ settings
 cf. image #7

Firewall LAN settings
 cf. image #8
« Last Edit: April 02, 2020, 11:37:08 pm by Tugdualenligne »
Logged

Tugdualenligne

  • Newbie
  • *
  • Posts: 13
  • Karma: 0
    • View Profile
Re: Help! Cannot get out WAN interface from DMZ for some services (and reverse)
« Reply #1 on: April 02, 2020, 10:15:13 pm »
Images 4 to 6
Logged

Tugdualenligne

  • Newbie
  • *
  • Posts: 13
  • Karma: 0
    • View Profile
Re: Help! Cannot get out WAN interface from DMZ for some services (and reverse)
« Reply #2 on: April 02, 2020, 10:15:51 pm »
Images 7 to 8 (end)
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 20.1 Legacy Series »
  • Help! Cannot get out WAN interface from DMZ for some services (and reverse)
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2