Accessing OPNsense from an upstream LAN

[TartnessZeroDuplicate]

Hey, I've just installed OPNsense and I'm amazed at what it can do, super excited to dig in! But I've hit my first roadblock, which I think is due to my network configuration. I'm hosting OPNsense as a VM in Proxmox, and want it to act as the firewall to another VM on Proxmox. The below is a working configuration:

Internet - Router - OPNsense - host 1

If I host a webserver on host 1 at port 8001, and do the applicable port forwarding on my router and on OPNsense, that webserver is accessible via the internet, all good.

BUT! If I try to access it from another PC on my LAN:

Internet - Router - host 2
No bingo.

The complete network looks like:
Internet (public ip) - Router (192.168.0.1) - (192.168.0.144) OPNsense (192.168.1.1) - host 1 (192.168.1.101)
                                                                   - host 2 (192.168.0.102)

Since host 2 is on the WAN side of OPNsense, but has a LAN style IP address, I have disabled the setting "Block private networks" in:
Interfaces - WAN - Block private networks (disabled)
This has not solved the problem.

Fault finding so far:
From host 2 I can access the web server from publicIP:8001
From host 2 I cannot access the web server on host 1 from 192.168.0.144:8001 (the part I'm trying to fix)
From host 2 I cannot ping OPNsense on 192.168.0.144 (presumably a feature?)
From OPNsense I can ping host 2 on 192.168.0.102

I thought "disable blocking private networks" would be the magic bullet here, but it seems not. Any ideas?

[TartnessZeroDuplicate]

I've found another post here marked solved which was pretty much the same problem. Having 2 LANs connected to the firewall. I followed the steps to setup outbound NAT in hybrid mode and added the rule, but it doesn't seem to have changed anything for me. It was a 2016 post, has the system changed since then or should I be doing something else?

https://forum.opnsense.org/index.php?topic=3050.msg9401#msg9401

[chemlud]

FW rules on WAN, and NAT rules, maybe? ;-)

[TartnessZeroDuplicate]

Hey chemlud, I've tried both those, to no avail. I've tried both generic rules of *'s, and specific rules, nothing seems to work. As far as I can tell, disabling "block private networks" doesn't seem to work?

[chemlud]

Maybe you should post the requested info here for further help?

[mimugmail]

When you set upstream gateway in Interfaces ALL replies are sent to it, no matter if it is on the same network.

So you can set to auto-detect and just create a default gateway, or disable auto reply-to in Firewall : Settings : Advanced (might be problematic on Multi wan) or allow the async stream on your edge router which seems to block it

[TartnessZeroDuplicate]

Maybe you should post the requested info here for further help?

Ahh, I thought you were telling me to look into configuring those, not to post them, I miss-understood.

Screenshots of rules here: https://imgur.com/a/ObfFMzm

I rebuilt everything in an attempt to fix, new IP addresses used in the screenshots are:

Internet (public ip) - Router (192.168.0.1) - (192.168.0.190) OPNsense (192.168.1.1) - host 1 (192.168.1.101)
                                                                   - host 2 (192.168.0.95)
                                                                   - host 3 (192.168.0.149)

I have since disabled the "NAT: One-to-One" rule shown in the screenshots, as it made host 1 unable to connect to the internet.

Further connection attempts:
From host 2 I can access the web server from publicIP:8001
From host 2 I cannot access the web server on host 1 from 192.168.0.190:8001 (the part I'm trying to fix)

From OPNsense I can ping host 2 on 192.168.0.95
From host 1 I can ping host 2 on 192.168.0.95
From host 2 I cannot ping OPNsense on 192.168.0.190 (presumably a feature?)
From host 2 I can ping host 3

[TartnessZeroDuplicate]

This configuration also looks like what a potential DMZ would look like. Is there any way to allow incoming connections from certain IPs in a DMZ?

[TartnessZeroDuplicate]

Found the solution from this post:
https://forum.opnsense.org/index.php?topic=8833.0

If the WAN port of the firewall has an RFC1918 local IP, and you want to access it from another terminal on the same network as the WAN port, you need to disable reply-to globally (Firewall: Settings: Advanced)

[mimugmail]

Or remove upstream in Interface section like I said before