Accessing OPNsense from an upstream LAN

Started by TartnessZeroDuplicate, August 02, 2020, 07:02:48 AM

Hey, I've just installed OPNsense and I'm amazed at what it can do, super excited to dig in! But I've hit my first roadblock, which I think is due to my network configuration. I'm hosting OPNsense as a VM in Proxmox, and want it to act as the firewall to another VM on Proxmox. The below is a working configuration:

Internet - Router - OPNsense - host 1

If I host a webserver on host 1 at port 8001, and do the applicable port forwarding on my router and on OPNsense, that webserver is accessible via the internet, all good.

BUT! If I try to access it from another PC on my LAN:

Internet - Router - host 2
No bingo.

The complete network looks like:
Internet (public ip) - Router (192.168.0.1) - (192.168.0.144) OPNsense (192.168.1.1) - host 1 (192.168.1.101)
                                                                   - host 2 (192.168.0.102)

Since host 2 is on the WAN side of OPNsense, but has a LAN style IP address, I have disabled the setting "Block private networks" in:
Interfaces - WAN - Block private networks (disabled)
This has not solved the problem.

Fault finding so far:
From host 2 I can access the web server from publicIP:8001
From host 2 I cannot access the web server on host 1 from 192.168.0.144:8001 (the part I'm trying to fix)
From host 2 I cannot ping OPNsense on 192.168.0.144 (presumably a feature?)
From OPNsense I can ping host 2 on 192.168.0.102

I thought "disable blocking private networks" would be the magic bullet here, but it seems not. Any ideas?

I've found another post here marked solved which was pretty much the same problem. Having 2 LANs connected to the firewall. I followed the steps to setup outbound NAT in hybrid mode and added the rule, but it doesn't seem to have changed anything for me. It was a 2016 post, has the system changed since then or should I be doing something else?

https://forum.opnsense.org/index.php?topic=3050.msg9401#msg9401

FW rules on WAN, and NAT rules, maybe? ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hey chemlud, I've tried both of those, to no avail. I've tried both generic rules of *'s, and specific rules, nothing seems to work. As far as I can tell, disabling "block private networks" doesn't seem to work?

Maybe you should post the requested info here for further help?
kind regards
chemlud

When you set upstream gateway in Interfaces ALL replies are sent to it, no matter if it is on the same network.

So you can set it to auto-detect and just create a default gateway, or disable auto reply-to in Firewall : Settings : Advanced (might be problematic on multi-WAN), or allow the async stream on your edge router, which seems to block it.
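A small model of the reply-to behaviour described above, added here as an illustration; it is not from the thread or from OPNsense's own code. The addresses are the thread's, while the Internet client 203.0.113.10 and the assumption that the edge router drops replies for flows it never saw are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses mirroring the thread's topology.
WAN_NET = ip_network("192.168.0.0/24")        # subnet on OPNsense's WAN side
WAN_GW = ip_address("192.168.0.1")            # upstream (edge) router
HOST2 = ip_address("192.168.0.95")            # LAN PC beside the router
INTERNET_CLIENT = ip_address("203.0.113.10")  # constructed Internet client


def reply_next_hop(client, reply_to_gw):
    """Next hop OPNsense uses for the reply of a connection that came in on WAN.

    reply_to_gw is the gateway pf tagged the state with (the interface's
    upstream gateway), or None when no reply-to applies (interface gateway set
    to auto-detect / none, or "Disable reply-to" checked).
    """
    if reply_to_gw is not None:
        # reply-to forces the reply out through that gateway, bypassing the
        # routing table even for hosts on the directly connected subnet.
        return reply_to_gw
    if client in WAN_NET:
        return client          # directly connected: deliver straight to the host
    return WAN_GW              # everything else follows the default route


def reply_delivered(client, reply_to_gw, router_allows_asymmetric=False):
    """Does `client` ever receive the reply (the SYN-ACK, the echo reply)?"""
    hop = reply_next_hop(client, reply_to_gw)
    if hop == client:
        return True
    if client in WAN_NET:
        # The router is handed a reply for a flow whose first packet it never
        # saw (host 2 talked to OPNsense directly). A stateful router drops it
        # unless asymmetric traffic is explicitly allowed (constructed assumption).
        return router_allows_asymmetric
    return True                # Internet client: the router forwards normally


def summarize(reply_to_gw, router_allows_asymmetric=False):
    """Map each client to whether the connection works for a given setup."""
    return {
        "host 2": reply_delivered(HOST2, reply_to_gw, router_allows_asymmetric),
        "internet": reply_delivered(INTERNET_CLIENT, reply_to_gw, router_allows_asymmetric),
    }


if __name__ == "__main__":
    print("upstream gateway set, reply-to on :", summarize(WAN_GW))
    print("reply-to disabled / no gateway    :", summarize(None))
    print("reply-to on, router allows async  :", summarize(WAN_GW, True))
```

The first case reproduces the symptom (Internet works, host 2 does not); the other two correspond to the fixes named above.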

Quote from: chemlud on August 14, 2020, 08:15:56 AM
Maybe you should post the requested info here for further help?

Ahh, I thought you were telling me to look into configuring those, not to post them, I misunderstood.

Screenshots of rules here: https://imgur.com/a/ObfFMzm

I rebuilt everything in an attempt to fix, new IP addresses used in the screenshots are:

Internet (public ip) - Router (192.168.0.1) - (192.168.0.190) OPNsense (192.168.1.1) - host 1 (192.168.1.101)
                                                                   - host 2 (192.168.0.95)
                                                                   - host 3 (192.168.0.149)

I have since disabled the "NAT: One-to-One" rule shown in the screenshots, as it made host 1 unable to connect to the internet.

Further connection attempts:
From host 2 I can access the web server from publicIP:8001
From host 2 I cannot access the web server on host 1 from 192.168.0.190:8001 (the part I'm trying to fix)

From OPNsense I can ping host 2 on 192.168.0.95
From host 1 I can ping host 2 on 192.168.0.95
From host 2 I cannot ping OPNsense on 192.168.0.190 (presumably a feature?)
From host 2 I can ping host 3

This configuration also looks like what a potential DMZ would look like. Is there any way to allow incoming connections from certain IPs in a DMZ?

Found the solution from this post:
https://forum.opnsense.org/index.php?topic=8833.0

If the WAN port of the firewall has an RFC1918 local IP, and you want to access it from another terminal on the same network as the WAN port, you need to disable reply-to globally (Firewall: Settings: Advanced)

Or remove upstream in Interface section like I said before :)