Can't reach internet from another subnet

Started by mflammia, October 29, 2020, 07:54:41 PM

Hi,

The internal interface on the firewall has an IP address of 192.168.0.250. The router it connects to has an IP address of 192.168.0.254.

The default route on the router is pointing to the firewall (192.168.0.250), and the default route for the internal interface of the firewall is the router (192.168.0.254)

Anything on the 192.168.x.x/24 subnet works fine.

The router has other VLANs / subnets configured, like 192.168.200.x/24. Anything on this subnet can reach the firewall, and vice versa.

Tracert on a PC on the 192.168.200.x/24 to the internet reaches the firewall 192.168.0.250 but then stops.

There is a rule specifically allowing 192.168.200.x/24 out.

When looking at the live diagnostics you can see traffic from 192.168.200.x/24 being allowed in green.

Problem is that anything in 192.168.200.x/24 cannot ping or reach the internet in any way, and I can't figure out why?

There must be some other configuration, other than a rule, that that subnet needs to be included in, I assume?

Many thanks in advance.

I can't follow your description of your setup.

Quote from: mflammia on October 29, 2020, 07:54:41 PM
The default route on the router is pointing to the firewall (192.168.0.250), and the default route for the internal interface of the firewall is the router (192.168.0.254)

Sounds like a loop!?

Why is your OPNsense with its internal interface in the same subnet, where the router is? Is this router your WAN router?

Maybe you can create some sort of graphical network plan for us to understand what your setup looks like.

As a guess I would think that you need to create an Outbound NAT rule for that network. Usually OPNsense is taking care of this, if the networks are directly connected to the OPNsense, but in this case the OPNsense doesn't know anything about this network.
,,The S in IoT stands for Security!" :)

Thanks for getting back so quick.

Apologies, I can see why that was probably confusing.

I've added a diagram, and the route that points 192.168.200.x/24 to the internal router 192.168.0.250. I've also shown that I have also got an outbound NAT for the 192.168.200.x/24 network, which I originally thought might be the issue; could it be the way I've created it?

Anyway, hope that helps.

Many thanks
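To make the two points raised in the reply above concrete (the firewall does not know the 192.168.200.x/24 network, so it needs both a route back to it and an outbound NAT rule for it), here is an added example that models the forward and return path of a packet through the firewall. This is not OPNsense code and not the original poster's configuration; the topology is constructed from the addresses in this thread, and the WAN and Internet addresses are placeholders from the documentation ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the thread. The WAN side is a placeholder
# (TEST-NET-3 documentation range), not an address from the post.
FW_WAN_IP = ip_address("203.0.113.10")
WAN_GATEWAY = ip_address("203.0.113.1")
FW_LAN_IP = ip_address("192.168.0.250")
ROUTER_LAN_IP = ip_address("192.168.0.254")
CLIENT = ip_address("192.168.200.110")      # host on the VLAN behind the router
INTERNET_HOST = ip_address("198.51.100.7")  # placeholder Internet destination

# Firewall routing table: (prefix, next hop or None if directly connected, interface)
CONNECTED_ROUTES = [
    (ip_network("0.0.0.0/0"), WAN_GATEWAY, "wan"),
    (ip_network("203.0.113.0/24"), None, "wan"),
    (ip_network("192.168.0.0/24"), None, "lan"),
]
# The static route the original poster added: 192.168.200.0/24 via the router.
STATIC_ROUTE_TO_VLAN = (ip_network("192.168.200.0/24"), ROUTER_LAN_IP, "lan")

# Outbound NAT rules: (interface, source network, translation address)
AUTO_NAT_LAN = ("wan", ip_network("192.168.0.0/24"), FW_WAN_IP)
MANUAL_NAT_VLAN = ("wan", ip_network("192.168.200.0/24"), FW_WAN_IP)


def longest_match(routes, dst):
    """Longest-prefix lookup; returns (prefix, next_hop, iface) or None."""
    best = None
    for route in routes:
        prefix = route[0]
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = route
    return best


def outbound_nat_target(nat_rules, src, out_iface):
    """First NAT rule on out_iface whose source network contains src."""
    for iface, src_net, target in nat_rules:
        if iface == out_iface and src in src_net:
            return target
    return None


def check_internet_path(routes, nat_rules, client, dst):
    """Simulate client -> dst through the firewall and the reply coming back.
    Returns a list of findings; an empty list means nothing obvious is missing."""
    findings = []

    # Forward direction: the firewall must route dst out of its WAN interface.
    fwd = longest_match(routes, dst)
    if fwd is None or fwd[2] != "wan":
        findings.append(f"no route sends {dst} out of the WAN interface")
        return findings

    # The private source must be translated, or the reply is addressed to
    # 192.168.x.x and is dropped somewhere upstream.
    if outbound_nat_target(nat_rules, client, "wan") is None:
        findings.append(f"no outbound NAT rule on wan covers {client}")

    # Return direction: after un-NAT the firewall needs a route to the client
    # that points back at the router, not at the default gateway.
    back = longest_match(routes, client)
    if back is None or back[2] == "wan":
        findings.append(f"reply to {client} would follow the default route out of WAN")
    elif back[1] is not None and back[1] != ROUTER_LAN_IP:
        findings.append(f"reply to {client} would go to {back[1]} rather than the router")
    return findings


def scenarios():
    """The states discussed in the thread, keyed by a short label."""
    return {
        "lan host, auto NAT only": check_internet_path(
            CONNECTED_ROUTES, [AUTO_NAT_LAN], ip_address("192.168.0.20"), INTERNET_HOST),
        "vlan host, no route, no NAT": check_internet_path(
            CONNECTED_ROUTES, [AUTO_NAT_LAN], CLIENT, INTERNET_HOST),
        "vlan host, route but no NAT": check_internet_path(
            CONNECTED_ROUTES + [STATIC_ROUTE_TO_VLAN], [AUTO_NAT_LAN], CLIENT, INTERNET_HOST),
        "vlan host, route and NAT": check_internet_path(
            CONNECTED_ROUTES + [STATIC_ROUTE_TO_VLAN], [AUTO_NAT_LAN, MANUAL_NAT_VLAN],
            CLIENT, INTERNET_HOST),
    }


if __name__ == "__main__":
    for label, findings in scenarios().items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The directly connected 192.168.0.0/24 host passes with only the automatic NAT rule, which matches the thread's observation that the first subnet "works fine". The VLAN host fails two checks until both the static route via 192.168.0.254 and the manual outbound NAT rule are present; a firewall rule that permits the traffic (the green entries in the live view) is necessary but does not by itself satisfy either check.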


The only difference I see is the NAT Address. In your rule it is WAN Address and on the auto-rules it's WAN. Maybe you can experiment with that value?
,,The S in IoT stands for Security!" :)

That thought had crossed my mind, but there isn't the option for just 'WAN' like auto-rules? See image below.

It's strange. The routing is OK, the firewall rules seem OK and are being accepted, and the NAT is there, but it is the firewall that is blocking it?

Try it with interface address.

Rest seems to be valid. Send a screenshot of the firewall rule allowing that traffic. Any special checkboxes activated?
,,The S in IoT stands for Security!" :)

Tried that but doesn't seem to have helped.

I've attached the screenshots so that you can see, and the one you asked for.

No other checkboxes that I can think of; it's pretty much as it was out of the box. Strange, right? Should be a fairly simple thing to be able to do?

Probably going to be some kind of checkbox?

Quote from: mflammia on October 29, 2020, 10:25:50 PM
Tried that but doesn't seem to have helped.

I've attached the screenshots so that you can see, and the one you asked for.

No other checkboxes that I can think of; it's pretty much as it was out of the box. Strange, right? Should be a fairly simple thing to be able to do?

Probably going to be some kind of checkbox?

Yes, strange. In the live view you see the packets?
,,The S in IoT stands for Security!" :)

I do, but I had to turn off the NAT for that subnet 192.168.200.x/24. If I leave it enabled nothing shows in the live view from 192.168.200.110.

Image below with the NAT turned off:

Even with the NAT address returned to the value you had before?
,,The S in IoT stands for Security!" :)

Just playing with that, but yep! Set it back to 'WAN Address' and all entries stop showing up from that subnet in the live view?

But do you see traffic leaving the firewall in the live view while pinging a host in the Internet from the 200 subnet?

Without filter.
,,The S in IoT stands for Security!" :)

That's the thing, only when I disable that NAT rule. Otherwise no, I see nothing.

Those entries in the screenshot from 192.168.200.110 in the live view show regularly until you enable the NAT?

Think I just got it working; I ticked the box in the NAT rule:

No XMLRPC Sync

It still doesn't seem to be pinging or doing a tracert but nslookup worked and can seem to browse webpages.

Let me do a little more testing

Ok, so this is me leading us down a slight garden path.

I've been running a constant ping to some Google addresses and equally doing some traceroutes to validate if the internet connectivity is working from 192.168.200.110. I've been doing the same on the other subnet and that works fine.

What actually seems the case is that browsing is working after playing with the NAT rule.

I've made sure the firewall is disabled on 192.168.200.110, but still the same.

Would still like to know why ping and tracert are not working on an "any" rule, but you have been very generous with your time and I've had us going around in circles for a while.

The good news is the process and advice you have offered probably did the trick, so very much appreciated.