Intra LAN communication doesn't work

Started by Wuschy, November 25, 2020, 02:56:28 PM

Dear all,

I face the following issue:
I have a Microserver on which I want to have a "locked down" virtualization environment / appliance (ESXi, OPNsense & three Windows VMs). On our LAN, we have IPs 172.22.104.xxx with VLAN tags.
So the OPNsense's WAN interface is within our LAN (currently gets a DHCP IP) and the OPNsense's LAN interface is in 192.168.1.xxx range.

I have no problem pinging from within the appliance to our company's LAN (172.22.104.xxx). But I'm totally stuck on connecting or even pinging from the company's LAN to the appliance.
I've created a pass rule for ICMP on the WAN interface and disabled the blocking of private and bogon networks: no ping response.
When I disable the firewall / packet filtering, I get the responses...

I've also created a port forward for RDP to a VM, without any success (which makes sense when I'm not even able to ping that thing).

Under Diagnostics - pfTop, I can see the incoming connection:
pfTop: Up State 1-31/31, View: default, Order: age
PR        DIR SRC                                           DEST                                                   STATE                AGE       EXP     PKTS    BYTES     
tcp       In  172.22.104.xxx:55675                          192.168.1.103:3389                                 CLOSED:SYN_SENT     00:00:08  00:00:29        4      192   
tcp       Out 172.22.104.xxx:55675                          192.168.1.103:3389                               SYN_SENT:CLOSED       00:00:08  00:00:29        4      192

Under Log Files - Live View I can't find anything at all...

Any ideas?

Thanks for any help!!

No one? No idea? ... btw. it works with pfSense (interestingly not the ping so far, but I got an RDP connection working...)

Finally found the solution, but don't know exactly why:
Filter rule association has to be set to "pass" instead of "Rule NAT" ... anyone knows why, or what's the difference?

Quote from: Wuschy on November 28, 2020, 09:52:34 AM
Finally found the solution, but don't know exactly why:
Filter rule association has to be set to "pass" instead of "Rule NAT" ... anyone knows why, or what's the difference?

Maybe a screenshot helps to understand what you mean. Thank you.
"The S in IoT stands for Security!" :)

Hi Gauss23

Thanks for your reply! Attached you can find the screenshot.
Waiting for your feedback :)

Thanks and best regards

Wuschy

btw. I found this Bug Report:
https://forum.opnsense.org/index.php?topic=6192.0

Most confusing, at my home (with an Internet-IP address), the port-forward using "Rule NAT" works like a charm?!
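For readers wondering what the two "Filter rule association" settings from this thread actually change, here is an added illustration written as FreeBSD pf rules of the kind OPNsense generates; it is not rules copied from the poster's box or from OPNsense's own config (which adds tags and other details). Assumptions: the WAN interface is em0 and its gateway is 172.22.104.1 (placeholder); the address 192.168.1.103:3389 comes from the pfTop output earlier in the thread.

```pf
# Added illustration, not the rules from the thread or OPNsense's own output.
# Assumption: WAN is em0 with gateway 172.22.104.1 (placeholder address).

# 1) Filter rule association = "Pass"
#    The "pass" modifier on the rdr rule makes pf pass packets that match
#    the translation immediately, without evaluating the filter ruleset at
#    all (pf.conf(5)). No WAN filter rule, and no reply-to, is involved.
rdr pass on em0 inet proto tcp from any to (em0) port 3389 -> 192.168.1.103 port 3389

# 2) Filter rule association = "Rule NAT" (associated filter rule)
#    Translation and filtering are separate steps: the rdr rule only
#    rewrites the destination, and a linked "pass in" rule on WAN must then
#    match the already-translated packet (destination 192.168.1.103:3389).
#    Unless "Disable reply-to" is set, OPNsense generates that rule with
#    reply-to pointing at the WAN gateway, so the VM's replies are handed
#    to the gateway instead of straight back to a client that sits on the
#    WAN segment itself. That is one way the two variants can differ when
#    the client is inside the same LAN as the WAN interface; whether it is
#    what happened in this thread is not something the posts settle.
rdr on em0 inet proto tcp from any to (em0) port 3389 -> 192.168.1.103 port 3389
pass in quick on em0 reply-to (em0 172.22.104.1) inet proto tcp from any to 192.168.1.103 port 3389 keep state
```

A quick way to compare the two on a running box is to dump the loaded rules (pfctl -sr and pfctl -sn) and look for which form of the 3389 rule is present and whether it carries reply-to.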