Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Allowing traffic from OpnSense to LAN despite port forwarding?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Allowing traffic from OpnSense to LAN despite port forwarding? (Read 1475 times)
meyergru
Hero Member
Posts: 1684
Karma: 165
IT Aficionado
Allowing traffic from OpnSense to LAN despite port forwarding?
«
on:
November 05, 2021, 11:33:57 pm »
Maybe I am just too dumb...
After having found out that the os-git-backup plugin does not encrypt the configuration backups (which is O.K., since that way the deltas can be investigated), I tried to setup my own git server.
After a bit of trial and error, I was very surprised to find out that I could not access SSH in my own LAN from the firewall itself (nor can I access HTTP or HTTPS). Pinging the LAN IPs works, however.
My setup is a WAN via PPPoE and outbound NAT (even with NAT reflection) plus a LAN and a GUEST network. There are some port forwarding rules as well, but they should not matter.
When I disable all traffic filtering, a 'curl
https://192.168
.1.3' from the firewall works, but I cannot find for the life of me which rule blocks traffic from the firewall 192.168.1.1 to the LAN server 192.168.1.3. I think it cannot be NAT, since that only applies to the outgoing WAN traffic.
I know that ICMP is allowed in the auto-generated rules, so I looked them up, but found nothing suspicious.
There are no log entries for blocked packets, and I have already tried to switch on logging for the default drop rules (can that be done for auto-generated rules, too?).
I even tried create a rule to allow anything from LAN, move it before anything else and make it 'quick' - alas, to no avail.
What am I doing wrong?
P.S.: Now that I tried something else, I found that this is correlated to port forwarding with reflection enabled: I actually can access any server/port combination that is not already on the right hand side of a port forwarding rule. It seems like there are translation rules in place for the response packets that apply to any sender, regardless if he comes from the WAN... it does not help to limit the forwarding rule to "!this firewall".
Despite a NAT reflection, accessing the WAN side of the port forwarding rule does not work, either, from the firewall itself. I thought that the port forwarding rules apply to packets from the WAN side only. While this might be the case, the response packets are always getting diverted.
«
Last Edit: November 06, 2021, 02:01:57 pm by meyergru
»
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
HarlemSquirrel
Newbie
Posts: 1
Karma: 0
Re: Allowing traffic from OpnSense to LAN despite port forwarding?
«
Reply #1 on:
March 23, 2022, 01:37:13 pm »
This sounds like my issues as well. I set up port forwarding to my home assistant. It works fine from another networks but when on the same network the connection hangs and I don't see any firewall logs blocking the connection.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Allowing traffic from OpnSense to LAN despite port forwarding?