FW between 2 private subnets

[swILeZBa]

Hello, I am experimenting with OPNsense and I want to route between 2 private subnets
192.168.50.x/24 192.168.60.x/24.
there is a web server in the second subnet for testing purposes.
I have port forwarded ports 80 and 443 from first subnet to the second one and made no other rule changes but I can't access it I get a default deny rule from the web server to the FW IIRC.
What kind of options should I make sure that I check for this scenario?
What do I do with double NAT? What options do I have?

Cheers,

[cs@ithandsfree.com]

Okay routing between networks is really easy.. I just resolved this for a client.

client setup:  192.168.0.x(Corp net) -----  10.10.10.x (DMZ network)
*edit*The default rules allow all networks to access each other until you enter some block rules.  However the client needed certain ports and servers on the Corp side accessible, here is what we did.
*correction* No rule is created by default.  We created an Allow All rule for each network to enable internet access simply however had to add a Block Rule for each network to prevent inter-network routing that was not desired

I went to the DMZ Rules and I created the Allow rules for the ports and destination(corp) we wanted to allow and moved them to the top of the list.  Then I created an all Block rule for the DMZ==}Corp network so has to secure the Corp network from the DMZ.

Next the CORP Rules: in this case we left the all network access rule that is created by default as the client did not care about whether any system could access the DMZ network/server from the Corp network.

I have provided pictures of the rule sets that allowed specific access from the DMZ to the Corp network/servers and blocking the rest while allowing the Corp Network to have unrestricted access to DMZ.

If we wanted to lock down Corp==}DMZ we could make rules in the Corp Network Rules section like we did in the DMZ so that only some ports and systems could access the DMZ from the Corp Network.

Hope this helps.

[Greelan]

client setup:  192.168.0.x(Corp net) -----  10.10.10.x (DMZ network)
The default rules allow all networks to access each other until you enter some block rules.

In fact not true. The basic philosophy of OPNsense is that, with limited exceptions like for DHCP and ICMP, traffic between subnets/VLANs is blocked by default.

It is true that the LAN interface is created with two allow any rules for IPv4 and IPv6 - basically to ensure that OPNsense works out of the box. But any other interface/VLAN created does not have any allow any rules, and so virtually all traffic from those subnets is blocked by default.

I’m not sure how helpful it is to be repeating the same info in different threads when the focus of the OP question is on other issues, eg double NAT in this thread or SNAT in another thread? No doubt you are keen to promote your business but I don’t think this is the place for that. Just sayin’…

[cs@ithandsfree.com]

client setup:  192.168.0.x(Corp net) -----  10.10.10.x (DMZ network)
The default rules allow all networks to access each other until you enter some block rules.

In fact not true. The basic philosophy of OPNsense is that, with limited exceptions like for DHCP and ICMP, traffic between subnets/VLANs is blocked by default.

It is true that the LAN interface is created with two allow any rules for IPv4 and IPv6 - basically to ensure that OPNsense works out of the box. But any other interface/VLAN created does not have any allow any rules, and so virtually all traffic from those subnets is blocked by default.

I’m not sure how helpful it is to be repeating the same info in different threads when the focus of the OP question is on other issues, eg double NAT in this thread or SNAT in another thread? No doubt you are keen to promote your business but I don’t think this is the place for that. Just sayin’…

First - I am here to share my experience and help others, not make money.  In fact responding to posts costs me time and money.

2nd:  In each of our clients opnsense deployment out of the box - default configuration all networks were able to communicate with each other.  Even when VLAN's were created, those networks were all able to communicate with each other.  This in fact was a real issue, especially in a designated DMZ network.  The only way I was able to stop inter network communications was by adding a block rule in each network for which network was to be blocked.
Correction: Yes it seems we created an LAN(1)(2)etc ==} Any rule for each network so it could get out to the internet but this rule also allowed each network to communicate with each other... which was resolved by adding Block rules

3rd: As for posting near similar information in another post as a reply, well the content and answer worked for both inquiries.  With that said, in the other post, I missed the first time the user was trying to mask their source IP, so I created an edit to suggest a possible solution path to explore.

Instead of critiquing my response.. why not provide a useful response to the person who created the post.

Further, I have provided screen shots so the User who posted can see which rules produced which result which I believe answers their question as well as provide guidance on how to create the rules.

Cheers

[Greelan]

You can keep repeating the same thing, but it is still not true.

Even the GUI tells you are wrong - have a look at the bottom of the Rules page for each interface: “Everything that is not explicitly passed is blocked by default.”

Yes, with the default LAN “allow to any” rules, anything coming into the LAN interface will be allowed anywhere, including to the DMZ subnet. But the reverse does not apply (other than of course stateful replies to incoming LAN traffic).

Outbound NAT has nothing to do with it. The automatic Floating rules block everything into an interface by default (with limited exceptions), and allow everything out of an interface by default (coz OPNsense’s default policy is to filter inbound).

[cs@ithandsfree.com]

You can keep repeating the same thing, but it is still not true.

Even the GUI tells you are wrong - have a look at the bottom of the Rules page for each interface: “Everything that is not explicitly passed is blocked by default.”

Yes, with the default LAN “allow to any” rules, anything coming into the LAN interface will be allowed anywhere, including to the DMZ subnet. But the reverse does not apply (other than of course stateful replies to incoming LAN traffic).

Outbound NAT has nothing to do with it. The automatic Floating rules block everything into an interface by default (with limited exceptions), and allow everything out of an interface by default (coz OPNsense’s default policy is to filter inbound).

So do you have suggestions for the User who posted why not help them?

[Greelan]

In fact I have in the past when they had issues with accessing their webserver. They have some funky virtualised setup that seems to cause odd behaviour (the reference to double NAT is a clue). It’s probable their issues are not related to OPNsense, either in part or at all. Too difficult to troubleshoot all the variables with limited info

[bimbar]

Hello, I am experimenting with OPNsense and I want to route between 2 private subnets
192.168.50.x/24 192.168.60.x/24.
there is a web server in the second subnet for testing purposes.
I have port forwarded ports 80 and 443 from first subnet to the second one and made no other rule changes but I can't access it I get a default deny rule from the web server to the FW IIRC.
What kind of options should I make sure that I check for this scenario?
What do I do with double NAT? What options do I have?

Cheers,

For allowing traffic between two private subnets, you should not have to NAT anything. In fact, I'd strongly discourage it.

[swILeZBa]

In fact I have in the past when they had issues with accessing their webserver. They have some funky virtualised setup that seems to cause odd behaviour (the reference to double NAT is a clue). It’s probable their issues are not related to OPNsense, either in part or at all. Too difficult to troubleshoot all the variables with limited info

Hi Greelan,

I do have a virtualised setup.
What kind of information I could add that would help troubleshoot this issue? If you could point me to any posts where you have advised for a similar situation that would be great :p.

Thanks for your help.

[bongo]

i had similar issues quite some time ago.
as far as i remember, in the end i just had to define a rule on the interface where the host, launching the connection was attached, to allow traffic from the source host to the destination host.
there was no nat/pat or things like that involved. so the destination host sees the source host (with it's ip address) as a sender. i.e. it needs to accept a request from an ip in a "foureign subnet".
but i don't remember all the details as it's too long ago. i just remember that the way it is done is completely different from the FW i had before, and therefore it took me quite long to find the right way to go.

[swILeZBa]

i had similar issues quite some time ago.
as far as i remember, in the end i just had to define a rule on the interface where the host, launching the connection was attached, to allow traffic from the source host to the destination host.
there was no nat/pat or things like that involved. so the destination host sees the source host (with it's ip address) as a sender. i.e. it needs to accept a request from an ip in a "foureign subnet".
but i don't remember all the details as it's too long ago. i just remember that the way it is done is completely different from the FW i had before, and therefore it took me quite long to find the right way to go.

Thank you, this sounds like a promising route to take. I will try to figure it out.

[swILeZBa]

I don't know if this helps but I checked the Logs -> Live View and the rules seemed to be correct and I also checked the Diagnostics -> States and I got this:

How can the SRC be SYN_SENT and the DST be ESTABLISHED. Does this mean anything important?