"default deny rule", the nightmare.

Started by Anyel, February 17, 2022, 05:09:25 AM

That change should make no difference here. It relates to traffic inbound to the loopback address.


Cheers,
Franco

After upgrading to 22.1.2_1, same problem.

March 05, 2022, 08:46:59 AM #17 Last Edit: March 05, 2022, 08:51:17 AM by Vilhonator
Check the order of your firewall rules on each network. By default, rules are evaluated from top to bottom, so if you have blocked some network from gaining access to any hosts on the network where your alias hosts lie, you have to move the rule allowing the access above the block rule.

If you are trying to get HTTPS to work, then go to Firewall ---> NAT and create a new rule: the interface is the interface of the network to which the alias host belongs, direction is out, source is "XXX net", destination is the alias, destination port is http, redirect target is your alias and redirect port is https; also set "NAT reflection" to enable, then apply and save the changes.

After that, go to Rules ---> select the network where your alias is, make sure the port forwarding rule is there, and move it above any rules that might block the connection.

The only point where you need to use firewall rules to allow connections between internal networks is when the networks in question don't have "allow all" default rules and / or have block rules between each other.

Oh, and obviously make sure the server you are trying to connect to is listening on the HTTPS port and also that its firewall isn't blocking HTTPS <---- has been the reason why my servers haven't worked as they should quite a few times ^^

@Fright - The network is very simple.

It is a cloud/KVM environment. There is a mandatory gateway (layer 3), 10.0.0.1, with a NAT for 10.0.0.2 (OPNsense). In the environment, there is a route for all destinations to go through 10.0.0.2 (0.0.0.0/0 via 10.0.0.2). DHCP is done by 10.0.0.1 and it is not possible to change that; to get to 10.0.0.2 it is necessary to go through 10.0.0.1, which is also not possible to change. Everything worked fine for a long time.


Got it, @Vilhonator, and everything in NAT has already been tested. It doesn't change anything at all; I spent a couple of hours testing it again now, nothing. What really makes it work is changing state tracking to none. Nothing else worked.
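The two mechanisms this thread turns on, rule order (Vilhonator's post above) and state tracking (the "none" setting that made it work for Anyel), as an added example in Python that is not OPNsense or pf code and was not written by anyone in the thread. It is a toy first-match filter that assumes the OPNsense defaults as I know them: rules are "quick" and so the first match from the top decides, a stateful pass rule carries pf's default `flags S/SA` so only the opening SYN matches it and every later packet must be carried by a state entry, and a floating state table with no interface binding. The addresses, interface names, rule labels and packets are constructed for the scenarios.

```python
"""Toy first-match packet filter for the two points raised in this thread: rule order
and state tracking. Added example, not OPNsense/pf code; all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet is seen on
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class Rule:
    action: str             # "pass" or "block"
    iface: str = "any"
    src: str = "any"        # "any", a host address, or a CIDR prefix
    dst: str = "any"
    dport: int = 0          # 0 = any port
    keep_state: bool = True # False models OPNsense "State Type: none"
    label: str = ""

    @staticmethod
    def _in(spec, addr):
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p):
        if self.iface not in ("any", p.iface) or self.dport not in (0, p.dport):
            return False
        if not (self._in(self.src, p.src) and self._in(self.dst, p.dst)):
            return False
        # A stateful pass rule behaves like pf's default "flags S/SA": it matches only
        # the SYN that opens a connection; later packets must be carried by a state entry.
        return not (self.action == "pass" and self.keep_state and not p.syn_only)


class Filter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()     # floating flow keys; interface binding is not modelled

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def evaluate(self, p):
        # 1. A packet matching an existing state passes before any rule is consulted.
        if self._key(p) in self.states:
            return ("pass", "state")
        # 2. Otherwise the first matching rule decides (OPNsense rules are "quick").
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.states.add(self._key(p))
                    self.states.add((p.dst, p.dport, p.src, p.sport))
                return (r.action, r.label)
        # 3. No rule matched: the implicit default deny at the end of the ruleset.
        return ("block", "Default deny rule")


LAN, SERVER, REMOTE = "10.0.0.0/24", "10.0.0.50", "203.0.113.10"   # constructed


def ordering_demo(block_above_allow):
    """Rule order: a block rule placed above the allow rule shadows it."""
    block = Rule("block", iface="lan", src=LAN, dst=SERVER, label="block LAN->server")
    allow = Rule("pass", iface="lan", src=LAN, dst=SERVER, dport=443, label="allow https")
    fw = Filter([block, allow] if block_above_allow else [allow, block])
    return fw.evaluate(Packet("lan", "10.0.0.20", 51000, SERVER, 443, syn_only=True))


def stateful_flow_demo():
    """Normal case: the SYN creates state and the server's reply rides on that state."""
    fw = Filter([Rule("pass", iface="lan", src=LAN, dport=443, label="allow out")])
    syn = Packet("lan", "10.0.0.20", 51000, REMOTE, 443, syn_only=True)
    reply = Packet("wan", REMOTE, 443, "10.0.0.20", 51000)
    return fw.evaluate(syn), fw.evaluate(reply)


def no_state_seen_demo(state_type_none):
    """The thread's symptom: a mid-stream ACK arrives for a flow whose SYN the firewall
    never saw (asymmetric path). Stateful rule -> default deny; State Type none -> pass."""
    allow = Rule("pass", iface="lan", src=LAN, dport=443,
                 keep_state=not state_type_none, label="allow out")
    return Filter([allow]).evaluate(Packet("lan", "10.0.0.20", 51000, REMOTE, 443))


if __name__ == "__main__":
    for name, result in [("block above allow", ordering_demo(True)),
                         ("allow above block", ordering_demo(False)),
                         ("SYN then reply", stateful_flow_demo()),
                         ("ACK only, stateful rule", no_state_seen_demo(False)),
                         ("ACK only, State Type none", no_state_seen_demo(True))]:
        print(f"{name:26}: {result}")
```

The last scenario is the usual reason that setting State Type to none makes a "Default deny" entry disappear: packets reach the firewall with no matching state, typically because of an asymmetric path such as a forced hop through another gateway. The cost is that a stateless rule passes anything that matches it in that direction, with no flag or sequence checking and no automatic allowance for the return path, so rules are needed in both directions and the filter no longer distinguishes a reply from an unsolicited packet. Fixing the path so that the SYN and its replies both traverse OPNsense keeps stateful filtering intact.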