What firewall rule blocks my traffic

Started by zyx360, June 08, 2022, 02:32:36 PM

Hi there,

I have a strange issue to troubleshoot.
I have a setup that looks like this:

Provider-Router (wan: x.x.x.x, lan: 192.168.111.1/24) -> Opnsense (wan: 192.168.111.2/24, lan: 192.168.112.0/24)

I know this setup is not ideal, but it is something I have to deal with for now.
Some of my clients are connected on the provider-router's wifi and receive a DHCP IP from the 111.0/24 subnet.
I want these clients to be able to connect to the opnsense management interface on the WAN address.

To make this possible I:
- Disabled the block bogon networks setting
- Disabled the block private networks setting
- Created an allow rule on the WAN interface that allows 80/443

I am however still unable to access the management interface.

I was hoping that I would be able to monitor what's being blocked by navigating to:
Firewall > Log files > Live view

But for whatever reason I don't see the traffic being blocked there.

I know for a fact that something on opnsense is blocking my traffic since a "pfctl -d" through the command line magically makes things work as expected.

Can anyone point me in the right direction on how I can monitor what's actually dropping my request?

Thanks!
Z

After some more investigation I found the firewall logs did not show entries because the traffic was actually allowed.

I've tried connecting with curl from a machine in the 111.0/24 network; this throws a cryptic error.

[root@controller ~]# curl -vvvv  https://192.168.111.2
* Rebuilt URL to: https://192.168.111.2/
*   Trying 192.168.111.2...
* TCP_NODELAY set
* Connected to 192.168.111.2 (192.168.111.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.111.2:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.111.2:443

Would you mind sharing a screenshot of your WAN rule set, including the section with the description "Automatically generated rules", where you have to expand the drop-down to see the full list of rules?
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD

Doesn't seem to be a firewall rule, as you have found. There is no server hello after the client hello, and I suggest drilling into "CApath: none".
Where it doesn't work from, is it over a terminal via commands too, or web browsers? Something to do with the certs seems off.
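The reasoning in the reply above (TCP connected, Client Hello sent, no Server Hello, so the packet filter is an unlikely culprit) can be turned into a small triage helper. This is an added example, not code from the thread or from OPNsense; it reads the curl -v transcript quoted in the post and a second, constructed transcript of a silently dropped connection, and reports at which stage each session failed.

```python
import re

# curl -v transcript as quoted in the post above (lines relevant to the triage).
POSTED_TRANSCRIPT = """\
* Rebuilt URL to: https://192.168.111.2/
*   Trying 192.168.111.2...
* Connected to 192.168.111.2 (192.168.111.2) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.111.2:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.111.2:443
"""

# Constructed contrast case: what curl prints when a stateful filter silently drops the SYN.
DROPPED_TRANSCRIPT = """\
*   Trying 192.168.111.2...
* connect to 192.168.111.2 port 443 failed: Connection timed out
curl: (28) Failed to connect to 192.168.111.2 port 443: Connection timed out
"""

def classify(transcript: str) -> dict:
    """Determine how far a curl -v session got and what that implies for the filter."""
    connected = re.search(r"^\* Connected to ", transcript, re.M) is not None
    client_hello = "TLS handshake, Client hello" in transcript
    server_hello = "TLS handshake, Server hello" in transcript
    if not connected:
        if "timed out" in transcript:
            # No SYN-ACK at all: consistent with a packet filter dropping the connection.
            stage, verdict = "tcp", "no TCP handshake; a silent drop by a stateful firewall is the usual cause"
        elif "Connection refused" in transcript:
            # RST on connect: nothing listening, or a reject (not drop) rule.
            stage, verdict = "tcp", "TCP reset on connect; no listener, or a reject rule"
        else:
            stage, verdict = "tcp", "connect failed before the TCP handshake completed"
    elif client_hello and not server_hello:
        # TCP completed and the Client Hello left the host: L3/L4 filtering is unlikely.
        stage, verdict = "tls", "peer closed after Client Hello; look at the TLS listener/certificates, not the rule set"
    elif server_hello:
        stage, verdict = "tls", "handshake passed Server Hello; check certificate or application errors"
    else:
        stage, verdict = "unknown", "transcript too short to judge"
    return {"tcp_connected": connected, "client_hello_sent": client_hello,
            "server_hello_seen": server_hello, "stage": stage, "verdict": verdict}

if __name__ == "__main__":
    for name, text in (("posted", POSTED_TRANSCRIPT), ("dropped", DROPPED_TRANSCRIPT)):
        print(name, classify(text))
```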