Communication between two LANs

Started by laterizi, December 28, 2022, 06:48:18 PM

December 28, 2022, 06:48:18 PM Last Edit: December 28, 2022, 09:07:55 PM by laterizi
Hello everyone. I have a strange configuration (the customer told me how he wanted it) that I can't get to work as I would like.

He has a single gateway, a modem/router provided by the ISP, with internal address 192.168.64.1 and an OPNsense box with WAN interface 192.168.64.15.

This has two separate LAN interfaces, one with address 192.168.32.1 (LAN interface) and another with address 192.168.48.1 (OPT1 interface). For some strange reason, all PCs on the LAN must communicate with PCs on the OPT1 network and vice versa.

Right now, recently installed, OPNsense makes the PCs on the LAN OPT1 network communicate with those on the OPT1 LAN network, but those on the OPT1 LAN network do not communicate with those on the LAN OPT1 network. No further changes have been made.

It would be necessary to have the PCs on the OPT1 LAN network communicate with those on the LAN OPT1 network and, when desired, to be able to isolate the two networks quickly (which is strange, but so much is).

Can you help me with this?

Gianluca

Make sure that under Firewall Rules for OPT1 you allow communication from the OPT1 net to everything or at least LAN net.

Quote from: lilsense on December 28, 2022, 08:04:33 PM
Make sure that under Firewall Rules for OPT1 you allow communication from the OPT1 net to everything or at least LAN net.

I don't mean this as harsh as it might sound, but are you sure they can't communicate? How are you testing? Are you sure local firewalls (i.e., Windows Firewall) aren't blocking at the device level? That's caught me a few times. What are you seeing in the live logs in OPNsense?

Maybe your problem is
Quote
Firewall: Settings: Advanced: Disable reply-to
Try to activate it.

December 29, 2022, 01:20:22 AM #5 Last Edit: December 29, 2022, 01:32:58 AM by Vilhonator
Disable the Windows / Mac / Linux firewall on 2 machines connected to both networks (1 network each), then try to send an ICMP (ping) packet to each other. If it works, then all is fine and the culprit is the firewall of the OS on the machines in question.

If ping doesn't work despite disabling the firewall on both computers, make sure OPNsense has everything as it should be (no firewall rules blocking anything, etc.)

Back up everything, and then add the local IP of the LAN interface of OPNsense to gateways, then go to routes and add a new route: Network is 192.168.0.0/16 and gateway is LAN

Save changes and reboot OPNsense. If you lose internet connection and can't connect to the web GUI of OPNsense, then revert back to the backup you made; if not, then try to ping something on the different network.

If you aren't able to ping any computer belonging to a different network, there's either a firewall blocking it, or routing isn't configured properly (which is most likely the case, since by default you have to manually create routes to each network other than LAN. 192.168.32.0 and 192.168.48.0 with subnet mask 255.255.255.0 belong to the 192.168.0.0/16 netblock, and so does your WAN, so you might lose connectivity, in which case you have to assign different IPs like 172.10.1.1 and 172.10.2.1 for LAN and OPT for simple routing and check the block both belong to, to fix the issue)

Quote from: tmueko on December 28, 2022, 10:48:32 PM
Maybe your problem is
Quote
Firewall: Settings: Advanced: Disable reply-to
Try to activate it.

Has already been activated.

Quote from: FullyBorked on December 28, 2022, 10:01:25 PM
How are you testing?
I tried pinging or connecting to a shared folder. The PCs do not respond to the ping, but they connect to the shared folders.

Quote from: FullyBorked on December 28, 2022, 10:01:25 PM
Are you sure local firewalls (i.e., Windows Firewall) aren't blocking at the device level? That's caught me a few times.
The PCs' firewalls are temporarily disabled so as not to create interference.

December 29, 2022, 09:55:42 AM #8 Last Edit: December 29, 2022, 10:19:42 AM by laterizi
Quote from: Vilhonator on December 29, 2022, 01:20:22 AM
If ping doesn't work despite disabling the firewall on both computers, make sure OPNsense has everything as it should be (no firewall rules blocking anything, etc.)...

From what I have shown above, it seems to be only a ping problem. As you can see, when trying to connect to shared folders of the PCs on the other network, the PCs connect. At this point it really seems to be only a ping problem. For example, you can connect to an HTTP server of one of the PCs on the other network:

Seems that all is as should be.

It is a good idea to block ICMP and network access to the web GUI and SSH of your OPNsense firewall and any possible switches (basically to everything the network in question doesn't need access to). This adds another level of security to your network (without them, anyone can just access the web GUI or SSH on OPNsense and try breaking things. Ping is a bad idea to enable, because with it people are able to find out any possible computers on any network, etc. Ping on the client side of things is used to test if the internet works; that's pretty much all)

December 29, 2022, 11:21:46 AM #10 Last Edit: December 29, 2022, 11:51:37 AM by laterizi
Quote from: Vilhonator on December 29, 2022, 11:10:12 AM
Seems that all is as should be.
Okay, it looks like it's just a big misunderstanding; everything seems to be working properly. But it is still possible from the OPT1 network to ping any PC in the LAN, but not vice versa. I would like to understand how to enable or disable pinging between hosts on the two networks at my convenience. The rule below should block ping from the OPT1 network to the LAN, and instead it continues to work. What am I doing wrong?


December 29, 2022, 11:54:23 AM #11 Last Edit: December 29, 2022, 12:24:07 PM by Vilhonator
    There are a few ways you can do it. You will need a static IPv4 or IPv6 address for the machine that you use to manage networks, preferably on the LAN network.


    • Go to Firewall ---> Aliases and create a new alias (click the tiny + icon at the right side of the alias list)

      Give a description to your alias (for example "management")
      On Type choose Host, and on Value type the IP address of the machine you want to allow.

      After that, you can save and apply changes, then go to Firewall ---> Rules ---> OPT1 and add a new rule.

      On Action choose Pass, Interface is OPT1 (should be there by default), TCP/IP version should be IPv4 (or whichever version your machine uses), Protocol is ICMP, ICMP type any, Source is the name of the alias you just created, Destination is OPT1 address.

      Enable logging, type an appropriate description in the description field, Save, then move the new rule to the top of the list (click the check box on the left side of the rule and then the small arrow next to the rule which is on the top) and click Apply changes.

      Next, clone the rule you just made (can be found on the right side next to the rule); this time Action is Block, Source is OPT1 net, Description again something that tells right away what is going on, then Save and finally click Apply changes.

    See if it works by pinging the OPT1 address from the management machine and from any machine connected to the OPT1 network; if the management machine is able to ping but OPT1 isn't, it works.

    • The second way to do this doesn't require an IP or anything; you only have to create an alias of ports 443, 22 and 80 and create a similar block rule on the OPT1 network, just the protocol type is any, destination should be "This Firewall" and destination port should be the port alias you created.

    This enables you to use an SSH connection from the management machine to OPNsense, and you can ping, traceroute, connect to etc. any machine on any network from there (this is why you should block SSH from any sources that you don't want to allow to gain access to the firewall).

    P.S. sorry for messed up answer ^^'

December 29, 2022, 12:19:10 PM #12 Last Edit: December 29, 2022, 12:27:15 PM by Vilhonator
If pinging on the management machine doesn't work, make sure that you have "Log packets matched from the default block rules put in the ruleset" in System ---> Settings ---> Logging, then go to Firewall ---> Log Files ---> Live View. You should see a bunch of blocks coming in, which is normal; note the interface, Source and Destination, these become important later.

Then open a command prompt on the management machine and type ping -t [ip address of OPT1] and see if there are any logs on the live view of OPNsense. If nothing shows up blocking that nor allowing things from the LAN interface to the OPT1 address, then I would try out creating a route, but would advise you to ask someone with more knowledge, since that would make things way too much work (the whole firewall rule thing would have to be done on the LAN network, not to mention routing can bring more headaches as well).

If all works well, you can disable "Log packets matched from the default block rules put in the ruleset", and the firewall live log view will only show matched rules which have logging enabled in the firewall rules section.

December 29, 2022, 01:32:42 PM #13 Last Edit: December 29, 2022, 01:46:43 PM by laterizi
Quote from: Vilhonator on December 29, 2022, 11:54:23 AM
P.S. sorry for messed up answer ^^'

Vilhonator, are you kidding? :D Thank you very much for all the information you are giving me!!!

I read the solution you proposed, but I think I need something simpler: I just want to disable ping from OPT1 network hosts to LAN hosts and vice versa, or enable it when it should be necessary. Nothing more. And the rule I have set doesn't work, and I would like to know why...

Thanks again for everything!

Gianluca

December 29, 2022, 02:06:13 PM #14 Last Edit: December 29, 2022, 02:15:20 PM by Vilhonator
According to the picture, your firewall rule is blocking all incoming ICMP traffic from OPT1 net to LAN net.

Disable the rule and test if things work as you want. If it works, and you don't mind the networks being able to ping any client etc., then you can leave it there and enable the block rule again.

If you don't want to allow ICMP to all clients between the two networks, then you have to create a host alias which contains all the IPs of the host machines you want to allow the ping to, clone the block rule, change Block to Pass and switch the destination to the name of the alias you just created. After that, save and move the new rule above the block rule and click Apply changes.

Now every time the pass rule is active, all clients are able to ping only the hosts whose IPs are listed in the alias; when you disable the rule, pings to any host are blocked.

Might sound complicated, but it's very simple really: the priority in which the firewall (by default) applies the rules goes from top to bottom, so you just need to make sure that there aren't any blocking or allowing rules which conflict with each other.

Aliases are a GREAT way to ease up rule creation and port forwarding; without them, you would have to create a rule for each IP, port etc. separately whenever you have to create a port forwarding or firewall rule which contains specific IPs or ports.

https://docs.opnsense.org/manual/how-tos/edrop.html gives you a good idea of what I mean xD
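To make the rule-ordering point from the two answers above concrete, here is an added example (not from any post in this thread) that simulates first-match, top-to-bottom evaluation of an OPT1 rule set built from the thread's subnets: a pass rule for a host alias placed above the ICMP block rule, and the usual "OPT1 net to any" allow at the bottom. The alias name `ping_ok_hosts` and its member addresses are constructed for the example; the `Rule` model, `evaluate` and `opt1_rules` are hypothetical helpers, not OPNsense code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed aliases: the thread's LAN/OPT1 subnets plus a hypothetical
# host alias of the LAN machines that OPT1 clients may ping.
ALIASES = {
    "any": ["0.0.0.0/0"],
    "LAN net": ["192.168.32.0/24"],
    "OPT1 net": ["192.168.48.0/24"],
    "ping_ok_hosts": ["192.168.32.10", "192.168.32.20"],
}

@dataclass
class Rule:
    action: str        # "pass" or "block"
    interface: str     # interface the packet enters on ("OPT1", "LAN")
    proto: str         # "icmp", "tcp", "udp" or "any"
    src: str           # alias name
    dst: str           # alias name
    enabled: bool = True
    description: str = ""

def _in_alias(ip, alias):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ALIASES[alias])

def evaluate(rules, interface, proto, src_ip, dst_ip):
    """Walk the interface's rules top to bottom; the first enabled match wins
    (OPNsense rules are 'quick' by default) and no match means the implicit
    default block. Existing pf states are not modelled here."""
    for r in rules:
        if not r.enabled or r.interface != interface or r.proto not in ("any", proto):
            continue
        if _in_alias(src_ip, r.src) and _in_alias(dst_ip, r.dst):
            return r.action, r.description
    return "block", "default deny"

def opt1_rules(allow_listed_hosts=True):
    """OPT1 rule set as proposed in the thread: alias pass rule on top,
    ICMP block rule under it, 'OPT1 net to any' allow at the bottom."""
    return [
        Rule("pass", "OPT1", "icmp", "OPT1 net", "ping_ok_hosts", allow_listed_hosts, "ping to listed LAN hosts"),
        Rule("block", "OPT1", "icmp", "OPT1 net", "LAN net", True, "block ping OPT1 -> LAN"),
        Rule("pass", "OPT1", "any", "OPT1 net", "any", True, "default allow OPT1 net to any"),
    ]

def misordered_rules():
    """Same rules with the block rule below the allow-all: the block is never reached."""
    r = opt1_rules()
    return [r[0], r[2], r[1]]
```

Because only rules on the OPT1 interface are modelled, a LAN-originated ping falls to the default deny here; on a real box the LAN tab has its own rules, so "vice versa" needs a matching rule pair there.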