OPNsense Forum » Archive » 16.1 Legacy Series » Issue on WAN filter
Topic: Issue on WAN filter (Read 7580 times)
Ludovik, on: July 27, 2016, 10:57:40 pm
Hi All,
I have the following issue on all 3 OPNsense versions that I installed: 16.1.20, 16.1.8, 16.7-RC2.
Environment:
VM with 2 interfaces on VMware Workstation 11.
em0 interface is bridged with eth0 of my PC, connected to my home router.
em1 interface is an isolated one on the VMware
Configuration:
em0 -> WAN -> DHCP Assigned Address -> 192.168.0.116 (GW: 192.168.0.1 <- my home router)
em1 -> LAN -> Static IP -> 10.10.5.1/24 with a DHCP Server with range 10.10.5.200-220
I added the firewall rule on WAN:
Protocol: any
Src: any
Dst: any
Action: pass
From my router (192.168.0.1) I'm unable to ping WAN (192.168.0.116).
From another PC (192.168.0.22) I'm unable to ping WAN (192.168.0.116).
From WAN I'm able to ping my router and the other PC in the subnet.
I unchecked "block rfc1918" and "block bogon networks", tried to put a more specific rule for ICMP on WAN and rebooted the VM, but nothing changed.
With pfSense, the same configuration in the same environment works as expected, replying to ICMP, so it cannot be the environment.
It seems that there's something wrong with the outgoing rules of the WAN pf.
Looking at tcpdump inside OPNsense, I'm seeing the ICMP request and reply, but it doesn't leave the WAN interface.
Obviously it works when I manually disable pf.
This issue affects every packet sent to the WAN interface, not only ICMP.
Here you can find
opnsense /tmp/rules.debug file
http://pastebin.com/eHcCMX7k
pfsense /tmp/rules.debug file
http://pastebin.com/u4xi1Wvk
and opnsense backup configuration
http://pastebin.com/n2SYKpvb
Has anyone already found this issue, or is there something I'm not doing the right way?
Thanks in advance.
Last Edit: July 28, 2016, 12:30:02 am by Ludovik
silent_mastodon, Reply #1 on: July 28, 2016, 05:56:34 am
As you can see from my thread https://forum.opnsense.org/index.php?topic=3372.0 I had a similar issue.
However, I was able to make ICMP packets work by doing as you did, disabling the RFC1918 block and inserting the proper firewall rule to allow IPv4 ICMP protocol packets on the WAN interface. I'm not sure why it isn't working in your case.
In any event, it seems from your post, mine, and several others I've found in search that there is some sort of issue with OPNsense when used in a VM and behind another router, and thus interacting with private networks on both sides. I should have just turned the NAT off and operated in pure firewall mode since there wasn't actually any need for the NAT in the first place, but I've already moved on to another product to get my lab VM operational.
I guess pfSense is using different defaults, or a subtly different configuration that doesn't allow users to misconfigure the router in these circumstances? No idea.