Totally Stumped...firewall rules not working

Started by troycarpenter, August 16, 2016, 04:41:06 PM

This has got to be my fault.  I have tried a clean install both in a VM and on bare metal with no change in behavior.  I will also note that I have used OPNsense in the past about a year ago, but eventually tried another product.  Now I'm back to evaluating OPNsense with the latest version.

My setup is that the WAN port of the firewall is connected to my local network and is getting valid DHCP information.  I have turned off blocking private and bogon networks.  The LAN port has an address of 192.168.1.1 and has DHCP active.

When I connect a client to the LAN port, it gets an IP address and appears to be able to surf correctly.  I can open the OPNsense webgui and configure the firewall.

My problem is that I can't get any incoming firewall rules to work.  For instance, I've tried to turn on https access from the WAN port, but I can't reach the webgui from the WAN port.  The rule I create is in Firewall->Rules->WAN.  (proto,source,port,dest,port,gw) = (ipv4TCP,*,*,WAN address,443,*). 

I then tried a simple forward rule to a service running on the client computer.  I created the NAT rule, which also created the firewall rule, but again nothing seems to reach the client computer.  The logs seem to imply that the rule was hit and the packet was accepted.  The port forward rule in this case is to forward port 8080 on the WAN address to port 80 on the client computer. 

IF I do a factory reset and only set up the WAN port, then the rules are created to allow http/s access on the WAN. However, as soon as I add the LAN port, that functionality goes away.

I also have a firewall backup from my previous testing attempt, but this version complains about some of the entries, and when I finally got it to load, the system hung.

Given that this is very basic functionality, and that nobody else has mentioned this problem, it's got to be all me.  Please help.

Hi,

I think your config is quite well. We discussed this in the German part of the forum. Opnsense sends all answers to the upstream gateway on the WAN side. So, if you connect the WAN interface of the opnsense to your LAN, you will see that your LAN gateway (= upstream gateway for the firewall) will receive all answers, which should go to your LAN PC from which you send ping / https ...

Regards
Uwe
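The reply-path behaviour Uwe describes, modelled as an added example (not code from the thread or from OPNsense): pf's reply-to on a WAN rule sends the answer to the WAN gateway even when the client is on the same subnet as the WAN port, so the forward and return paths differ. The addresses are constructed placeholders for the poster's setup, and the functions are a simplified model, not the real kernel logic.

```python
import ipaddress

# Constructed topology (assumption, not from the thread): the poster's existing
# LAN is 192.168.0.0/24 with its router at 192.168.0.1, and the OPNsense WAN port
# received 192.168.0.50 from that router's DHCP. Clients on the WAN side are on
# the same /24.
WAN_NET = ipaddress.ip_network("192.168.0.0/24")
WAN_GATEWAY = ipaddress.ip_address("192.168.0.1")


def route_table_next_hop(dst):
    """Ordinary routing decision: an on-link destination is delivered directly
    (the firewall ARPs for it); anything else goes via the default gateway."""
    dst = ipaddress.ip_address(dst)
    return dst if dst in WAN_NET else WAN_GATEWAY


def reply_to_next_hop(dst):
    """pf 'reply-to' on a rule bound to WAN: replies for a connection that
    arrived on WAN are handed to that interface's gateway, bypassing the
    route table lookup entirely. The destination is irrelevant here."""
    ipaddress.ip_address(dst)  # validate only
    return WAN_GATEWAY


def reply_path_is_asymmetric(client):
    """True when reply-to makes the return path differ from what the route
    table would choose: the client's SYN reaches the firewall directly, but the
    SYN-ACK is sent to the upstream router instead of back to the client."""
    return route_table_next_hop(client) != reply_to_next_hop(client)


if __name__ == "__main__":
    # A client on the same subnet as the WAN port (the poster's test setup)
    # gets an asymmetric reply path; a client behind the upstream router on a
    # different network does not, which is why the same rules look fine there.
    for client in ("192.168.0.20", "10.0.0.5"):
        print(client, "asymmetric" if reply_path_is_asymmetric(client) else "symmetric")
```

OPNsense exposes reply-to as an advanced per-rule option and as a global setting for WAN rules; when the WAN sits inside an existing LAN for testing, that is the setting to review.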

Quote
The rule I create is in Firewall->Rules->WAN.  (proto,source,port,dest,port,gw) = (ipv4TCP,*,*,WAN address,443,*).

In my config I see "This Firewall" instead of "WAN address". Would you give it a try?

WAN address should be part of "This firewall", as "This firewall" is an alias for IPs on all interfaces of the opnsense...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I've tried both of those, but still nothing.

Also, earlier in the testing I set a floating rule to allow everything, which worked at the time, but since then I've done a reset to defaults.  I just tried the same floating rule and it didn't work.  Still stumped.