Inbound permit on WAN not working when on same network

[Patrick M. Hausen]

Hi all,

now I've been hacking OPNsense for quite a while and I thought I understood the product quite well, but I must be missing something.

WAN
From: any
To: WAN addess
Destination Port: 22

Does not work if the PC I use to access the firewall is connected to the WAN network - a regular /24, firewall getting its address and other configuration via DHCP. Access from *remote* outside the WAN network works!

What's going on?

Thanks,
Patrick

[Maurice]

Set reply-to to disable. Popular trap for young (and veteran) players.

Cheers
Maurice

[Patrick M. Hausen]

That alone still does not help.

[Maurice]

I feel a bit silly asking you the obvious questions...
Is the WAN network RFC1918? If yes, "Block private networks" is disabled?

Where does it fail? Inbound packets get blocked?

[newsense]

Interfaces - WAN - uncheck Block Private Networks ?

[Patrick M. Hausen]

Interfaces - WAN - uncheck Block Private Networks ?

Possibly I'm an idiot - will check after my current bhyve users video call.  Thanks!

[Patrick M. Hausen]

Still no banana ...

I disabled reply-to and "force local services to use the assigned gateway" in Firewall > Settings > Advanced and "block private addresses" on the WAN interface. I also disabled the default anti lock-out rule, because I prefer explicit rules. That should still work, right?

My firewall is 192.168.1.15 on WAN and my Mac 192.168.1.162 - after `pfctl -d` on the console I can connect and tweak things, as soon as I apply firewall rule changes or manually `pfctl -e` I am locked out again.

Here's the current rules - WAN is ix1:

Code: [Select]

$ cat rules.txt
scrub on ix0 all fragment reassemble
scrub on ix1 all fragment reassemble
block drop in log on ! ix0 inet from 192.168.6.0/24 to any
block drop in log inet from 192.168.6.1 to any
block drop in log on ! ix1 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.15 to any
block drop in log on ix1 inet6 from fe80::3eec:efff:fe00:5433 to any
block drop in log inet all label "ecd3a310894625657c6591b80daa956a"
block drop in log inet6 all label "ecd3a310894625657c6591b80daa956a"
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "d48c044e752b748fd490586fd860174a"
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "d48c044e752b748fd490586fd860174a"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "d48c044e752b748fd490586fd860174a"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "d48c044e752b748fd490586fd860174a"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "4ad3ddb3010f48c55925efd7554280f8"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "75aa39319a79eacae0e7bb415a335c7e"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "7f54eee227ed7d31e48c19de367a6925"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "83803d04942547f2580789b2717ffd94"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "83803d04942547f2580789b2717ffd94"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "83803d04942547f2580789b2717ffd94"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "83803d04942547f2580789b2717ffd94"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "83803d04942547f2580789b2717ffd94"
block drop in log quick inet proto tcp from any port = 0 to any label "ed7ef708f73b994b3c4cf9950250b207"
block drop in log quick inet proto udp from any port = 0 to any label "ed7ef708f73b994b3c4cf9950250b207"
block drop in log quick inet6 proto tcp from any port = 0 to any label "ed7ef708f73b994b3c4cf9950250b207"
block drop in log quick inet6 proto udp from any port = 0 to any label "ed7ef708f73b994b3c4cf9950250b207"
block drop in log quick inet proto tcp from any to any port = 0 label "53cfff739f3e1e6611f859d04d6ab7d9"
block drop in log quick inet proto udp from any to any port = 0 label "53cfff739f3e1e6611f859d04d6ab7d9"
block drop in log quick inet6 proto tcp from any to any port = 0 label "53cfff739f3e1e6611f859d04d6ab7d9"
block drop in log quick inet6 proto udp from any to any port = 0 label "53cfff739f3e1e6611f859d04d6ab7d9"
pass log quick inet6 proto carp from any to ff02::12 keep state label "e87d088409bb245daacc65e79879e444"
pass log quick inet proto carp from any to 224.0.0.18 keep state label "6f961877d17b693d638b0bcac18e888c"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "7f677186b656aba15284e68ad3b299b5"
block drop in log quick proto tcp from <sshlockout> to (self) port = https label "f93d000e206ee62182eadb30608a0242"
block drop in log quick from <virusprot> to any label "8633cbd455dae5aa32e1dd4fbdf7521e"
pass in log quick on ix0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "d05a2aec01ebd7397c01031b625c2110"
pass in log quick on ix0 proto udp from any port = bootpc to (self) port = bootps keep state label "46061a043e5d9a3ea45c88e3a2ab898e"
pass out log quick on ix0 proto udp from (self) port = bootps to any port = bootpc keep state label "4ed554accad6221130c3cea68ebcb84e"
block drop in log quick on ix1 inet from <bogons> to any label "9feb1ff22602ce7fa249ca38a748a8d6"
block drop in log quick on ix1 inet6 from <bogonsv6> to any label "730b04035be750d29de5c32523480cf5"
pass in quick on lo0 all no state label "edf9ee5a7850bb473d6524034fd3a946"
pass out log all flags S/SA keep state allow-opts label "1232f88e5fac29a32501e3f051020cac"
pass in quick inet proto icmp all icmp-type echoreq keep state label "378df093835c57bf0aee5667d5b015cb"
pass in quick inet6 proto ipv6-icmp all icmp6-type echoreq keep state label "fa97fa36c035bc80096f8bdbd0c76174"
pass in quick on ix1 inet proto tcp from any to (ix1) port = ssh flags S/SA keep state label "267b27f26828b478f2347df6c585e3e7"
pass in quick on ix1 inet proto tcp from any to (ix1) port = https flags S/SA keep state label "267b27f26828b478f2347df6c585e3e7"
pass in quick on ix0 inet all flags S/SA keep state label "18e7a1e302646cc2b1bc8f86917e8942"
pass in quick on ix0 inet6 all flags S/SA keep state label "ac07e525edec46c80498203084301d05"


[cookiemonster]

Someone has taken over Patrick's account
p.s. on a more serious note, I'd like your advice on a post I'm about to make, regarding VLAN tags.
You'll crack this one soon. Some setting you forgot somewhere.

[Patrick M. Hausen]

Essentially I want to set up a small lab scenario with an OPNsense virtualised on TrueNAS CORE and TrueNAS using that OPNsense ... possibly I should just hook up my Mac to LAN and work from there ... 

This little box here is doing fantastic, BTW.

4 core Atom 3558, 16 GB of ECC memory, 2 SATA DOMs for the boot pool, 2 1TB SSDs for storage. 4 Gbit interfaces, two of which are passed via PCIe into the OPNsense VM so firewall is really separated from everything else.

Yeah, I guess I'll just rewire because the use case will be TN and my laptop and possibly more systems all on LAN and WAN hooked up to some public network.

[newsense]

Ah, it's This Firewall not WAN address.

The disabling of reply-to I prefer to do it on the exception rule and not globally.

The RFC 1918 blocking also needs to be disabled on WAN interface.

[Patrick M. Hausen]

Too late now but whenever I encounter that problem again I will hopefully at least remember to look for this thread.

This is what the end result looks and works like:

Code: [Select]

                         TrueNAS CORE                 
        ┌────────────────────────────────────────────┐
        │                                            │
        │                           OPNsense VM      │
        │       ┌ ─ ─ ─ ─ ─ ┐   ┌──────────────────┐ │
        │    ┌───────────┐      │                  │ │
        │ ┌──┴────────┐  │  │   │  LAN        WAN  │ │
        │ │           │  │      │┌─────┐    ┌─────┐│ │
        │ │ VMs/jails │  │  │   ││ ix0 │    │ ix1 ││ │
        │ │           │  ├ ─    │└─────┘    └─────┘│ │
        │ │           ├──┘      │   ▲          ▲   │ │
        │ └────────┬──┘         └───┼──────────┼───┘ │
        │          │                │          │     │
        │          │                │   PCIe   │     │
        │          │                │   pass   │     │
        │ ┌────────┴─────────┐      │   thru   │     │
        │ │                  │      │          │     │
        │ │     bridge0      │      │          │     │
┌────┐  │ │┌─────┐    ┌─────┐│   ┌──┴──┐    ┌──┴──┐  │
│IPMI├──┼─┼┤ ix0 │    │ ix1 ││   │ ix2 │    │ ix3 │  │
└────┘  │ │└──┬──┘    └──┬──┘│   └──┬──┘    └──┬──┘  │
        │ └───┼──────────┼───┘      │          │     │
        └─────┼──────────┼──────────┼──────────┼─────┘
              │          │          │          │     
              ▼          └──────────┘          ▼     
                                                     
          to laptop                        to uplink