Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Problem Routing Public IPs Ignoring FW Rules and Matching Defaults on Reboot
« previous
next »
Print
Pages: [
1
]
Author
Topic: Problem Routing Public IPs Ignoring FW Rules and Matching Defaults on Reboot (Read 675 times)
foxpa.ws
Newbie
Posts: 6
Karma: 0
https://k-fox.net
Problem Routing Public IPs Ignoring FW Rules and Matching Defaults on Reboot
«
on:
January 01, 2024, 01:08:48 pm »
I'm having the most bizarre situation trying to route a class c subnet of public IPs. The conventional wisdom seems to be that all one needs to do to route public address space from the LAN side is to disable outbound NAT and create a default allow rule for traffic ingressing to the LAN-net. After running into this problem but not knowing the trigger the first time I had it working, before it all suddenly fell apart, I loaded my LAN and WAN interfaces with a half dozen permissive rules (specifying interface, not specifying interface (any) but specifying network, in, out, source, destination - in all combinations). When I tripped it the second time I could see in the firewall log that every single flow was running up against "Default deny / state violation rule" in spite of the dozen user-submitted rules that should have applied before landing at the top.
To make matters even more obnoxious the trigger seems to be making any modification to - and then saving - the Advanced Settings. Disable ipv6, enable syncookies, doesn't seem to matter. I haven't tried changing nothing and just hitting 'Save' but that's because I'm playing with a live, customer-used subnet and can't afford the downtime. But nothing immediately changes when I hit Save - traffic still flows fine. The issue arises upon the next reboot! No flows, even for a second, post-init. Everything hits numero uno, default deny. Interestingly, when the traffic is flowing, my user-added rules don't seem to make any difference either. I disabled and then deleted every single one of them, rolling the firewall back to default, as-new state with no ingress allow rule - only forward NAT having been disabled, and I have no problem surfing from the inside or hitting services from the outside.
Spookily enough, these flows all register "let out anything from firewall host itself" or less frequently "let out anything from firewall host itself (force gw)" as though NAT is still enabled. Yet when I check my public IP on whatismyip.com I get the correct, self-assigned public IP that my test box should have and again - no trouble hitting open ports inside the public subnet so there's definitely no NAT going on. Check out the attached screencap - weird, right? Those are public IPs on both sides of the fence matching a rule intended only for connections started by the OPNsense box itself and, according to some forum posts, when forward NAT is enabled (though I imagine in most cases that would be matched by a more appropriate downstream rule when properly configured).
When I trip the trigger and reboot the only way to recover routing is to re-run the setup wizard. Re-saving my interfaces and gateway doesn't cut it on its own and neither does retreating them to private (testing) subnets. This is a pretty unique problem and atypical configuration so, as expected, I haven't seen anyone else encounter anything similar. I would happily provide VM snapshots of my working config and the situation post-trigger for comparison if anyone experienced with the inner depths of OPNsense's firewall config and possibly web configurator would be willing to take a gander.
«
Last Edit: January 01, 2024, 01:16:43 pm by foxpa.ws
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Problem Routing Public IPs Ignoring FW Rules and Matching Defaults on Reboot