[solved] Access Firewall from WAN-Side blocked (complex setup)

Started by xj9, February 14, 2024, 11:23:02 AM

Hi,

I'm trying to get access to the OPNsense GUI on the WAN interface, but the access is blocked. At the moment I'm accessing the OPNsense GUI via a WireGuard connection. I need the access via the WAN interface temporarily because of changes I want to accomplish next time.

OPNSense-Version: 23.7.12_5-amd64
OPNSense GUI HTTP-Port: 444

I have the following setup:


(Internet)
  |
  |
[proxmox-ve-host] (public ip)
  |
  |
[opnsense-virtualmachine] (WAN-IP: 10.10.0.1)


The traffic is redirected to the OPNsense via NAT at the Proxmox VE host (except packets with DST ports 8006 (Proxmox VE management web GUI) and 22 (SSH to Proxmox)).


proxmox # iptables -t nat -L -v -n
...
Chain PREROUTING (policy ACCEPT 17955 packets, 1182K bytes)
pkts bytes target     prot opt in     out     source               destination         
6931  309K DNAT       6    --  enp0s31f6 *       0.0.0.0/0            0.0.0.0/0            multiport dports  !22,8006 to:10.10.0.1
...
Chain POSTROUTING (policy ACCEPT 50314 packets, 3312K bytes)
pkts bytes target     prot opt in     out     source               destination         
4896  369K MASQUERADE  0    --  *      enp0s31f6  10.10.0.0/31         0.0.0.0/0   


When I try to access the OPNsense GUI I have the following log entries within the plain filter log:


15,,,02f4bab031b57d1e30553ce08e0ec131,vtnet0,match,block,in,4,0x0,,53,5567,0,DF,6,tcp,60,151.189.142.234,10.10.0.1,54880,444,0,S,861491563,,64240,,mss;sackOK;TS;nop;wscale


I understand that rule number 15 blocked the access. When I look at the packet filter rule list to examine rule #15:



pfctl -vvsr | grep '@15' -A1

@15 block drop in log inet all label "abcedf21424..."
  [ Evaluations: 85 Packets 91 Bytes 4312 ]


This seems to be the default drop rule at the end.

I have further inserted and applied two other rules via OPNSense GUI at the Firewall / Rules / WAN Page:


  • IPv4 / TCP / DST Port 444 allow dst: all (quick match enabled)
  • IPv4 / TCP / DST Port 444 allow dst wan-address (quick match enabled)

Screenshot of those two rules:



When I examine the rule list on the OPNSense via pfctl, there's no rule shown with a port 444:


# pfctl -vvsr >myrules
# grep 444 myrules
(no output)


I checked the logs (system -> general log) after applying the rules. There are no error messages.

Are the two rules really missing?
Why are my rules missing?
What may be the problem here?
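
A small parser for the filterlog line quoted above, added here as an example that is not part of the thread or of OPNsense itself: it names the CSV fields of IPv4 entries and lists blocked entries to a given port with the rule number and rid (the rule's label hash), which is the lookup the `pfctl -vvsr | grep '@15'` step does by hand. The first sample line is the one from the post; the other two are constructed.

```python
import csv

# Field layout of an IPv4 entry in the OPNsense/pfSense "filterlog" CSV format,
# as in the block entry quoted above. IPv6 entries have a different IP-header
# layout and are rejected here rather than parsed.
HEADER = ["rulenr", "subrulenr", "anchor", "rid", "interface", "reason",
          "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

def parse_filterlog(line):
    """Parse one filterlog line into a dict keyed by field name."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER) or fields[8] != "4":
        raise ValueError("only IPv4 entries are handled: %r" % line)
    names = HEADER + IPV4
    rec = dict(zip(names, fields))
    rest = fields[len(names):]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, rest))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, rest))
    else:
        rec["extra"] = rest          # icmp etc.: keep the tail unparsed
    return rec

def blocked_to_port(lines, dstport):
    """Return blocked entries whose destination port is dstport, with the
    rule number and rid to look up in pfctl -vvsr."""
    hits = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec["action"] == "block" and rec.get("dstport") == str(dstport):
            hits.append({k: rec[k] for k in
                         ("rulenr", "rid", "interface", "proto", "src", "dst")})
    return hits

# Sample input: the thread's block entry, then two constructed lines (a passed
# TCP SYN and a blocked UDP datagram) using documentation addresses.
SAMPLE_LINES = [
    "15,,,02f4bab031b57d1e30553ce08e0ec131,vtnet0,match,block,in,4,0x0,,53,5567,0,DF,6,tcp,60,151.189.142.234,10.10.0.1,54880,444,0,S,861491563,,64240,,mss;sackOK;TS;nop;wscale",
    "72,,,0123456789abcdef0123456789abcdef,vtnet0,match,pass,in,4,0x0,,54,5568,0,DF,6,tcp,60,203.0.113.7,10.10.0.1,40000,444,0,S,1,,64240,,mss;sackOK",
    "15,,,02f4bab031b57d1e30553ce08e0ec131,vtnet0,match,block,in,4,0x0,,53,5569,0,none,17,udp,32,203.0.113.7,10.10.0.1,53000,444,12",
]

if __name__ == "__main__":
    for hit in blocked_to_port(SAMPLE_LINES, 444):
        print("rule @%s (%s) blocked %s %s -> %s on %s" % (hit["rulenr"],
              hit["rid"], hit["proto"], hit["src"], hit["dst"], hit["interface"]))
```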

Could it be possible you forgot to click on "Apply" after adding the rule? I've seen it happen.

February 14, 2024, 11:44:05 AM #2 Last Edit: February 14, 2024, 11:46:08 AM by xj9
Quote from: cookiemonster on February 14, 2024, 11:40:28 AM
Could it be possible you forgot to click on "Apply" after adding the rule? I've seen it happen.

Happens to me quite often. :)

But here and now: No. I at least deleted and applied the rule thrice. (I just tried again with no success).

OK. I'm not as familiar with pf as with iptables, so I can't tell how to find your rules, but if you want to focus on "fixing" it, please post your rules on the relevant interface.
Remember, if your OPN WAN is a private address, you need to disable the default block "Block private networks" (can't tell if you're masquerading to a private one).

February 14, 2024, 12:51:44 PM #4 Last Edit: February 14, 2024, 01:08:35 PM by xj9
Quote from: cookiemonster on February 14, 2024, 11:51:57 AM
OK. I'm not as familiar with pf as with iptables, so I can't tell how to find your rules, but if you want to focus on "fixing" it, please post your rules on the relevant interface.
On the Proxmox host there are only two rules for allowing and blocking access to Proxmox monitoring (I filtered that out in my first post for simplicity). Everything else is accepted and forwarded to the OPNsense. (Since traffic arrives at the OPNsense, Proxmox iptables should not be the problematic part.)

Quote
Remember, if your OPN WAN is a private address, you need to disable the default block "Block private networks" (can't tell if you're masquerading to a private one).

That was still enabled. Thanks. I disabled "filter private networks" now and "disable bogon networks" temporarily too. (Situation did not change after applying.)

I also changed the listen interfaces on System -> Administration to use all interfaces now. (Situation did not change after applying.)

These are all rules for the WAN interface:

--- Screenshot deleted ---

I found the two rules for port 444. pfctl prints port alias names (from /etc/services?) instead of numbers.

(Please ignore the IPv6 stuff.)

February 14, 2024, 01:09:23 PM #5 Last Edit: February 14, 2024, 01:17:32 PM by xj9
I found the solution:

I had to add another NAT rule:

[public-ip:444] --> [10.10.0.1:444]

(Very strange. The log entry in the first post showed the target IP address was already there.)