
Author Topic: Upgrade from 16.7.14: Firewall rules doesn't works as before  (Read 30285 times)

lordwarlock

  • Newbie
  • Posts: 11
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #45 on: February 28, 2017, 04:49:16 pm »
Just tried the setting

"Use shared forwarding between packet filter, traffic shaper and captive portal".

It reactivates the workaround:

sysctl net.inet.ipsec.filtertunnel=1
Logged

sln

  • Newbie
  • Posts: 4
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #46 on: March 19, 2017, 08:41:38 pm »
Hi,

is there any news on this? I'm using 17.1.3 and still have problems with IPSEC traffic being blocked by the firewall. Is there any workaround (except for possibly creating a hole in the fw by allowing bogus IPs on WAN)?
Logged

djGrrr

  • Full Member
  • Posts: 112
  • Karma: 22
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #47 on: March 20, 2017, 03:04:17 am »
Quote from: sln on March 19, 2017, 08:41:38 pm
Hi,

is there any news on this? I'm using 17.1.3 and still have problems with IPSEC traffic being blocked by the firewall. Is there any workaround (except for possibly creating a hole in the fw by allowing bogus IPs on WAN)?

I would suggest checking out this thread with a test kernel to try:
https://forum.opnsense.org/index.php?topic=4804.0
Logged

sln

  • Newbie
  • Posts: 4
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #48 on: March 22, 2017, 12:18:16 pm »
Quote from: djGrrr on March 20, 2017, 03:04:17 am
I would suggest checking out this thread with a test kernel to try:
https://forum.opnsense.org/index.php?topic=4804.0
Thanks for the advice! Sadly this kernel doesn't fix the issue (at least for me) with IPsec traffic getting filtered by the firewall despite rules saying otherwise.
Logged

guest15510

  • Guest
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #49 on: March 22, 2017, 02:52:11 pm »
Quote from: sln on March 22, 2017, 12:18:16 pm
Quote from: djGrrr on March 20, 2017, 03:04:17 am
I would suggest checking out this thread with a test kernel to try:
https://forum.opnsense.org/index.php?topic=4804.0
Thanks for the advice! Sadly this kernel doesn't fix the issue (at least for me) with IPsec traffic getting filtered by the firewall despite rules saying otherwise.

Hey, tried this?
https://forum.opnsense.org/index.php?topic=4313.msg19025#msg19025

I'm currently updating my 12 FW's for my company and only this solution works for me.
Logged

liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #50 on: May 17, 2017, 07:04:09 pm »
Hi all,

I have the same problem with 17.1.6.

00:00:00.000000 rule 88/0(match): pass in on igb2: 192.168.11.23.64782 > 172.18.210.10.443: Flags [S], seq 3434102374, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000080 rule 77/0(match): pass out on enc0: 192.168.11.23.64782 > 172.18.210.10.443: Flags [S], seq 3434102374, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.023806 rule 12/0(match): block in on enc0: 172.18.210.10.443 > 192.168.11.23.64782: Flags [S.], seq 4228346538, ack 3434102375, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:03.003031 rule 12/0(match): block in on enc0: 172.18.210.10.443 > 192.168.11.23.64782: Flags [S.], seq 4228346538, ack 3434102375, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:06.006306 rule 12/0(match): block in on enc0: 172.18.210.10.443 > 192.168.11.23.64782: Flags [S.], seq 4228346538, ack 3434102375, win 65535, options [mss 1460,nop,nop,sackOK], length 0
00:00:11.996356 rule 12/0(match): block in on enc0: 172.18.210.10.443 > 192.168.11.23.64782: Flags [R], seq 4228346539, win 0, length 0

I tried the floating rule but the issue persists. ICMP works fine but TCP/UDP is blocked by PF.


Regards,
Liberomic
Logged
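As an added example (not from this thread or from the OPNsense project), a small Python script that parses pflog lines in the format of the capture above and flags replies blocked inbound on enc0 whose forward direction had just been passed outbound on enc0, the symptom liberomic describes; the sample lines are constructed and modelled on that capture, with Flags [S] assumed for the SYN lines.

```python
import re

# Constructed sample in the style of `tcpdump -n -e -ttt -i pflog0` output,
# modelled on the capture in the post above (not the poster's exact lines).
SAMPLE_LOG = """\
00:00:00.000000 rule 88/0(match): pass in on igb2: 192.168.11.23.64782 > 172.18.210.10.443: Flags [S], seq 3434102374, win 8192, length 0
00:00:00.000080 rule 77/0(match): pass out on enc0: 192.168.11.23.64782 > 172.18.210.10.443: Flags [S], seq 3434102374, win 8192, length 0
00:00:00.023806 rule 12/0(match): block in on enc0: 172.18.210.10.443 > 192.168.11.23.64782: Flags [S.], seq 4228346538, ack 3434102375, win 8192, length 0
00:00:03.003031 rule 12/0(match): block in on enc0: 172.18.210.10.443 > 192.168.11.23.64782: Flags [S.], seq 4228346538, ack 3434102375, win 8192, length 0
00:00:00.000010 rule 77/0(match): pass out on enc0: 192.168.11.23.50000 > 172.18.210.10.53: Flags [S], seq 1, win 8192, length 0
00:00:00.000020 rule 12/0(match): block in on em0: 203.0.113.5.4444 > 198.51.100.7.22: Flags [S], seq 99, win 1024, length 0
"""

# Timestamp, rule number, action, direction, interface, then src.port > dst.port.
LINE_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse(line):
    """Return the fields of one pflog line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_broken_return_traffic(log_text, iface="enc0"):
    """Return (rule, flow) pairs where a reply was blocked inbound on `iface`
    even though the forward direction of the same flow was passed outbound on
    that interface, i.e. the state pf created on the way out was not honoured."""
    passed_out = set()
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["iface"] != iface:
            continue
        flow = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        if ev["action"] == "pass" and ev["dir"] == "out":
            passed_out.add(flow)
        elif ev["action"] == "block" and ev["dir"] == "in":
            # Reverse the 5-tuple so a reply lines up with its request.
            reverse = (ev["dst"], ev["dport"], ev["src"], ev["sport"])
            if reverse in passed_out:
                hits.append((int(ev["rule"]), reverse))
    return hits


if __name__ == "__main__":
    for rule, flow in find_broken_return_traffic(SAMPLE_LOG):
        print(f"rule {rule} blocked reply on enc0 for flow {flow}")
```

Run it against a real `tcpdump -n -e -ttt -i pflog0` capture to confirm whether blocked packets are replies to flows that were passed out, which distinguishes this state-tracking symptom from a genuinely missing IPsec rule.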

liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #51 on: May 18, 2017, 03:00:26 pm »
Hi All,

We have replicated the configuration on a different site and the issue persists.
The difference between my office site to the datacenter, where IPsec works fine, and the two branch offices is that the WAN interfaces are NATed.

Regards,
Liberomic

Logged

liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #52 on: May 18, 2017, 05:29:57 pm »
Hi Franco,

I have found this workaround, but it is not permanent (if I change a firewall rule or restart the appliance, these rules will be deleted).

I have deleted these lines from /tmp/rules.debug
block in  log inet from {any} to {any} label "Default deny rule"
block in  log inet6 from {any} to {any} label "Default deny rule"

I have added these lines at the end of the file (all interfaces except IPsec "enc0")

block in  log on $WAN inet from {any} to {any} label "Default deny rule"
block in  log on $WAN inet6 from {any} to {any} label "Default deny rule"
block in  log on $LAN inet from {any} to {any} label "Default deny rule"
block in  log on $LAN inet6 from {any} to {any} label "Default deny rule"

# pfctl -f /tmp/rules.debug

Do you have a solution for this PF issue?

Many thanks for your support.  :'( :'( :'(

Liberomic
« Last Edit: May 18, 2017, 06:04:04 pm by liberomic »
Logged

liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #53 on: May 19, 2017, 05:22:21 pm »
Hi all,

I have checked in 17.1.7 and the issue persists.

Regards,
Liberomic
Logged

franco

  • Administrator
  • Hero Member
  • Posts: 13689
  • Karma: 1176
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #54 on: May 22, 2017, 08:14:26 am »
What's your rule on the IPsec tab? Isn't it easier to use any -> any there?
Logged

liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #55 on: May 22, 2017, 10:45:16 am »
Hi Franco,

On the IPsec interface we have checked all combinations.

ANY--ANY--Accept
Source VPN subnet--Local subnet--Accept

But the issue persists......

I have replicated the issue on a different site and it is reproducible.

To clarify the issue I am writing the network scheme: I have four sites connected by IPsec to the central office (HO).

- Office1 (opnsense) to Head Office: this site works fine; the WAN interface of OPNsense has a public IP
- Office2 (opnsense) to Head Office: the WAN interface is NATed and the inbound traffic is blocked on the enc0 interface
- Office3 (opnsense) to Head Office: the WAN interface is NATed and the inbound traffic is blocked on the enc0 interface

For Office2 and Office3 I have applied my workaround for inbound traffic coming from Head Office, because without my workaround only ICMP traffic works and TCP/UDP is blocked.

Note: on Office2 and Office3 I have enabled NAT Traversal and the router forwards all ports to the OPNsense WAN interface. I have upgraded all OPNsense installations to 17.1.7.

Thanks for your support
Liberomic
Logged

liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #56 on: May 29, 2017, 03:46:10 pm »
Hi All,

do you have news for this PF issue?

Regards,
Liberomic
Logged

opnsensebeb

  • Newbie
  • Posts: 1
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #57 on: June 05, 2017, 12:34:12 pm »
Hi,

I have the same issue: since 17.1.1 no rules for IPsec trigger (now on 17.1.8). I tried all the hints, but nothing works for me.

Is there any news about this topic?

Regards
Sven
Logged

liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #58 on: June 05, 2017, 05:17:36 pm »
Hi All,

This issue is very bad. With my workaround the incoming traffic works fine....
But this change in the file /tmp/rules.debug is lost when you modify firewall rules or restart the appliance....

Regards,
Liberomic
Logged

liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: Upgrade from 16.7.14: Firewall rules doesn't works as before
« Reply #59 on: June 26, 2017, 12:53:53 pm »
UP!

 ;) ;) ;)
Logged
