OPNsense Forum » English Forums » General Discussion » Difficulty with DMZ traffic
Topic: Difficulty with DMZ traffic (Read 145 times)
SuperModerate (Newbie, Posts: 2, Karma: 0)
Difficulty with DMZ traffic
« on: November 13, 2024, 03:59:08 am »
Hey everyone, I've been agonising over this for a couple of days now, hoping someone here can help me out.
I am trying to set up a couple of OPNsense firewalls to create a secure internal network and DMZ environment. The layout would be `Internet` -> `FW1` -> `DMZ` -> `FW2` -> `Internal Network`.
Eventually I would like to get physical devices for these firewalls but for now they are just running as VMs in Proxmox. Relevant network details:
- Proxmox host IP `192.168.50.31`
- FW1 VM (in DMZ) LAN IP: `192.168.51.100`
- FW2 VM (in Internal Network) LAN IP: `192.168.50.100`
- FW2 VM WAN IP: `192.168.51.101`
- Proxmox physical interfaces: `eno1` (1Gbps), `enp5s0` (2.5Gbps)
- Proxmox virtual interfaces:
  - `vmbr0` (Linux bridge to `enp5s0`) used for the Internal Network, mapped to the FW2 LAN interface
  - `vmbr1` used for the DMZ, mapped to the FW2 WAN interface and the FW1 LAN interface
  - `vmbr3` (Linux bridge to `eno1`) passed to FW1, unused at the moment but eventually will be connected to the WAN interface to access the internet
- FW2 WAN interface (`192.168.51.101`) gateway set to the FW1 LAN interface (`192.168.51.100`)
- "Block private networks" unchecked on all interfaces on both FWs (will re-enable where relevant once this issue is resolved)
- NAT disabled on FW2
When I try to ping FW1 (`192.168.51.100`) from a machine on the `192.168.50.0/24` network, the ping manages to get through FW2 and to FW1, but FW1 drops it due to the "Default deny / state violation" rule. I am struggling to determine why this rule is matching; my understanding is that just about everything coming in and then out of the LAN should be allowed by default.
At first I thought that this was something like asymmetric routing causing issues. To diagnose this I tried to disable packet filtering entirely on FW1 to check that packets take the same route back to the host pinging the FW. Unfortunately `traceroute` only shows the first hop (to the FW2 LAN interface `192.168.50.100`); after that I just get `* * *`. In lieu of this I just checked the routing table, and FW1 definitely sends traffic destined for `192.168.50.0/24` to `192.168.51.101`, which seems correct.
I should also mention that I am having trouble capturing packets, which is making diagnosis a little more difficult. I'm not sure if I'm just using the tool wrong or what, but when I set up a packet capture and send a ping that definitely travels through the interface, nothing shows up in the console.
Apologies for the kind of long-winded post; I wanted to get all the details that might be relevant in. Does anyone have any idea what the cause of this could be or how I can resolve it? Or even how I can take further steps to diagnose, because I'm at a bit of a loss.
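The post above checks the return route by hand and suspects asymmetric routing as the reason for the "Default deny / state violation" hits. The script below is an added example (not code from the thread or from OPNsense) that models both firewalls' route tables with the addresses given in the post, traces the ICMP request and its reply hop by hop, and reports, per firewall, whether the reply leaves through the interface on which the request created state, which is the condition a stateful filter needs. Interface names (`vtnet0`/`vtnet1`), the client address `192.168.50.5`, the FW1 WAN address `203.0.113.2` and the upstream gateway `203.0.113.1` are constructed assumptions. It goes beyond the post by also running a second scenario in which FW1 lacks the static route back to `192.168.50.0/24`, so that the reply is pushed out the WAN and the flow fails the state check.

```python
"""Route-symmetry check for Internet -> FW1 -> DMZ -> FW2 -> Internal Network.

Added example; addresses are from the forum post, interface names, the
client host and the 203.0.113.x WAN values are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str              # CIDR string, e.g. "192.168.50.0/24"
    gateway: Optional[str]   # None = directly connected network
    iface: str               # egress interface


@dataclass
class Router:
    name: str
    addrs: dict              # iface -> this router's own address
    routes: list             # list of Route

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, as the kernel routing table would do."""
        d = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if d in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
                best = r
        return best


def trace(routers, src, first_hop, dst, max_hops=8):
    """Follow one packet router by router.

    Returns (hops, outcome). A hop is (router, ingress_iface, egress_iface);
    ingress is None when that router sent the packet itself, egress is None
    when it is the final receiver. Outcome: 'delivered', 'no-route',
    'exits-model' (next hop is not a router we model) or 'loop'.
    """
    owner = {ip: (r, ifc) for r in routers for ifc, ip in r.addrs.items()}
    hops, cur = [], first_hop
    for _ in range(max_hops):
        if cur == dst and cur not in owner:
            return hops, "delivered"          # handed to an end host
        if cur not in owner:
            return hops, "exits-model"
        router, in_iface = owner[cur]
        if cur == src and not hops:
            in_iface = None                   # this router originated the packet
        if dst in router.addrs.values():
            hops.append((router.name, in_iface, None))
            return hops, "delivered"
        route = router.lookup(dst)
        if route is None:
            hops.append((router.name, in_iface, None))
            return hops, "no-route"
        hops.append((router.name, in_iface, route.iface))
        cur = route.gateway or dst            # connected route: hand to the host itself
    return hops, "loop"


def symmetry_report(fwd, rev):
    """Per-router verdict. A stateful firewall keeps the state on the interface
    where it first saw the flow, so the reply must re-enter the router where the
    request left and leave where the request entered; anything else arrives
    without a matching state (OPNsense logs it as 'Default deny / state violation')."""
    seen = {name: (i, o) for name, i, o in fwd}
    report = {}
    for name, in_iface, out_iface in rev:
        req_in, req_out = seen.get(name, (object(), object()))
        report[name] = out_iface == req_in and in_iface == req_out
    for name in seen:
        report.setdefault(name, False)        # reply never passed this router at all
    return report


CLIENT = "192.168.50.5"                      # constructed LAN host
FW2_LAN, FW2_WAN, FW1_LAN = "192.168.50.100", "192.168.51.101", "192.168.51.100"


def build(fw1_routes):
    fw2 = Router("FW2", {"vtnet0": FW2_LAN, "vtnet1": FW2_WAN}, [
        Route("192.168.50.0/24", None, "vtnet0"),
        Route("192.168.51.0/24", None, "vtnet1"),
        Route("0.0.0.0/0", FW1_LAN, "vtnet1"),   # FW2 WAN gateway = FW1 LAN (as posted)
    ])
    fw1 = Router("FW1", {"vtnet0": FW1_LAN, "vtnet1": "203.0.113.2"}, fw1_routes)
    return [fw1, fw2]


def ping_check(fw1_routes):
    """Trace client -> FW1 echo request and FW1 -> client echo reply."""
    routers = build(fw1_routes)
    fwd, f_out = trace(routers, CLIENT, FW2_LAN, FW1_LAN)
    rev, r_out = trace(routers, FW1_LAN, FW1_LAN, CLIENT)
    return f_out, r_out, symmetry_report(fwd, rev)


# Scenario 1: FW1 has the static route back to the internal network, as posted.
AS_POSTED = [Route("192.168.51.0/24", None, "vtnet0"),
             Route("192.168.50.0/24", FW2_WAN, "vtnet0")]
# Scenario 2 (constructed): static route missing, default route out the WAN.
MISSING_RETURN_ROUTE = [Route("192.168.51.0/24", None, "vtnet0"),
                        Route("0.0.0.0/0", "203.0.113.1", "vtnet1")]

if __name__ == "__main__":
    for label, routes in (("as posted", AS_POSTED), ("missing return route", MISSING_RETURN_ROUTE)):
        f_out, r_out, report = ping_check(routes)
        print(f"{label}: request={f_out}, reply={r_out}, state ok per router={report}")
```

In the first scenario both firewalls see the reply on the interface where the request created state, so routing alone does not explain the drop and the cause has to be looked for elsewhere (the rule set on FW1's LAN interface, or a capture on `vmbr1` to see what actually arrives). In the second scenario the reply leaves FW1 on `vtnet1` instead of `vtnet0` and never reaches FW2, which is exactly the pattern that produces state-violation logs on a stateful firewall.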
bartjsmit (Hero Member, Posts: 2018, Karma: 194)
Re: Difficulty with DMZ traffic
« Reply #1 on: November 13, 2024, 08:32:58 am »
Any reason why you wouldn't make your DMZ one-armed? I.e. with one firewall having the DMZ on a separate (VLAN) interface.
Routing tends to get a bit messy with two firewalls.
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1604, Karma: 176)
Re: Difficulty with DMZ traffic
« Reply #2 on: November 13, 2024, 09:07:42 am »
You can look at dynamic routing protocols to make routing between multiple routers less of a hassle, since it automates it.
E.g. for simple networks using RIP could solve this with the os-frr plugin:
https://docs.opnsense.org/manual/dynamic_routing.html#rip-section
https://docs.opnsense.org/manual/how-tos/dynamic_routing_rip.html#setup-rip-between-routers
« Last Edit: November 13, 2024, 09:10:27 am by Monviech (Cedrik) »
Hardware: DEC740
SuperModerate (Newbie, Posts: 2, Karma: 0)
Re: Difficulty with DMZ traffic
« Reply #3 on: November 14, 2024, 01:01:27 am »
Thanks for the replies team!
I was originally turned off VLANs because I was told they could add unnecessary complications, but it looks like I may have done that by avoiding them.
I’ll have a look at both VLANs and RIP, this should be enough to get me unblocked, thanks!