Outgoing connections from LAN appear in log with source WAN interface address

[JohnnyBeee]

Hello.

I have a pretty basic OPNsense configuration (see attached pic).

My problem is that one type of outgoing connections from a PC on the LAN (to a socks proxy mainly, only used on that PC) appear in the log as from the firewall itself (with source IP 192.168.3.101). The label for these log entries is "let out anything from firewall host itself".
I cannot find a firewall rule with that description.

So I have 2 questions:
1) Why would these connection wrongly appear to come from the firewall?
2) Where is that rule "let out anything from firewall host itself" (and how can I avoid it clogging up my log)?

Thanks for any help.

[JohnnyBeee]

How strange that this question has inspired NOBODY...

[JohnnyBeee]

Is it that I am the only one experiencing this?
Or is everybody seeing this but nobody cares?

[franco]

"let out anything from firewall host itself" is an internal rule that indeed allows traffic of local services (e.g. DNS, VPN, firmware updates) to connect to the internet. It's not falsely matching LAN traffic. But that may look like LAN traffic if you use a web proxy. 


Cheers,
Franco

[JohnnyBeee]

"let out anything from firewall host itself" is an internal rule that indeed allows traffic of local services (e.g. DNS, VPN, firmware updates) to connect to the internet. It's not falsely matching LAN traffic. But that may look like LAN traffic if you use a web proxy. 


Cheers,
Franco

Thanks for your reply.
Unfortunately this still remains unclear to me.

So this internal rule ("let out anything from firewall host itself") allows local services to connect to the internet.
Great. But the connections listed are not those of local services. Those are clearly connections from the LAN. I am not sure if I used the web proxy on OPNsense at the time, but even if I did, the only communications forwarded to the web proxy would have been HTTP connections on port 80, not connections to socks proxies on wholly different ports.
How could these connections show as emanating from the WAN interface?

[franco]

Can you share the relevant logs to complement your question?

[JohnnyBeee]

Can you share the relevant logs to complement your question?

Unfortunately some time has passed since my ticket submission and I had to reinstall the firewall.
Today I no longer get those message.

I was trying to understand what could have gotten wrong / I could have misconfigured in the past.

Thanks for your help.

[JohnnyBeee]

I was a bit hasty with my last reply.
While I don't see messages in the firewall log, I do get related messages in Suricata:

2018-08-16T14:27:44.195066+0200   allowed   wan   192.168.3.101   6256   85.159.237.208   1090   SURICATA STREAM TIMEWAIT ACK with wrong seq   
2018-08-16T14:26:52.854997+0200   allowed   wan   192.168.3.101   58169   85.159.237.208   1090   SURICATA STREAM CLOSEWAIT FIN out of window   
2018-08-16T14:25:14.962624+0200   allowed   wan   192.168.3.101   54187   85.159.237.208   1090   SURICATA STREAM excessive retransmissions   
2018-08-16T14:25:14.720111+0200   allowed   wan   192.168.3.101   17059   85.159.237.208   1090   SURICATA STREAM CLOSEWAIT FIN out of window   

All these connection come from a computer on the LAN - NOT the OPNsense box.

Why do I not see the IP of the machine on the LAN?
 

[franco]

According to the log you've set Suricata to listen on WAN and it shows the IP after outbound NAT translation on the physical interface.

[JohnnyBeee]

Thank you.

That makes sense.

But how can I get the real originating IP in the log?

I tried to set Suricata to listen on WAN and LAN but strangely enough this somehow blocked all outgoing connections to WAN...
And if possible, I would also like to avoid double entries (1 for LAN a 1for WAN).
Having Suricata listen on the LAN interface/filter LAN connections just for that seems overkill too.
Is there a solution?

[franco]

There is a solution but you are not going to like it.

Basically what you want is a dedicated transparent appliances bridging "WAN" and "LAN" without NAT and listening with Suricata on it which you put between your LAN and the current OPNsense box doing NAT so you have a clear view on your LAN and no NAT involved.

But this kind of mimics running Suricata on LAN on your present box which means traffic blocked means Suricata is not properly tweaked for the network at hand just yet.


Cheers,
Franco