I have set up a DMZ with two Lenovo Tiny PCs: one running OPNsense (outer firewall) and one running OpenWrt (inner firewall). From my notebook I can ping all IP addresses on both interfaces of both firewalls (i.e. the private side and the public side of each firewall). However, when I try to ping the WAN gateway I get 100% packet loss. If I remove OpenWrt and connect directly to the private side of OPNsense, I can surf the net all day long.
Second, with OpenWrt connected I am unable to load the OPNsense web interface using its private-side IP.
Does anybody have an idea how to resolve both of these issues? Image added for clarity.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
root@IFW:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "IFW",
"system": "Intel(R) Core(TM) i5-8600T CPU @ 2.30GHz",
"model": "LENOVO 10RRS0TD00",
"board_name": "lenovo-10rrs0td00",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "x86/64",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
root@IFW:~# cat /etc/config/network
# NOTE(review): OpenWrt is the inner firewall here. eth1/wan sits on the DMZ
# segment 10.0.107.0/24 with OPNsense at 10.0.107.1; eth0/lan is the private
# 192.168.107.0/24 segment.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# Auto-generated ULA prefix for local IPv6 addressing; safe to leave as is.
option ula_prefix 'fd91:082e:df18::/48'
config device
option name 'br-lan'
option type 'bridge'
# Only eth0 is bridged; this box has no /etc/config/wireless (see the cat
# output above), so br-lan is a single wired port.
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.107.1'
option netmask '255.255.255.0'
config interface 'wan'
option device 'eth1'
# Static address on the DMZ side: no DHCP client runs on this interface, so
# the Allow-DHCP-Renew input rule in /etc/config/firewall is not needed.
option proto 'static'
# Default route towards OPNsense's DMZ-side interface. The wan zone
# masquerades, so OPNsense only ever sees 10.0.107.2 and needs no route back
# to 192.168.107.0/24.
option gateway '10.0.107.1'
list ipaddr '10.0.107.2/24'
config interface 'wan6'
option device 'eth1'
# Expects OPNsense to offer IPv6 on the DMZ link. Harmless if it does not,
# but disable it if IPv6 is not intended on this segment so no unplanned
# v6 path exists.
option proto 'dhcpv6'
root@IFW:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@IFW:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# Rejects upstream DNS answers that resolve to private addresses (DNS
# rebinding protection). Keep it on.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
# NOTE(review): authoritative '1' tells dnsmasq it is the only DHCP server on
# the network. The poster says the private LAN is served by a separate DHCP
# server; in that case dnsmasq can NAK leases it does not own. Set this to
# '0', or better disable the lan DHCP section below.
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# localservice '1' restricts the resolver to clients on directly attached
# subnets, so it is not an open resolver towards the DMZ side. Keep it.
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'hybrid'
# dynamicdhcp '0': only hosts with static leases (or /etc/ethers entries)
# get an address from this box. If another DHCP server serves the LAN, the
# cleaner choice is `option ignore '1'` here, mirroring the wan section.
option dynamicdhcp '0'
config dhcp 'wan'
option interface 'wan'
# No DHCP service is offered on the DMZ-facing interface.
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@IFW:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Drop packets conntrack cannot tie to a known flow; a sound default for a
# DMZ-facing box.
option drop_invalid '1'
config zone
option name 'lan'
list network 'lan'
# Hosts on the private LAN may reach the router's own services (LuCI, ssh)
# and be forwarded. Acceptable for the inner firewall.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
# DMZ-facing side: nothing reaches the router itself unless a rule below
# allows it, and nothing is forwarded inwards except through the redirects.
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# masq hides 192.168.107.0/24 behind 10.0.107.2. OPNsense therefore sees every
# private host as 10.0.107.2, so its logs cannot attribute traffic to
# individual LAN hosts.
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
# NOTE(review): the wan interface is static (no DHCP client), so nothing
# renews a lease on it; this rule only opens udp/68 from the DMZ and can be
# removed.
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
# Echo requests from the DMZ side are what the poster used to verify
# reachability; keep while debugging, reconsider once the setup is stable.
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
# NOTE(review): Allow-IPSec-ESP and Allow-ISAKMP below are OpenWrt defaults
# that accept forwarded ESP / IKE (udp/500) from the DMZ to any LAN host.
# They are inert while the LAN is reachable only through masquerade, but
# unless a LAN host terminates IPsec they should be deleted to keep the
# wan->lan policy least-privilege.
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
# NOTE(review): forwarding tcp/25 from the DMZ into the private LAN means
# the mail host lives on the protected side. In a DMZ design the externally
# reachable server belongs on the 10.0.107.0/24 segment, so a compromise of
# it does not land inside the private network.
option dest 'lan'
option target 'DNAT'
option name 'Mail SMTP'
option family 'ipv4'
option src 'wan'
option src_dport '25'
option dest_ip '192.168.107.10'
option dest_port '25'
config redirect
# NOTE(review): unlike the SMTP rule this one has no dest_ip. Per the OpenWrt
# firewall documentation a DNAT redirect without dest_ip is treated as a
# REDIRECT to the router's own address, so tcp/80 arriving from the DMZ lands
# on OpenWrt itself (its web UI, if uhttpd listens there) rather than on the
# mail host. If webmail is the intent add `option dest_ip '192.168.107.10'`
# (and `option family 'ipv4'` to match the SMTP rule); otherwise delete it.
option dest 'lan'
option target 'DNAT'
option name 'Mail HTTP'
option family 'any'
option src 'wan'
option src_dport '80'
option dest_port '80'
config redirect
# NOTE(review): same missing dest_ip as 'Mail HTTP': tcp/443 from the DMZ is
# redirected to OpenWrt itself. Add `option dest_ip '192.168.107.10'` or
# remove the rule.
option dest 'lan'
option target 'DNAT'
option name 'Mail HTTPS'
option family 'any'
option src 'wan'
option src_dport '443'
option dest_port '443'
When I reconnected the OpenWrt firewall to run these commands, I ran pings to each interface and was able to reach all the way out to 50.x.x.110; I then tried www.google.com and got a response there as well, so for whatever reason that issue has resolved itself.
However, I am still not able to connect to the OPNsense web interface when going through OpenWrt to get there.
Some additional information about my network: I do not use my firewall/router for DHCP or DNS, at least not on the private side; I will inside the DMZ. I also have WAPs
that I use for wireless access. I might use the wireless on at least one of the firewalls/routers for smart devices (plugs, switches, etc.).
I figured out what the issue is with accessing the OFW (OPNsense) web interface. I was using Google Chrome, and apparently it has some kind of issue with the OPNsense web interface such that it won't load it. Firefox loads it with no issue.
Edge apparently has an issue with it as well. If someone knows what the issue is, please let me know, especially if you have a solution. (Chrome and Edge are both Chromium-based, so a failure in both but not in Firefox points at how Chromium validates the OPNsense web GUI's TLS certificate rather than at the network path, which the pings above already show is working.)
Chrome keeps adding the https even though I added :80 to the end of the IP address. I even went into site settings and turned on "allow insecure content" and changed Safe Browsing to "no protection". [Reviewer note: OPNsense redirects HTTP to HTTPS by default, so forcing :80 cannot bypass TLS, and Safe Browsing has nothing to do with certificate errors — turn it back on, lowering it only weakens the browser. Read the exact error code on Chrome's error page instead: one well-known cause of exactly this Chromium-only failure is ERR_SSL_KEY_USAGE_INCOMPATIBLE, raised for older self-signed OPNsense GUI certificates that lack a server key-usage extension. The fix is to generate a new web GUI certificate in OPNsense (System → Trust → Certificates), select it under System → Settings → Administration, and then trust that certificate in the browser rather than disabling protections.]