Opnsense rules for relay server

MartinSV80 · February 20, 2023, 10:49pm

All,

I’m running a public relay server in the following setup.

A custom Opnsense box is acting as firewall/router/gateway/dhcp server to my WAN connection. My internal network consists of two VLAN’s: DMZ and Internal. In the DMZ I have a raspberry pi that runs DietPi. The Pi runs the syncthing relay service on ports 22067 and 22070. The IP-Address of the pi is 192.168.20.2.

All traffic from my internal network to the internet is allowed. I only use IPv4, both internal and on the WAN connection.

In Opnsense I have added two port forward rules, forwarding port 22067 and 22070 from the WAN address to the same ports on the Pi.

This seems to work at first sight, but when I was reviewing my firewall logs I noticed that a lot of traffic from 192.168.20.2:22067 to : was blocked by a rule labelled ‘Default deny / state violation rule’.

Question 1: what kind of traffic is this?

Question 2: I think this issue might be related to the state table that the firewall uses to keep track of connections. This assumption is based on this discussion:

and the state type option:

https://docs.opnsense.org/manual/firewall.html#advanced

The solution that eventually worked out was creating one single additional floating rule:

Action: pass
interface: DMZ
Direction: in
Source: pi
Source port: 22067
Destination: any, any port
Advanced options - State type: none

Question 3: is this the proper way to solve the issue?

calmh · February 21, 2023, 9:52am

The relay server just takes regular incoming TCP connections; I have no idea what traffic you’re seeing blocked or what the problem with state would be. This seems like an OPNSense question.

MartinSV80 · February 21, 2023, 9:16pm

Thanks for your quick reply, I’ll check the opnsense forum as well!

klisza1993 · February 22, 2023, 8:37am

How did you setup public relay for everyone? What spurce did you use? Or you just simply run regular gui Dyncthing and forrwarded port? I did the same but i cant see my relay at official map https://relays.syncthing.net/

er-pa · February 22, 2023, 8:44am

This doesn’t sound so great.

Please read the documentation as to how to set up a public relay and how to announce your relay to a public pool. Syncthing Relay Server — Syncthing documentation

If you’re not entirely sure what you’re doing, at the very least don’t port-forward to a regular Syncthing instance’s gui.

klisza1993 · February 22, 2023, 8:57am

Dont worry, im aware of public facing assets. So its mot that im blindly forrward without any wonders. Ive found an official solution, but im looking for Docker-compose. Its much reliable to install etc And ofcourse im will not expose gui…

MartinSV80 · February 22, 2023, 9:47pm

@klisza1993 I added the apt repository (Syncthing | Downloads) to my dietpi install and from there installed the relay server by using apt-get install syncthing-relaysrv. It currently installs version 1.22.1.

Docker container is available at dockerhub, but 1.18.6 is the latest version available and over a year old. I suggest not to use it for security reasons.

You have to forward both ports: 22067 and 22070. The latter is only used for showing the statistics on the public relay webpage. If you don’t forward it, the relay exists but information is not published there.

I have created the following topic on the opnsense forum: Syncthing relay traffic out blocked?

system · March 24, 2023, 9:47pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.