Author Topic: Firewall rules not working  (Read 6321 times)

Senjuu

Firewall rules not working
« on: March 08, 2019, 10:33:39 am »
I recently switched to OPNsense.
I have now set up some firewall rules for LAN, but they are not working as intended.

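My rules are in this order:

| Action | Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
|--------|----------|--------|------|-------------|------|---------|----------|-------------|
| Pass | IPv4 TCP/UDP | LAN net | * | Ali | 443 | * | | Allow Https of Ali |
| Pass | IPv4 TCP/UDP | LAN net | * | Ali | 80 | * | | Allow Http of DMZ |
| Reject | IPv4 * | LAN net | * | DMZ net | * | * | | Deny everything else in DMZ |
| Pass | IPv4 * | LAN net | * | * | * | * | | Allow Internet |
| Pass | IPv6 * | LAN net | * | * | * | * | | Allow Internet |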

"Ali" is an alias to a URI(IPs) within DMZ, and DMZ is a third network interface.
The rules result in me being able to surf the Internet, but not access the Web-Server running on "Ali".
But when I disable the third rule I am able to access the Web-Server running on "Ali".

Now I am not understanding where I am going wrong.
« Last Edit: March 08, 2019, 10:58:04 am by Senjuu »
Logged

RGijsen

Re: Firewall rules not working
« Reply #1 on: March 08, 2019, 10:44:57 am »
Check Firewall --> Log Files --> Live View; if you want, set up a filter to your DNS address, and connect again. Then you'll see whether OPNsense blocks or something else is wrong. Is the DMZ host actually using OPNsense as a gateway to get the traffic back?
Logged

Senjuu

Re: Firewall rules not working
« Reply #2 on: March 08, 2019, 10:56:26 am »
Yes, it is sending the traffic back; as I stated, I can access it if I disable the reject rule.

When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.
« Last Edit: March 08, 2019, 11:04:22 am by Senjuu »
Logged

RGijsen

Re: Firewall rules not working
« Reply #3 on: March 08, 2019, 11:22:13 am »
Quote from: Senjuu on March 08, 2019, 10:56:26 am
Yes, it is sending the traffic back; as I stated, I can access it if I disable the reject rule.

When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.

I just re-read your post, and I can't see you state DMZ can actually send back. As a test, what happens if you replace the Ali alias with the actual IP? Please check in Firewall --> Diagnostics --> pfTables and select the ALI alias. Check if there are actually any hosts in there. Just to be sure, did you put IPs or FQDNs in the alias?
Logged

Senjuu

Re: Firewall rules not working
« Reply #4 on: March 08, 2019, 11:36:16 am »
In the alias I put the IP. In the pftables there was nothing in the "Ali" alias. After I added the correct IP in the pftables, the rules are now working.

But what type shall I select when adding an alias in Firewall => Alias, so that it is correctly added to the pftables?
« Last Edit: March 08, 2019, 11:39:24 am by Senjuu »
Logged

Senjuu

Re: Firewall rules not working
« Reply #5 on: March 08, 2019, 08:44:30 pm »
Through a coincidence I found which type of alias I should have used.

I should have used "Host(s)" instead of "URI(IP)".
Logged
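
The behaviour worked out in this thread, as an added example that is not part of any forum post and not OPNsense code: a simplified model of the IPv4 LAN rules, assuming first-match ("quick") evaluation, constructed addresses (LAN 192.168.1.0/24, DMZ 192.168.2.0/24, Ali at 192.168.2.10) and hypothetical function names. It shows that an alias whose table is empty makes its pass rules match nothing, so the reject rule decides, and it includes a check that flags empty aliases.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
ALI_HOST = ipaddress.ip_network("192.168.2.10/32")

def build_rules(ali_table):
    """The thread's IPv4 LAN rules in order: (action, dst table, port, label).
    A table is a list of networks; port None means any port."""
    return [
        ("pass", ali_table, 443, "Allow Https of Ali"),
        ("pass", ali_table, 80, "Allow Http of DMZ"),
        ("reject", [DMZ_NET], None, "Deny everything else in DMZ"),
        ("pass", [ANY], None, "Allow Internet"),
    ]

def evaluate(rules, src, dst, port, disabled=()):
    """Return (action, label) of the first enabled rule that matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN_NET:
        return ("block", "default deny")
    for action, table, rule_port, label in rules:
        if label in disabled:
            continue
        # An empty table contains no address, so the rule can never match.
        if not any(dst in net for net in table):
            continue
        if rule_port is not None and rule_port != port:
            continue
        return (action, label)
    return ("block", "default deny")

def audit_empty_aliases(aliases):
    """Names of aliases whose table holds no entries (rules using them are dead)."""
    return sorted(name for name, table in aliases.items() if not table)

if __name__ == "__main__":
    client, web = "192.168.1.50", "192.168.2.10"  # constructed hosts
    for name, table in (("empty alias", []), ("populated alias", [ALI_HOST])):
        print(name, evaluate(build_rules(table), client, web, 443))
    print("empty aliases:", audit_empty_aliases({"Ali": []}))
```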
