OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Smack2k on June 18, 2019, 02:20:49 pm

Title: Firewall Rules Assistance to Allow 1 IP to talk to Another
Post by: Smack2k on June 18, 2019, 02:20:49 pm
Looking for some assistance on best way to go about this

I have several VLAN Interfaces setup on my OpnSense FW / Router.  One of the VLANs is blocked from allowing any traffic out or in, so only traffic within the VLAN is permitted (older Windows 9X / DOS / etc machines in a Retro VLAN).  I need to allow just the IP of my NT Server in that VLAN to access DNS from a single IP on another VLAN and also allow the same IP of my NT Server to access File Sharing from a single IP on another VLAN.

Not sure the best way to set this up and get it working... any help is appreciated.
Title: Re: Firewall Rules Assistance to Allow 1 IP to talk to Another
Post by: LouieLouie on June 18, 2019, 10:13:32 pm
I'll take a swing, but I'd bet a lot of money there are better ways to do it...

For the DNS issue: 
On the Retro VLAN firewall rules:  Create an allow rule, source is the NT server ip, destination is ip of DNS server, port = 53, direction = both.  Move this rule above the default deny rule on your Retro VLAN. 
On the DNS Vlan firewall rules:  Create an allow rule, source is the NT server ip, destination is ip of DNS server, port = 53, direction = both.  Move this rule above the default deny rule on your DNS VLAN.

For the File Transfer issue: 
On the Retro VLAN firewall rules:  Create an allow rule, source is the NT server ip, destination is ip of DNS server, port = 53, direction = both.  Move this rule above the default deny rule on your Retro VLAN.  It can be above or below the DNS rule, it just has to be above the Deny rules.
On the File Transfer VLAN firewall rules:  Create an allow rule, source is the NT server ip, destination is ip of DNS server, port = 53, direction = both.  Move this rule above the default deny rule on your File Transfer VLAN.

Discussion point:  I'm not certain about the directions.  I'm suspicious that the 'state' of a connection overrides the need of the "direction = both".  Meaning, if the NT server requests dns services on a 'direction = outbound', then the fact that there was an allowed connected will tell the firewall to allow the return message.  If that's true, it would be more secure.  If the DNS server is compromised... 'direction: both' means the DNS can attack.  'direction: outbound' equals the firewall stopping a DNS service based attack.  And please let me know if I was wrong/right.

Also, if the file transfer will ever initiate from the File server, you might have to build a 'send' and 'receive' rule on both VLANs to allow that, with the File server set as source and the NT server set as destination.  And now that I've offended the real security experts with my ignorance, I'll shut up.  Good luck!

Regards!
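For readers who want to see what the rules above look like once OPNsense has rendered them into the underlying packet filter, here is the pf equivalent of the scenario as an added example (not from the original post or from OPNsense's own configuration). The interface name and all addresses are assumptions; the Windows file-sharing ports (NetBIOS 137/138 UDP, 139 TCP, and SMB direct 445 TCP) are the usual ones and are also an assumption about what the file server listens on. On OPNsense the GUI rules are normally what you edit, but the generated ruleset can be inspected with `pfctl -sr` on the firewall, which is useful for confirming that the rules ended up where you expect.

```pf
# Added example: pf rules for "NT server may reach DNS on one host and
# file sharing on another, everything else from the Retro VLAN is dropped".
# Interface name and addresses below are placeholders, not from the thread.
retro_if    = "vlan10"          # interface carrying the Retro VLAN
nt_server   = "192.168.10.5"    # the one host allowed out of the Retro VLAN
dns_server  = "192.168.20.53"   # DNS server on another VLAN
file_server = "192.168.30.10"   # file server on another VLAN

# Rules are evaluated on the interface a packet ARRIVES on ("in").
# "keep state" records the connection so the reply from the DNS or file
# server is matched against the state table on its way back, which is why
# no matching "direction = out" or reverse rule is needed for replies.
# "quick" stops evaluation at the first match, like the GUI's top-down order.
pass in quick on $retro_if proto { tcp udp } from $nt_server to $dns_server port 53 keep state
pass in quick on $retro_if proto udp from $nt_server to $file_server port { 137 138 } keep state
pass in quick on $retro_if proto tcp from $nt_server to $file_server port { 139 445 } keep state

# Catch-all: anything else entering from the Retro VLAN is dropped.
# Intra-VLAN traffic never crosses the firewall, so it is unaffected.
block in quick on $retro_if

# Only needed if the FILE SERVER must be able to start a session toward the
# NT server (the reverse case mentioned in the post). This goes on the file
# server's interface, since that is where such packets arrive; uncomment
# and set the interface name if you need it.
# file_if = "vlan30"
# pass in quick on $file_if proto tcp from $file_server to $nt_server port { 139 445 } keep state
```

Because the state entry is created by the rule on the ingress interface, the DNS server cannot open a new connection toward the NT server: a packet it originates arrives on its own VLAN interface with no matching state and no pass rule, so the default block applies. That is the practical effect of relying on state rather than on a "both directions" rule.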
Title: Re: Firewall Rules Assistance to Allow 1 IP to talk to Another
Post by: Smack2k on June 19, 2019, 12:04:14 am
Thank you... I am going to give this a shot and will report the results.