OPNsense Forum

English Forums => General Discussion => Topic started by: DualBoot on July 10, 2018, 12:09:46 am

Title: Need some explanation on how to block outgoing traffic without floating rule
Post by: DualBoot on July 10, 2018, 12:09:46 am
Hello Team,

I managed to install OPNsense on a Proxmox virtualization host.
To keep things simple I use Intel network interfaces and set up 2 interfaces:
- em0 with a public IP bound to vmbr0, which is the public bridge
- em1 with a private IP bound to vmbr1, which is a dummy interface in the Proxmox context

Adding an extended gateway in the web UI eases the firewall setup. So my gateway has a different public IP from em0.

Everything seems to run according to what I want, but there is something I cannot understand: why do I need to use a floating rule to block all outgoing traffic?
All my rules are actually set on the WAN interface to allow incoming traffic; the system default rule on this interface is to block all incoming traffic. But, conversely, all outgoing traffic is allowed on this interface, and if I set up a rule to block all outgoing traffic, it does not work and I get this message in the live view: "let out anything from firewall host itself"

So I read that floating rules are evaluated first and allow, as I understand it, the policy to be applied on all interfaces. I could block all outgoing traffic by setting a floating rule, but I would like to know why it works like that. Why can I not set a deny-all policy directly on the WAN interface?

Thank you for your work, regards,

DualBoot

Title: Re: Need some explanation on how to block outgoing traffic without floating rule
Post by: youngman on July 11, 2018, 04:31:25 pm
The traffic you are describing as 'outgoing' is actually coming into the router through which interface? Try setting your block (or preferably 'reject') rules on that interface instead, e.g. the LAN interface.