I recently switched to OPNsense.
I have now set up some firewall rules for LAN, but they are not working as intended.
My rules are in this order:
Action | Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
Pass | IPv4 TCP/UDP | LAN net | * | Ali | 443 | * | | Allow Https of Ali |
Pass | IPv4 TCP/UDP | LAN net | * | Ali | 80 | * | | Allow Http of DMZ |
Reject | IPv4 * | LAN net | * | DMZ net | * | * | | Deny everything else in DMZ |
Pass | IPv4 * | LAN net | * | * | * | * | | Allow Internet |
Pass | IPv6 * | LAN net | * | * | * | * | | Allow Internet |
"Ali" is an alias of type URI(IPs) pointing to a host within DMZ, and DMZ is a third network interface.
With these rules I am able to surf the internet, but I cannot access the web server running on "Ali".
But when I disable the third rule I am able to access the web server running on "Ali".
Now I don't understand where I am going wrong.
Check Firewall --> Log Files --> Live View; if you want, set up a filter on your DNS address, and connect again. Then you'll see whether OPNsense blocks it or something else is wrong. Is the DMZ host actually using OPNsense as a gateway to get the traffic back?
Yes, it is sending the traffic back; as I stated, I can access it if I disable the reject rule.
When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.
Quote from: Senjuu on March 08, 2019, 10:56:26 AM
Yes, it is sending the traffic back; as I stated, I can access it if I disable the reject rule.
When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.
I just re-read your post, and I can't see you state that DMZ can actually send back. As a test, what happens if you replace the Ali alias with the actual IP? Please check Firewall --> Diagnostics --> pfTables and select the Ali alias. Check if there are actually any hosts in there. Just to be sure, did you put IPs or FQDNs in the alias?
In the alias I put the IP. In the pfTables there was nothing in the "Ali" alias. After I added the correct IP in the pfTables the rules are now working.
But what type should I select when adding an alias in Firewall => Alias, so that it is correctly added to the pfTables?
Through a coincidence I found which type of alias I should have used.
I should have used "Host(s)" instead of "URI(IP)".
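The following is an added example, not code from the thread or from OPNsense: a small first-match model of the LAN rule set above, to show why an alias whose pf table is empty lets the "Deny everything else in DMZ" rule catch the HTTPS traffic the first Pass rule was meant to allow. All addresses and networks are constructed sample values; the thread gives none.

```python
import ipaddress

# Constructed sample addressing (assumed; the thread gives none).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
LAN_CLIENT = ipaddress.ip_address("192.168.1.50")
WEB_HOST = ipaddress.ip_address("192.168.2.10")    # the "Ali" web server

# IPv4 rules in the order from the original post:
# (action, protocols, source net, destination, destination port).
# Destination is a network, an alias name (looked up in the pf table) or "*".
RULES = [
    ("pass",   "tcp/udp", LAN_NET, "Ali",   443),
    ("pass",   "tcp/udp", LAN_NET, "Ali",   80),
    ("reject", "*",       LAN_NET, DMZ_NET, "*"),
    ("pass",   "*",       LAN_NET, "*",     "*"),
]

def _dst_matches(rdst, addr, aliases):
    if rdst == "*":
        return True
    if isinstance(rdst, str):                 # alias name -> pf table contents
        return addr in aliases.get(rdst, set())
    return addr in rdst                       # plain network

def evaluate(src, dst, dport, proto, aliases):
    """First-match evaluation of RULES (the rule order in the post).
    Returns (action, rule index); no match means the implicit default deny."""
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(RULES):
        if rproto != "*" and proto not in rproto.split("/"):
            continue
        if src not in rsrc or not _dst_matches(rdst, dst, aliases):
            continue
        if rport != "*" and rport != dport:
            continue
        return action, i
    return "drop", None

def _table(alias_hosts):
    """Model the pf table behind the "Ali" alias; [] = alias never resolved."""
    return {"Ali": {ipaddress.ip_address(h) for h in alias_hosts}}

def https_to_web_host(alias_hosts):
    """LAN client -> web server :443 with the given addresses in the Ali table."""
    return evaluate(LAN_CLIENT, WEB_HOST, 443, "tcp", _table(alias_hosts))

def https_to_internet(alias_hosts):
    return evaluate(LAN_CLIENT, ipaddress.ip_address("203.0.113.7"), 443, "tcp", _table(alias_hosts))

print(https_to_web_host([]))                 # ('reject', 2): empty table, reject rule wins
print(https_to_web_host(["192.168.2.10"]))   # ('pass', 0): Host(s) alias populated
```

With an empty table the two Pass rules can never match, so the Reject rule for "DMZ net" is the first hit, exactly what the "USER_RULE" log entry on LAN showed; internet traffic is unaffected because it falls through to the fourth rule.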