OPNsense Forum

English Forums => General Discussion => Topic started by: tomclewes on March 24, 2020, 09:06:46 PM

Title: No option to setup rule for LAN > WAN
Post by: tomclewes on March 24, 2020, 09:06:46 PM
Setup:
1. Virtualised OPNsense router
2. Version = 20.1.3-i386
3. Sits behind a router, so it has a private IP for its WAN address

Either I'm being absolutely blind or firewall rule creation is not as intuitive as it could be.

I have a virtualised OPNsense router for my lab at home which sits behind my ISP router. The ISP router does the routing to the WWW and the OPNsense router has a private IP for its WAN address.

Clients are able to access the internet when I set the destination as '*' - e.g. on LAN interface. Obviously this also grants 'Any' access to other vlans / interfaces I have setup.

Looking online I see various conflicting advice with most people advising to just use '*' which is wrong and shocking that people think that this is the answer.

My initial thought was to use the WAN Net or WAN Address aliases, but from looking online these only permit traffic to either the WAN address of the OPNsense or the WAN network (e.g. the WAN subnet).

On pretty much all other firewalls, you would create a LAN > WAN > HTTPS > ANY (From Zone > To Zone > Service > Destination) rule. Unfortunately this logic does not seem to apply on OPNsense.

As a temporary measure I have put the (*) rule in place to grant internet access but I would like this locked down.

I have tried playing with the direction setting on both the LAN and the WAN interface firewall rules but can not get the correct behaviour.

I have looked across various forums but have not had much luck but have found that people have done the following:

Create an alias of private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), set that alias as the destination in the firewall then invert the destination

The above seems clunky and is surely not the solution that the developers intended for us to use.

Does anyone know what the 'best practice' rule should look like to permit LAN > WAN > HTTPS > ANY (From Zone > To Zone > Service > Destination) without giving access to everything else with the dreaded (*)?

Thank you in advance  :D
Title: Re: No option to setup rule for LAN > WAN
Post by: johnsmi on March 24, 2020, 09:51:46 PM
Quote from: tomclewes on March 24, 2020, 09:06:46 PM
Create an alias of private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), set that alias as the destination in the firewall then invert the destination

The above seems clunky and is surely not the solution that the developers intended for us to use.
I'm not sure. It makes perfect sense; why should the developers intend something different?

What's the problem with "allow from LAN to NOT-local ..."? "Internet" is "NOT-local". WAN is usually "Internet", with doubleNAT WAN is "Internet + some local net".

Instead of
allow "NOT rfc1918" https

You could use
block rfc1918
allow any https

If you need access to WAN/DMZ/...
allow 192.168.123.0/24 https
block rfc1918
allow any https
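To make the equivalence johnsmi describes concrete, here is a small first-match rule evaluator I added; it is not code from either poster or from OPNsense. It encodes the three rule sets from the reply (the single inverted-destination rule, "block rfc1918 / allow any https", and the variant with a DMZ network allowed first) and runs constructed sample flows through them. It assumes rules are evaluated top-down with first match winning, which is how OPNsense GUI rules behave with the default "quick" flag; the class, function and constant names and the 192.168.123.0/24 DMZ network are my own choices for the illustration.

```python
"""Tiny first-match evaluator for the LAN rule sets discussed in the thread.

Constructed example: models a LAN -> anywhere policy with the three RFC 1918
ranges as an alias, and checks that "allow NOT rfc1918 https" and
"block rfc1918; allow any https" decide the same way for every sample flow.
Assumption: rules are evaluated top-down, first match wins (the default
"quick" behaviour of OPNsense GUI rules). All names here are my own, not
OPNsense identifiers.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Alias of private networks, exactly as listed in the original post.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HTTPS = 443


@dataclass
class Rule:
    action: str                                                      # "pass" or "block"
    dst: List[ipaddress.IPv4Network] = field(default_factory=list)   # empty list = any ("*")
    dport: Optional[int] = None                                      # None = any port
    invert_dst: bool = False                                         # the GUI's "invert destination"

    def matches(self, dst_ip: str, dport: int) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        in_dst = not self.dst or any(ip in net for net in self.dst)
        if self.invert_dst:
            in_dst = not in_dst
        port_ok = self.dport is None or self.dport == dport
        return in_dst and port_ok


def evaluate(rules: List[Rule], dst_ip: str, dport: int) -> str:
    """Verdict for a flow from LAN to dst_ip:dport.

    First matching rule wins; if nothing matches, the implicit default deny
    applies.
    """
    for rule in rules:
        if rule.matches(dst_ip, dport):
            return rule.action
    return "block"


# Variant 1: a single pass rule with the alias as destination, inverted.
INVERTED = [Rule("pass", RFC1918, HTTPS, invert_dst=True)]

# Variant 2: block the alias first, then allow HTTPS to anything left.
BLOCK_THEN_ALLOW = [Rule("block", RFC1918), Rule("pass", [], HTTPS)]

# Variant 3: same, but a DMZ-style network is allowed before the block.
DMZ = ipaddress.ip_network("192.168.123.0/24")
WITH_DMZ = [Rule("pass", [DMZ], HTTPS), Rule("block", RFC1918), Rule("pass", [], HTTPS)]

# Constructed sample flows: (destination, port). 203.0.113.0/24 is
# documentation address space standing in for "the internet".
SAMPLE_FLOWS: List[Tuple[str, int]] = [
    ("203.0.113.10", HTTPS),   # internet, https
    ("203.0.113.10", 80),      # internet, http: no variant allows this
    ("192.168.1.10", HTTPS),   # another local VLAN
    ("172.31.0.5", HTTPS),     # inside 172.16.0.0/12
    ("10.0.0.1", 22),          # private, non-https
    ("192.168.123.7", HTTPS),  # the DMZ network
]


def decisions(rules: List[Rule]) -> List[str]:
    """Verdicts for every sample flow, in SAMPLE_FLOWS order."""
    return [evaluate(rules, ip, port) for ip, port in SAMPLE_FLOWS]


def rulesets_agree(a: List[Rule], b: List[Rule]) -> bool:
    """True if both rule sets return the same verdict for every sample flow."""
    return decisions(a) == decisions(b)


if __name__ == "__main__":
    labels = [f"{ip}:{port}" for ip, port in SAMPLE_FLOWS]
    for name, rules in (("inverted", INVERTED), ("block+allow", BLOCK_THEN_ALLOW), ("with DMZ", WITH_DMZ)):
        print(f"{name:12s}", dict(zip(labels, decisions(rules))))
    print("inverted == block+allow:", rulesets_agree(INVERTED, BLOCK_THEN_ALLOW))
```

Two things worth checking on a real box that this toy makes visible: the inverted single rule and the block-then-allow pair only stay equivalent while the pass rule is restricted to the one service (drop the port and the pair becomes "allow everything non-private"), and the order of the DMZ exception matters, since placing it below the block rule makes it dead.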