OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: Dragonfly on June 24, 2020, 07:08:43 PM

Title: In/out firewall rules misunderstanding
Post by: Dragonfly on June 24, 2020, 07:08:43 PM
Hello,

I'm busy partitioning my network into VLANs. I started by allowing all traffic between the VLANs and am now starting to pull up walls between them. I'll give a simple example as to the source of my confusion:

Say I have 2 VLANs: 10 and 20. Both are set up as normal LAN interface with their own subnet and DHCP enabled. The subnet is 10.10.10.0/24 and 10.10.20.0/24, respectively.

OPNsense hands out the proper IP and internet access works. I can also reach resources on all subnets, regardless of VLAN, so it's safe to assume I didn't misconfigure my switches (which are managed L2 only).

My confusion is here: what I want is to deny all traffic from VLAN 20 to VLAN 10. VLAN 10 is allowed to access VLAN 20, however.

So I figured I should make a top rule with the following specs:

Quote:
Action: reject
Quick: true
Interface: vlan_10
Direction: In
Source: vlan_20 net
Destination: *

The rest is all default

However, I could still reach VLAN 10 from VLAN 20. I even tried changing source to *. And I set an opposite rule with the following specs:

Quote:
Action: reject
Quick: true
Interface: vlan_20
Direction: Out
Source: *
Destination: vlan_10 net

To no avail.

Then I found out that if I switch the direction in any rule from Out to In or vice versa, it does exactly what I want it to. Setting a reject rule for "in" traffic also blocks internet access and access to all other subnets through that interface, even though all "out" traffic has been whitelisted in an earlier rule.

What am I missing here? It seems that OPNsense does connection tracking, so stateless rules aren't necessary. Is my background in Linux/iptables playing tricks on me? What I want is the equivalent of:

iptables -i vlan10 -A INPUT -s 10.10.20.0/24 -j REJECT

and

iptables -o vlan20 -A OUTPUT -d 10.10.10.0/24 -j REJECT

Any help is appreciated!
Title: Re: In/out firewall rules misunderstanding
Post by: Dragonfly on June 25, 2020, 02:12:18 PM
Ok, I found out there was an error in my thinking. I figured I should give people an update.

My "beef" wasn't with the difference between iptables vs pf or something (I actually have several FreeBSD boxes with manually managed pf firewalls), but with the fact that I usually only manage servers, not routers. So then it makes sense that in and out would be reversed.

I.e. incoming traffic for my server on my (V)LAN would be considered outgoing traffic for the router. And vice versa.
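A small model of the interface/direction semantics described in the follow-up, added here as an illustration (it is not from the thread or from OPNsense/pf). It uses the two subnets and interface names from the original post; the host addresses, the "wan" uplink name and the 203.0.113.10 internet address are constructed.

```python
import ipaddress

# Constructed model of the router in the thread: each interface and its attached subnet.
# "vlan_20 net" in the OPNsense GUI is shorthand for the subnet attached to that interface.
NETS = {
    "vlan_10": ipaddress.ip_network("10.10.10.0/24"),
    "vlan_20": ipaddress.ip_network("10.10.20.0/24"),
}

def attached_iface(addr):
    """Interface whose subnet contains addr; anything else is reached via the uplink."""
    ip = ipaddress.ip_address(addr)
    for name, net in NETS.items():
        if ip in net:
            return name
    return "wan"  # hypothetical uplink interface name

def rule_matches(rule, iface, direction, src, dst):
    if rule["iface"] != iface or rule["dir"] != direction:
        return False
    for key, addr in (("src", src), ("dst", dst)):
        if rule[key] != "*" and ipaddress.ip_address(addr) not in NETS[rule[key]]:
            return False
    return True

def decide(rules, src, dst):
    """Evaluate the first packet of a flow as the router sees it: it arrives "in" on the
    source's interface and leaves "out" on the destination's. All rules are quick
    (first match wins) and the default is pass, matching the allow-all setup in the post.
    Real pf is stateful, so replies to a passed packet match state rather than these rules."""
    hops = [(attached_iface(src), "in"), (attached_iface(dst), "out")]
    for iface, direction in hops:
        for rule in rules:
            if rule_matches(rule, iface, direction, src, dst):
                if rule["action"] == "reject":
                    return ("reject", iface, direction)
                break  # a quick pass rule ends evaluation for this hop
    return ("pass", None, None)

# The first attempt in the post: filter on the destination VLAN's interface, direction "in".
ORIGINAL = [{"action": "reject", "iface": "vlan_10", "dir": "in", "src": "vlan_20", "dst": "*"}]
# What the follow-up implies: a VLAN 20 host's packets enter the router on vlan_20, so filter there.
CORRECTED = [{"action": "reject", "iface": "vlan_20", "dir": "in", "src": "vlan_20", "dst": "vlan_10"}]

if __name__ == "__main__":
    print(decide(ORIGINAL, "10.10.20.5", "10.10.10.5"))     # ('pass', None, None): never hits vlan_10 "in"
    print(decide(CORRECTED, "10.10.20.5", "10.10.10.5"))    # ('reject', 'vlan_20', 'in')
    print(decide(CORRECTED, "10.10.20.5", "203.0.113.10"))  # ('pass', None, None): internet still works
```

The same model shows why a reject rule with source * on vlan_10 "in" cuts off internet access for VLAN 10 hosts: every packet those hosts send enters the router on that interface and direction.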
Title: Re: In/out firewall rules misunderstanding
Post by: gpb on June 25, 2020, 07:43:55 PM
Glad you got it figured out. I've found this to be a good reference... probably others too.

https://docs.netgate.com/pfsense/en/latest/book/firewall/firewall-fundamentals.html