What is the best way to block all hosts in a continuous block of LAN IPv4 addresses from any internet access?
I'm new to OPNsense so am probably missing something basic but have been struggling with this and appear to be going around in circles without success!
My network is simple - 1 LAN, 2 WANs configured on a gateway as a failover group. I have a set of IP cameras that I want to ensure have NO internet access. They are in a continuous address range. IPv4 only, no IPv6.
My attempts have involved:
- setting an alias for the cameras. I've used a URL table and a list of hosts.
- I've set up block rules on the two WAN interfaces in various combinations (in, out and any) and placed these rules at the top of the stack.
And the devices in the block of addresses simply continue to ping internet addresses.
I'm clearly missing something basic and fundamental but am stumped so any guidance or help appreciated.
Thanks in advance.
Block them on the LAN interface
Thanks for your response, Greelan
I've tried that and a device in range keeps on pinging Amazon.
See screenshot attached - this is the top rule and I have enabled it and applied it.
What are the 6 rules you haven't expanded?
Auto-created rules - see attachment (can't figure out how to post inline)
The device might still be pinging, but are the pings getting through?
You don't have any relevant floating or group rules that are applying in priority?
Also check there are no NAT rules for ICMP.
Yes, pings are succeeding, as are http and https sessions.
Please see the expanded Floating Rules tab - all auto-generated (although I'm unclear what that means in context of the header message)
I'm not familiar with Group Rules - where are these shown please?
I've checked, no NAT rules.
Thanks for all your help, folks! Much appreciated!
If you haven't created any firewall groups, then you won't see any rules.
Are you sure your Alias is right? Maybe test with a separate rule that just uses the device's IP directly?
I've not created Groups.
I have tested with specific IP addresses, too. Both by cloning the rule and changing the address and by starting afresh. I am careful to always make the new rule the top one, too.
And applied the changes after moving them, right?
Yes, I should have said that, sorry.
I'm stumped - again, thanks for your help and ideas.
You mentioned you have a multi-WAN gateway group. I wonder if there is some routing issue relating to that, e.g. the camera traffic is only being blocked out of one WAN interface but not the other? I don't have experience with a multi-WAN setup but presumably you want the block to apply to the gateway group? Do you need to select that as the Gateway in the rule?
I have tried adding 4 separate rules to the WAN circuits, too - each an In/Out pair blocking this range and that also didn't help.
I'm starting to wonder if there is some kind of corruption to the config and whether it may be better to simply start afresh and rebuild from a new installation.
No, I am talking about the LAN rule - Gateway under advanced features.
Ah, sorry, I misunderstood.
That is only possible in the 'in' direction - trying to configure it for 'out' gives the attached error message.
Having said that, setting it on 'in' does seem to be working so thank you for your suggestion! I'm out of time now but will continue testing this evening and report back.
You want the rule to apply "in" - it is traffic coming from a device on the LAN into the LAN interface on OPNsense.
Thank you, Greelan. I now realise that I had got myself completely confused about what was 'in' and 'out'. It is working now.
I must thank you and this forum for your assistance - much appreciated!
No problem
The other thing to understand is that, because of outbound NAT on IPv4, traffic going out the WAN interface to the internet won't have as its source IP the internal IP of your cameras, but instead your public IP (otherwise return traffic from the internet could not find its way back). You can see this if you watch the WAN interface in the live firewall logs. That's why your WAN rules didn't work.
In any event, usually the best approach to firewall rules is to apply them on the interface where the traffic is first handled by OPNsense (in your cameras' case, the LAN interface). Saves unnecessary processing of traffic that is going to be dropped anyway later.
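The explanation above, as an added illustration that is not part of the thread and not OPNsense code: a deliberately simplified model of the pf pipeline (rule evaluated "in" on LAN with the real source address, outbound NAT on WAN rewrites the source to the public IP, rule evaluated "out" on WAN with the translated source; first matching rule wins, unmatched inbound is blocked and unmatched outbound is passed). The addresses are constructed for the example: cameras at 192.168.1.100-192.168.1.115, public IP 203.0.113.10. It also shows how a continuous range summarizes into the CIDR blocks you would put in a Network alias.

```python
"""Added illustration: why a source-based block on the WAN interface misses NATed camera traffic.

Simplified model of OPNsense/pf packet handling, not OPNsense code. The addresses
(cameras 192.168.1.100-192.168.1.115, public IP 203.0.113.10) are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

CAMERA_FIRST = ipaddress.ip_address("192.168.1.100")
CAMERA_LAST = ipaddress.ip_address("192.168.1.115")
WAN_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")


def range_to_cidrs(first, last):
    """Summarize a contiguous range into CIDR blocks (what a Network alias holds)."""
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


@dataclass
class Rule:
    interface: str            # "lan" or "wan"
    direction: str            # "in" or "out"
    action: str               # "block" or "pass"
    src: list = field(default_factory=list)  # ip_network objects; empty means "any"

    def matches(self, interface, direction, src_ip):
        if self.interface != interface or self.direction != direction:
            return False
        return not self.src or any(src_ip in net for net in self.src)


def evaluate(rules, interface, direction, src_ip):
    """First matching rule wins (OPNsense rules are 'quick' by default).

    Assumed simplification of the automatic rules: unmatched inbound traffic on an
    interface is blocked, unmatched outbound traffic is passed.
    """
    for rule in rules:
        if rule.matches(interface, direction, src_ip):
            return rule.action
    return "block" if direction == "in" else "pass"


def reaches_internet(rules, src_ip, outbound_nat=True):
    """Walk one LAN host's packet toward the internet through the simplified pipeline.

    1. Evaluated 'in' on LAN with the host's real address.
    2. Outbound NAT on WAN rewrites the source to the public IP.
    3. Evaluated 'out' on WAN, now with the translated source.
    """
    src_ip = ipaddress.ip_address(src_ip)
    if evaluate(rules, "lan", "in", src_ip) == "block":
        return False
    wan_src = WAN_PUBLIC_IP if outbound_nat else src_ip
    return evaluate(rules, "wan", "out", wan_src) == "pass"


CAMERAS = [ipaddress.ip_network(c) for c in range_to_cidrs(CAMERA_FIRST, CAMERA_LAST)]
LAN_ALLOW_ALL = Rule("lan", "in", "pass")  # the stock "Default allow LAN to any" rule

# What the original poster tried: block the camera alias on the WAN interface.
WAN_BLOCK_RULESET = [Rule("wan", "out", "block", CAMERAS), LAN_ALLOW_ALL]

# What worked: block the alias on the LAN interface, direction in, above the allow-all rule.
LAN_BLOCK_RULESET = [Rule("lan", "in", "block", CAMERAS), LAN_ALLOW_ALL]

if __name__ == "__main__":
    print("camera alias CIDRs:", range_to_cidrs(CAMERA_FIRST, CAMERA_LAST))
    for name, ruleset in (("WAN block", WAN_BLOCK_RULESET), ("LAN block", LAN_BLOCK_RULESET)):
        print(f"{name}: camera reaches internet = {reaches_internet(ruleset, '192.168.1.105')}, "
              f"other LAN host = {reaches_internet(ruleset, '192.168.1.50')}")
```

Run as a script it prints the alias CIDRs and, for each ruleset, whether a camera and a non-camera host get out. With the WAN ruleset the camera still gets out because the source the WAN rule sees is 203.0.113.10, not the camera address; passing `outbound_nat=False` to `reaches_internet` shows the behaviour the poster expected, which only exists without NAT.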
Thanks again - all useful comments and thoughts, too.