OPNsense Forum

English Forums => General Discussion => Topic started by: seki on October 17, 2021, 02:09:56 AM

Title: These default floating rules...
Post by: seki on October 17, 2021, 02:09:56 AM
Hi Everyone!

So I've followed this guide (https://www.youtube.com/watch?v=kYFNa_zpeII) to set up two LAN networks on separate physical ports.

Everything went smoothly for LAN1, but when I started to copy the rules (16:35 (https://youtu.be/kYFNa_zpeII?t=995)) I specifically skipped the rule that allows LAN2 to query DNS:

(https://i.imgur.com/YYAjVRB.png)

It should deny and reject access to DNS for LAN2 devices, shouldn't it?


(https://i.imgur.com/m8OAhgz.png)
192.168.5.200 is the WAN IP

Well, not really... This floating rule gets in the way, and I have no idea how to make it work so that only LAN1 devices can access DNS. Can someone explain to the kid who is trying to understand what's going on?

full IMGUR collection (https://imgur.com/a/rvk6urI)


I would love to understand why these floating rules cannot be edited. Even when I change the LAN2 DNS rule from Pass to Reject, it is still being let through by the "let out anything from firewall host itself" rule.
Title: Re: These default floating rules...
Post by: Greelan on October 17, 2021, 02:47:14 AM
?? You do have an allow DNS rule on LAN2?
Title: Re: These default floating rules...
Post by: seki on October 17, 2021, 02:54:10 AM
Right, I apologize for confusion. Wrong screen.

The rule is removed from LAN2 (see attachment 1.png)
Title: Re: These default floating rules...
Post by: Greelan on October 17, 2021, 03:03:45 AM
What are the configured DNS server(s) on the Pi? If they are public servers, or even a server in the LAN1 net, then of course your rules won't block them.

If you want to block DNS queries to anywhere, then put a specific block rule first. But why would you want to do that? All manner of stuff will break.
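As an added illustration (not from this thread and not OPNsense's own code) of why a missing pass rule does not block anything, why the "let out anything from firewall host itself" rule never matches a LAN2 host, and why an explicit block rule only works when it sits before the pass rule: a simplified model of first-match rule evaluation. The rule sets, the LAN2 subnet 10.0.2.0/24 and the firewall's own addresses are constructed assumptions, and every rule is assumed to be "quick" (first match wins), which is the OPNsense default.

```python
# Simplified model of first-match packet filtering (assumption: all rules are
# "quick", floating rules are evaluated before interface rules, no match = deny).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    name: str
    action: str            # "pass", "block" or "reject"
    src: str               # CIDR, "any", or "self" (the firewall's own addresses)
    dport: Optional[int]   # destination port, None = any port
    quick: bool = True     # first match wins; otherwise the last match wins

# Constructed sample: the firewall's own interface addresses (LAN1, LAN2, WAN).
FIREWALL_SELF = {"10.0.1.1", "10.0.2.1", "192.168.5.200"}

def matches(rule: Rule, src: str, dport: int) -> bool:
    if rule.src == "self":
        src_ok = src in FIREWALL_SELF          # only the firewall host itself
    elif rule.src == "any":
        src_ok = True
    else:
        src_ok = ip_address(src) in ip_network(rule.src)
    return src_ok and (rule.dport is None or rule.dport == dport)

def evaluate(floating: List[Rule], iface_rules: List[Rule], src: str, dport: int) -> str:
    """Return the verdict for a packet from src to dport: floating rules first,
    then the interface's rules; a quick match ends evaluation immediately."""
    verdict = "block (default deny)"
    for rule in floating + iface_rules:
        if matches(rule, src, dport):
            verdict = f"{rule.action} by '{rule.name}'"
            if rule.quick:
                return verdict
    return verdict

# Constructed rule sets modelling the situation described in the thread.
FLOATING = [Rule("let out anything from firewall host itself", "pass", "self", None)]
LAN2 = "10.0.2.0/24"
LAN2_NO_DNS_RULE = [Rule("LAN2 allow any", "pass", LAN2, None)]   # DNS rule simply omitted
LAN2_BLOCK_FIRST = [Rule("LAN2 reject DNS", "reject", LAN2, 53),
                    Rule("LAN2 allow any", "pass", LAN2, None)]
LAN2_BLOCK_LAST = list(reversed(LAN2_BLOCK_FIRST))

if __name__ == "__main__":
    for label, rules in [("no DNS rule", LAN2_NO_DNS_RULE), ("block first", LAN2_BLOCK_FIRST),
                         ("block last", LAN2_BLOCK_LAST)]:
        print(f"{label:12s} LAN2 host -> DNS: {evaluate(FLOATING, rules, '10.0.2.50', 53)}")
    print(f"firewall itself -> DNS: {evaluate(FLOATING, LAN2_BLOCK_FIRST, '192.168.5.200', 53)}")
```

Only the firewall's own addresses hit the floating "self" rule; a LAN2 host's DNS query is decided by the LAN2 rules, so omitting the pass rule does nothing while an allow-any rule exists, and a reject rule placed after that allow-any is never reached.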
Title: Re: These default floating rules...
Post by: seki on October 17, 2021, 03:11:28 AM
pi@raspberrypi:~ $ cat /etc/resolv.conf
# Generated by resolvconf
domain localdomain
search localdomain home
nameserver 10.0.1.1
nameserver 192.168.5.1

Well... To me it is strange that when I followed the YouTube guide I had to add the rule for LAN1 so I could do "ping google.com", but when I literally copied over the rules to LAN2 (except the DNS one, so I could learn and get the feeling) I was surprised that LAN2 completely ignores the missing DNS rule, whilst LAN1 has to have it or else ping by DNS name won't work.

This is what I am curious about.
Title: Re: These default floating rules...
Post by: seki on October 17, 2021, 03:19:53 AM
Oh my God!!!

I deeply apologize! I am so eFing stupid that I did not notice that the damn RPi has WiFi turned on, which has its own nameserver pointing to the ISP router.

I'll go run against the wall with my head a couple of times...
Title: Re: These default floating rules...
Post by: Greelan on October 17, 2021, 03:21:57 AM
Well, it would all depend on what DNS servers are being handed out on the LAN1 net or otherwise used by hosts in the LAN1 net, and therefore whether that traffic would otherwise be blocked on LAN1 by your rules.