I started playing with a shiny new Opnsense box ... and immediately ran into trouble.
(Among other things) I have
- interfaces named ExternalInternetWan and Periphery
- set up DNS forwarding following https://forum.opnsense.org/index.php?topic=9245.0
As a result, the rules table for the Periphery interface looks like this:
Protocol      Source  Port  Destination              Port      Gateway  Schedule  Description
Automatically generated rules
IPv4 UDP      *       68    255.255.255.255          67        *        *         allow access to DHCP server
IPv4+6 UDP    *       68    (self)                   67        *        *         allow access to DHCP server
IPv4+6 UDP    (self)  67    *                        68        *        *         allow access to DHCP server
IPv4 TCP/UDP  *       *     127.0.0.1                53 (DNS)  *        *         Reroute all DNS Queries through the Firewall
IPv4+6 *      *       *     This Firewall            *         *        *         Allow traffic to the firewall
IPv4+6 *      *       *     ExternalInternetWAN net  *         *        *         Allow traffic into the external network
I expect this to provide web access to the devices in the network served by the Periphery interface.
The logs, however, show such traffic being denied by the Default deny rule from the floating set, implying that the last rule above fails.
What am I doing wrong? Thanks for any pointers.
I'm assuming that ExternalInternetWAN is the interface that obtains your public IP from the ISP. If so ExternalInternetWAN net does not represent the entire internet. It only represents the subnet that your public IP is on. Instead, create an alias that consists of all private (RFC1918) addresses. They are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Next, change your last rule to allow traffic to the inverse (Destination/Invert checkbox) of that alias.
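To make the difference between the two rules concrete, here is a small first-match rule evaluator. It is an example added to this thread, not code from the poster or from OPNsense, and it assumes example addressing: the WAN interface on an ISP subnet 203.0.113.0/24, Periphery on 192.168.10.0/24 with the firewall at 192.168.10.1. The RFC1918 alias is the three blocks listed in the answer above.

```python
"""Added example (not from the thread or from OPNsense): a first-match rule
evaluator that reproduces why the original 'ExternalInternetWAN net' rule
falls through to the default deny for internet destinations, and why an
inverted RFC1918 alias does not. The WAN subnet 203.0.113.0/24 and the
firewall address 192.168.10.1 are assumed values chosen for the example."""

import ipaddress
from dataclasses import dataclass

# Assumed example addressing: WAN sits on an ISP /24, the firewall's own
# Periphery address is 192.168.10.1.
WAN_NET = ipaddress.ip_network("203.0.113.0/24")
FIREWALL_SELF = [ipaddress.ip_network("192.168.10.1/32")]

# The RFC1918 alias exactly as listed in the answer.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Rule:
    action: str            # "pass" or "block"
    dests: list            # networks the destination is matched against
    invert: bool = False   # the Destination/Invert checkbox
    description: str = ""

    def matches(self, dst):
        hit = any(dst in net for net in self.dests)
        # Invert turns "destination in alias" into "destination NOT in alias".
        return hit != self.invert


def evaluate(rules, dst_str):
    """First matching rule wins; no match means the floating default deny."""
    dst = ipaddress.ip_address(dst_str)
    for rule in rules:
        if rule.matches(dst):
            return rule.action, rule.description
    return "block", "Default deny rule"


# The last two rows of the poster's table, as originally written.
ORIGINAL_RULES = [
    Rule("pass", FIREWALL_SELF, description="Allow traffic to the firewall"),
    Rule("pass", [WAN_NET], description="Allow traffic into the external network"),
]

# The same table with the last rule replaced by the answer's suggestion.
FIXED_RULES = [
    Rule("pass", FIREWALL_SELF, description="Allow traffic to the firewall"),
    Rule("pass", RFC1918, invert=True,
         description="Allow traffic to non-RFC1918 destinations"),
]


def main():
    # Constructed sample destinations: a public web host, a host on the ISP's
    # WAN subnet, the firewall itself, and a host on another private network.
    samples = ["93.184.216.34", "203.0.113.7", "192.168.10.1", "10.5.5.5"]
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for dst in samples:
            action, why = evaluate(rules, dst)
            print(f"{name:8} {dst:15} {action:5} ({why})")


if __name__ == "__main__":
    main()
```

With the original rule set only 203.0.113.7 (a neighbour on the ISP subnet) passes the last rule, and a public web host hits the default deny, which is exactly what the poster's logs show. With the inverted alias the public host passes, while 10.5.5.5 still falls through to the default deny, so Periphery cannot reach other private networks unless a rule above the inverted one allows it (here the "This Firewall" rule lets it reach 192.168.10.1). Note that "not RFC1918" is broader than "the internet": link-local and CGNAT ranges such as 100.64.0.0/10 are not in the alias either, so add them if you need those blocked as well.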
Many thanks for your explanation and solution - that makes it work the way I intended it.