OPNsense Forum

English Forums => General Discussion => Topic started by: coalbl4ck on April 06, 2022, 11:33:03 pm

Title: Firewall Rules - WAN address/ net
Post by: coalbl4ck on April 06, 2022, 11:33:03 pm
Hi,

So basically, by accident I stumbled upon this.
In my setup I have a router from the ISP and behind that is my OPNsense.

So, I was playing around with ICMP on my firewall (DNS resolution works) and I have two scenarios.

1. Destination = *
2. Destination = WAN net/address

Now the second doesn't work (blocked by default deny), so I was wondering if maybe my understanding of WAN net is wrong.
I thought of it as all IP addresses "behind" the WAN IP address (basically the Internet).

However, that doesn't seem to be the case?
I am completely lost and I think I just completely misunderstood something and would really appreciate any help!
Title: Re: Firewall Rules - WAN address/ net
Post by: Patrick M. Hausen on April 07, 2022, 12:07:28 am
WAN net is the addresses local to the WAN interface and not "the Internet". So if you get a single IP address via PPPoE then WAN net is that address. If you get a statically routed /29 for a business connection, then WAN net is that /29.

True for all interfaces. XY net = the directly connected network on interface XY.
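To make the definition above concrete, here is a constructed pf.conf fragment, added as an example; it is not from the thread and not OPNsense's generated ruleset. The interface names and addresses are assumed: em0 is the WAN with 203.0.113.10 on a statically routed 203.0.113.8/29, em2 is a DMZ on 192.168.2.0/24. In pf terms the GUI alias "WAN net" is `em0:network` and "WAN address" is the interface's own address, written `em0` (or `(em0)` when the address is dynamic).

```pf
# Constructed example, not OPNsense's generated rules. Assumed layout:
#   em0 = WAN, 203.0.113.10 on the statically routed 203.0.113.8/29
#   em2 = DMZ, 192.168.2.0/24
wan_if = "em0"
dmz_if = "em2"

# What most people mean by "the Internet": everything that is not a
# private range. There is no built-in alias for this; it has to be
# spelled out as a table.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Scenario 2 from the first post. $wan_if:network is "WAN net", i.e.
# 203.0.113.8/29 only. A ping from the DMZ to 8.8.8.8 does not match
# this rule and falls through to the final block (the default deny).
pass in quick on $dmz_if inet proto icmp \
    from $dmz_if:network to $wan_if:network icmp-type echoreq

# "WAN address" would be the interface's own address: $wan_if, or
# ($wan_if) if the address is dynamic (PPPoE, DHCP). That matches even
# less, just 203.0.113.10 itself.

# What the first post actually wanted: allow the DMZ to ping anything
# that is not private address space. 8.8.8.8 matches; 192.168.1.1 on
# the LAN does not.
pass in quick on $dmz_if inet proto icmp \
    from $dmz_if:network to ! <rfc1918> icmp-type echoreq

# Default deny for everything else entering from the DMZ.
block in quick on $dmz_if
```

Two caveats with the `! <rfc1918>` approach. It only excludes the three RFC 1918 blocks, so the WAN interface's own /29, a CGNAT range such as 100.64.0.0/10, or an ISP router's subnet in a double-NAT setup are treated as "Internet" unless you add them to the table. For IPv6 the analogous private ranges are fc00::/7 and fe80::/10, but your own global prefix is public address space, so it has to be added to the exclusion table explicitly; that is the difficulty mentioned later in this thread.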
Title: Re: Firewall Rules - WAN address/ net
Post by: coalbl4ck on April 07, 2022, 12:41:41 am
Yeah, that's kind of what I thought too, and it clears things up. Thank you!

Also it leaves me with another question.
If I have multiple interfaces (e.g. WAN, LAN, DMZ), is it possible to restrict the DMZ so that it can only ping/request data from the WAN?
Title: Re: Firewall Rules - WAN address/ net
Post by: bimbar on April 07, 2022, 10:32:51 am
The accepted solution seems to be that WAN is everything that is not yours. Or possibly not RFC1918 addresses.
In IPv6 this gets more difficult.
Title: Re: Firewall Rules - WAN address/ net
Post by: Patrick M. Hausen on April 07, 2022, 10:41:58 am
Unfortunately pf does not have an idea about source or destination interfaces. The rules work on an interface, either in or out, but "destined for the Internet interface" is simply not possible.

I have a similar situation with my multi-tenant hosting environment. While each customer should be able to reach the Internet outbound without restrictions, the servers should not be able to reach into other customers' networks. Except of course the services these other customers expose publicly, because public means public. That complicates matters a bit.

I think I'll investigate labelling packets leaving a customer's network and then checking those labels in outbound rules for all the customer interfaces.
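A sketch of the tag-based approach described above, as a constructed pf.conf fragment added here; it is not the poster's ruleset and not OPNsense-generated (the GUI exposes the same `tag` / `tagged` mechanism through the tag and match-tag options in a rule's advanced settings). Interface names, networks and the exposed ports are assumed: em1 is customer A on 10.1.0.0/24, em2 is customer B on 10.2.0.0/24, em0 is the WAN, and each customer exposes TCP 80 and 443 publicly.

```pf
# Constructed example, not a production ruleset. Assumed layout:
#   em1 = customer A, 10.1.0.0/24
#   em2 = customer B, 10.2.0.0/24
#   em0 = WAN
cust_a_if = "em1"
cust_b_if = "em2"
public_ports = "{ 80, 443 }"

# States must be bound to the interface they were created on.
# With floating states, the state created by the "pass in" rule on
# em1 also matches the packet as it leaves em2, and the "out" rules
# below are never consulted.
set state-policy if-bound

# Tag each packet with the customer network it came from. pf cannot
# express "destined for the Internet interface", but it can remember
# where a packet entered.
pass in quick on $cust_a_if from $cust_a_if:network tag CUST_A
pass in quick on $cust_b_if from $cust_b_if:network tag CUST_B

# On each customer interface, let the other customer in only to the
# publicly exposed services, then drop the rest of their traffic.
pass out quick on $cust_b_if proto tcp to $cust_b_if:network \
    port $public_ports tagged CUST_A
block out quick on $cust_b_if tagged CUST_A

pass out quick on $cust_a_if proto tcp to $cust_a_if:network \
    port $public_ports tagged CUST_B
block out quick on $cust_a_if tagged CUST_B

# Traffic leaving towards the WAN never meets a "tagged CUST_*" block
# on em0, so outbound Internet access stays unrestricted.
pass out quick on $cust_a_if
pass out quick on $cust_b_if
```

The price of this design is the one bimbar raises at the end of the thread: every flow between customer interfaces now has to pass an in rule on the entry interface and an out rule on the exit interface, so each additional customer adds a pair of `pass out` / `block out` lines to every other customer's interface, and a missing `set state-policy if-bound` silently turns the out rules into no-ops.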
Title: Re: Firewall Rules - WAN address/ net
Post by: coalbl4ck on April 07, 2022, 12:28:41 pm
Okay, I see.
I thought it would be a bigger deal, but having an "out" rule works just as well.

Your problem sounds interesting.
The labeling can be done via tags in the firewall rules, right?
Haven't found a use case yet where I could make use of them, unfortunately.
Title: Re: Firewall Rules - WAN address/ net
Post by: bimbar on April 08, 2022, 09:25:21 am
Out rules are a problem, since they have to match in addition to the in rules, and it makes the whole thing very complicated and hard to understand.