Hi
I am a newbie in Opnsense.
I made an alias with the ip addresses of my ipcams.
They are all connected to a switch, being lan2.
I would like to prevent them from connecting to the internet.
What am I doing wrong? I had destination wlan but later any.
Best regards
(https://uploads.tapatalk-cdn.com/20230225/dc7b5c6835a263c2121f48a3e8b1bbb6.jpg) (https://uploads.tapatalk-cdn.com/20230225/7f5e3daaa708383c0bff5bfe9f9259e0.jpg)
Sent from my SM-G998B using Tapatalk
Direction should be IN (from the LAN interface's perspective, the packets come in) and destination should probably be ANY, as WAN net is only one of the ISP's networks.
Unfortunately that didn't help.
I made an alias to a laptop to test it easier than with the cams.
But still no internet block.
(https://uploads.tapatalk-cdn.com/20230226/393affe5b8004e1c03a6b47c9af16a4a.jpg) (https://uploads.tapatalk-cdn.com/20230226/ba7e2094f961a497d2547bd4d3b01f10.jpg)
Sent from my SM-G998B using Tapatalk
Forget these screenshots: (https://uploads.tapatalk-cdn.com/20230226/56b3d510fc96e2acbce6457f54cb76bb.jpg) (https://uploads.tapatalk-cdn.com/20230226/4a95b687e8bb0c62a392a5a20195f142.jpg)
Sent from my SM-G998B using Tapatalk
Current situation
Still not working.
(https://uploads.tapatalk-cdn.com/20230226/c3f48c06240cee4e364130587554e666.jpg) (https://uploads.tapatalk-cdn.com/20230226/8df1feab68973d5314fcb1d217d3e181.jpg)
Sent from my SM-G998B using Tapatalk
In case your rules do not fire, you obviously have some rule(s) that are applied before those interface rules. You showed neither any of the automatic rules nor NAT rules.
Also, there are sections that are applied before the "interface" rules:
Please look at https://docs.opnsense.org/manual/firewall.html first and take a look at the "processing order" section. The "system" and "floating" rules are applied before the interface rules, even groups are higher in priority than interfaces. If there is any "quick" rule that allows LAN traffic, it will fire first.
From scratch, there is a special "Allow All" rule ONLY for the LAN interface that has to be disabled (but then, you have to define something equivalent yourself). It is mentioned in here: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules
Also, heed this warning:
Quote
NAT rules are always processed before filter rules! So for example, if you define a NAT: port forwarding rule without an associated rule, i.e. Filter rule association set to Pass, this has the consequence that no other rules will apply!
Creating firewall rules on OPNsense can be tricky for beginners; there are some guides out there that systematically show use cases like these:
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules
https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/
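As an added illustration of the processing order described above (this is not code from the thread or from OPNsense itself), here is a small Python model of first-match evaluation across the floating, group and interface sections, with quick rules stopping evaluation at the first match. The rule fields, the cam address range 192.168.2.32/27, the lan2 network and the sample packet are constructed assumptions:

```python
from ipaddress import ip_address, ip_network

# Constructed model of how OPNsense (pf) walks its rule sections: floating
# first, then interface groups, then the interface's own rules. A "quick"
# rule ends evaluation at its first match. Illustrative only, not OPNsense code.
SECTION_ORDER = ("floating", "group", "interface")

def rule_matches(rule, pkt):
    """True when every selector of the rule covers the packet."""
    return (rule["interface"] in ("any", pkt["interface"])
            and rule["direction"] in ("any", pkt["direction"])
            and ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"]))

def evaluate(rules, pkt):
    """Return (verdict, rule name); nothing matching means implicit deny."""
    verdict, winner = "block", "default deny"
    for section in SECTION_ORDER:          # section order beats list order
        for rule in rules:
            if rule["section"] != section or not rule_matches(rule, pkt):
                continue
            verdict, winner = rule["action"], rule["name"]
            if rule["quick"]:              # quick: first match decides
                return verdict, winner
    return verdict, winner                 # non-quick: last match decides

def rule(name, section, iface, direction, action, src, dst, quick=True):
    return dict(name=name, section=section, interface=iface, direction=direction,
                action=action, src=src, dst=dst, quick=quick)

CAMS = "192.168.2.32/27"   # constructed stand-in for the cam alias
FLOATING_ALLOW_ALL = rule("floating allow all", "floating", "any", "any",
                          "pass", "0.0.0.0/0", "0.0.0.0/0")
BLOCK_CAMS_IN = rule("block cams", "interface", "lan2", "in",
                     "block", CAMS, "0.0.0.0/0")
BLOCK_CAMS_OUT = rule("block cams (wrong direction)", "interface", "lan2", "out",
                      "block", CAMS, "0.0.0.0/0")
ALLOW_LAN2 = rule("lan2 allow any", "interface", "lan2", "in",
                  "pass", "192.168.2.0/24", "0.0.0.0/0")
RULESETS = {
    "as found": [FLOATING_ALLOW_ALL, BLOCK_CAMS_IN, ALLOW_LAN2],  # thread start
    "wrong direction": [BLOCK_CAMS_OUT, ALLOW_LAN2],              # rule as OUT
    "fixed": [BLOCK_CAMS_IN, ALLOW_LAN2],                         # floating off
}

def verdict(ruleset, src="192.168.2.40", dst="203.0.113.5"):
    """Constructed packet: a lan2 host sending toward an internet address."""
    pkt = dict(interface="lan2", direction="in", src=src, dst=dst)
    return evaluate(RULESETS[ruleset], pkt)
```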
Hi,
I received the device second hand, but freshly installed, as he said.
But there is a floating rule that I cannot explain for myself.
Quote from: gert23 on February 26, 2023, 12:34:10 PM
Hi,
I received the device second hand, but freshly installed, as he said.
But there is a floating rule that I cannot explain for myself.
That rule lets anything through from the LAN to (and also from) anywhere and, as such, is very unsafe.
I think this did the trick.
Even the connection to 192.168.0.1 didn't work anymore with the 4 rules.
Quote from: meyergru on February 26, 2023, 12:40:07 PM
Quote from: gert23 on February 26, 2023, 12:34:10 PM
Hi,
I received the device second hand, but freshly installed, as he said.
But there is a floating rule that I cannot explain for myself.
That rule lets anything through from the LAN to (and also from) anywhere and, as such, is very unsafe.
I don't know where this came from :-)
Sent from my SM-G998B using Tapatalk
Disabling that floating rule did the trick. Finally it reacts to my rules, and I see the traffic in Live View.
Thanks.