OPNsense Forum

English Forums => General Discussion => Topic started by: nikkon on March 07, 2023, 10:38:36 PM

Title: out rule question
Post by: nikkon on March 07, 2023, 10:38:36 PM
Hi all,
I have a few floating rules on both WAN (direction IN) and LAN (direction OUT) which are blocking one specific host on the LAN from reaching outside connections.
I don't want to disable the rules on LAN (this is where it happens). Instead, I tried excluding that particular host from the match by using invert. Something doesn't work and I have no clue what.

The blocking rule is Block DROP out 1 - LAN.
How can I exclude only one IP from matching this rule?

Title: Re: out rule question
Post by: Demusman on March 08, 2023, 12:40:32 AM
I would suggest learning how rules are applied.

If you want to block something on your LAN from going anywhere, you put the rule on the LAN interface.
Never use floating rules unless absolutely necessary.

Rules are evaluated on an interface from the network directly connected to that interface.
A block rule blocks traffic from entering that interface, and therefore stops it from going anywhere else.

Putting an "IN" rule on the WAN blocks traffic generated from outside the WAN (i.e. the internet) from entering the WAN, not traffic from the LAN exiting the WAN. Any traffic that hits the WAN from the LAN has already been allowed to exit the WAN.

So just put a block (or better yet a reject) rule on the LAN interface for the IP you want to deny outbound access to and you're done.
Title: Re: out rule question
Post by: nikkon on March 08, 2023, 11:29:32 AM
Thanks for your reply.

As you said, IN rules apply to WAN and OUT rules are applied to LAN.
Now my question is:
How can I exclude one single IP on the LAN (direction out) from matching the block rule that has the FireHOL1 list as its destination?
Title: Re: out rule question
Post by: Patrick M. Hausen on March 08, 2023, 11:42:02 AM
Quote from: nikkon on March 08, 2023, 11:29:32 AM
As you said, IN rules apply to WAN and OUT rules are applied to LAN.

No. IN and OUT rules are applied to packets coming IN a particular interface or going OUT that interface.

So packets from your LAN clients to the Internet come IN to the LAN interface. So an IN rule on LAN must be created.
Title: Re: out rule question
Post by: Demusman on March 08, 2023, 12:19:13 PM
Quote from: nikkon on March 08, 2023, 11:29:32 AM
Thanks for your reply.

As you said, IN rules apply to WAN and OUT rules are applied to LAN.
Now my question is:
How can I exclude one single IP on the LAN (direction out) from matching the block rule that has the FireHOL1 list as its destination?

I never said that; it's how you're thinking it works, and it isn't.
As said by pmhausen, they both apply to the same interface.
You would never use the "OUT" direction in any rule other than floating, and to be honest shouldn't even be an option anywhere else.

So thinking that an OUT of LAN then goes to an IN of Wan is not correct.
IN will always be into the interface from the directly connected network of that interface.
LAN IN = from devices on the LAN.
WAN IN = from devices on the internet (and the WAN Net, which is only the subnet connected to the WAN interface).
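The interface and direction semantics described in the two replies above, as an added example that is not part of this thread and not OPNsense code: a small Python model of how pf walks the rules OPNsense generates. It shows that a rule with direction OUT on LAN is never consulted for a LAN host talking to the internet (that packet is evaluated IN on LAN, then OUT on WAN), that the block belongs on LAN IN above the default allow rule, how a single host is exempted with a quick pass rule placed above the block, and why a floating block rule without "quick" is overridden by the later LAN allow rule. The addresses, the FireHOL1 stand-in, the rule sets and the `forward` shortcut that answers the OUT stage from state (floating-state behaviour) are constructed assumptions for illustration; the pf.conf-style lines in the comments are the equivalent rule syntax.

```python
"""Toy model of pf's rule walk as driven by OPNsense. Constructed example,
not OPNsense code: addresses, alias contents and rule sets are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Sequence, Tuple

ANY = ("any",)
LAN_NET = ("192.168.1.0/24",)
FIREHOL1 = ("203.0.113.0/24", "198.51.100.0/24")   # stand-in for the alias


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in": entering iface, "out": leaving iface
    iface: str                  # "lan" or "wan"
    src: Sequence[str] = ANY    # IPs/CIDRs, or ("any",)
    dst: Sequence[str] = ANY
    quick: bool = True          # interface rules are quick in OPNsense;
                                # floating rules are not unless ticked


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str                # interface the first packet arrives on
    egress: str                 # interface it would leave on


def stages(pkt: Packet) -> Tuple[Tuple[str, str], ...]:
    """The (direction, interface) pairs at which pf evaluates this packet."""
    return (("in", pkt.ingress), ("out", pkt.egress))


def _in_any(addr: str, specs: Sequence[str]) -> bool:
    return any(s == "any" or ip_address(addr) in ip_network(s, strict=False)
               for s in specs)


def _matches(rule: Rule, pkt: Packet, direction: str, iface: str) -> bool:
    return (rule.direction == direction and rule.iface == iface
            and _in_any(pkt.src, rule.src) and _in_any(pkt.dst, rule.dst))


def evaluate(rules: Sequence[Rule], pkt: Packet, direction: str, iface: str,
             default: str = "block") -> str:
    """Rules are walked top to bottom: the last matching rule wins, unless a
    matching rule is quick, which ends the walk immediately."""
    decision = default
    for rule in rules:
        if _matches(rule, pkt, direction, iface):
            decision = rule.action
            if rule.quick:
                break
    return decision


def forward(rules: Sequence[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-packet decision with 'keep state': if the IN stage on the ingress
    interface passes, state is created and the OUT stage on the egress side is
    answered from the state table (floating-state simplification, assumed)."""
    direction, iface = stages(pkt)[0]
    if evaluate(rules, pkt, direction, iface) == "block":
        return "block", f"{direction} on {iface}"
    return "pass", f"state from {direction} on {iface}"


# Rule sets, top to bottom as in the GUI; pf.conf-style equivalents in comments.
DEFAULT_LAN_ALLOW = Rule("pass", "in", "lan", LAN_NET, ANY)  # pass in quick on lan from 192.168.1.0/24 to any

OUT_ON_LAN = (           # the thread's original setup: direction OUT on LAN
    Rule("block", "out", "lan", LAN_NET, FIREHOL1),          # block out quick on lan from 192.168.1.0/24 to <firehol1>
    DEFAULT_LAN_ALLOW,
)
IN_ON_LAN = (            # the fix: block on LAN IN, above the allow rule
    Rule("block", "in", "lan", LAN_NET, FIREHOL1),           # block in quick on lan from 192.168.1.0/24 to <firehol1>
    DEFAULT_LAN_ALLOW,
)
EXEMPT_HOST = "192.168.1.10"
WITH_EXEMPTION = (       # one host exempted: a quick pass rule above the block
    Rule("pass", "in", "lan", (EXEMPT_HOST,), FIREHOL1),      # pass in quick on lan from 192.168.1.10 to <firehol1>
    Rule("block", "in", "lan", LAN_NET, FIREHOL1),
    DEFAULT_LAN_ALLOW,
)
FLOATING_NON_QUICK = (   # floating block without quick: the later pass wins
    Rule("block", "in", "lan", LAN_NET, FIREHOL1, quick=False),
    DEFAULT_LAN_ALLOW,
)


def lan_to(src: str, dst: str) -> Packet:
    return Packet(src, dst, "lan", "wan")


if __name__ == "__main__":
    host, listed, clean = "192.168.1.50", "203.0.113.7", "192.0.2.80"
    print("stages for LAN -> Internet:", stages(lan_to(host, listed)))
    for name, rules in [("OUT on LAN", OUT_ON_LAN), ("IN on LAN", IN_ON_LAN),
                        ("with exemption", WITH_EXEMPTION),
                        ("floating, not quick", FLOATING_NON_QUICK)]:
        for src in (host, EXEMPT_HOST):
            print(f"{name:20} {src} -> {listed}: {forward(rules, lan_to(src, listed))}")
        print(f"{name:20} {host} -> {clean}: {forward(rules, lan_to(host, clean))}")
```

Running it shows the OUT-on-LAN set passing the LAN host to the listed address (the rule is simply never reached), the IN-on-LAN set blocking it while leaving other destinations alone, the exemption set blocking every LAN host except the one pass-listed above the block, and the non-quick floating block being overridden by the default allow rule. In the real GUI the same ordering matters: the exempting pass rule must sit above the block rule on the LAN tab, and a floating block needs "quick" ticked if a later interface rule would otherwise let the traffic through.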
Title: Re: out rule question
Post by: nikkon on March 08, 2023, 03:05:24 PM
I understood it wrong.
Now it's clear. In this case this exception is not even needed.
Thank you.