OPNsense Forum

English Forums => General Discussion => Topic started by: KCarter on March 08, 2023, 07:26:02 PM

Title: Can't create a rule to let everything from a specific subnet out of WAN (Solved)
Post by: KCarter on March 08, 2023, 07:26:02 PM
I need help figuring this out. On my OPNSense firewall I have several cards with each supplying a different subnet to the machines on each card. OPNSense supplies DHCP to those cards.

I created (tried) to create a rule on the OPNSense WAN to let any and everything on a particular card (LAN 4 subnet) go unfiltered out of the WAN. This rule is the first rule on the WAN. But, this rule has no effect. With the rule in place as the first rule, the next rule/s are still hit.

Here is what I tried,

1. Everything in the rule set to any, except for source which is set to that LAN card. Didn't work.
2. Everything in the rule set to any, except for source which is set to an alias, set to that subnet. Didn't work.

The clue to the problem became apparent when I looked at the Live Log Viewer in OPNsense for the WAN. Everything coming out of the WAN from the installed LAN cards (their associated subnets) has a source IP as the WAN itself !!!

How can I tell the WAN to act on a rule when it's for a particular subnet when the WAN filter is not showing the source address as that subnet?

Thanks
K. Carter Sr.

Title: Re: Help -- Can't create a rule to let everything from a specific subnet out of WAN
Post by: Demusman on March 08, 2023, 08:15:14 PM
"How can I tell the WAN to act on a rule when it's for a particular subnet when the WAN filter is not showing the source address as that subnet?"

You can put the rule on the correct interface.
Putting a rule on the WAN lets traffic into the WAN from the internet. You don't want that.

Rules are evaluated on the traffic entering that interface from the directly connected network on that interface.
So if you want to allow LAN4 traffic to go anywhere, you put a rule on the LAN4 interface allowing traffic to go anywhere.
So WAN IN is traffic from the network(s) connected to the WAN (ie internet)
LAN IN is traffic from the devices on the LAN.
You would never use a direction of OUT on an interface.

So you would want a pass rule on interface LAN4. An ANY rule would allow traffic from LAN4 to the internet and any other interfaces on the router. So if you don't want LAN4 to access LAN1, put a block rule above any pass rules.
Get it?
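The same placement in pf.conf syntax, as an added illustration of what the GUI rules in the reply above generate underneath; this is not part of the thread, and the interface names (em0/em1/em4), the subnets and the use of "quick" first-match rules are assumptions for the example:

```pf
# Added example, not from the thread. Interface names and subnets are assumed.
wan  = "em0"
lan1 = "em1"
lan4 = "em4"
lan1_net = "192.168.1.0/24"
lan4_net = "192.168.4.0/24"

# Outbound NAT is applied on $wan before any filter rule on $wan sees the
# packet leaving, so the WAN live log shows ($wan) as the source, not $lan4_net.
nat on $wan from { $lan1_net, $lan4_net } to any -> ($wan)

# Default deny; every interface-bound rule below is "quick" (first match wins).
block log all

# WAN: rules here see packets ENTERING from the Internet side. The rule the
# original poster tried can never match, because LAN4 hosts' packets never
# enter on $wan:
#   pass in quick on $wan from $lan4_net to any    # matches nothing

# LAN4: rules here see packets entering from LAN4 hosts. Order matters:
# the block for LAN1 must sit above the pass-any rule.
block in quick log on $lan4 from $lan4_net to $lan1_net
pass  in quick     on $lan4 from $lan4_net to any keep state

# LAN1: likewise, filter LAN1 hosts where their packets enter.
pass  in quick     on $lan1 from $lan1_net to any keep state
```

In the OPNsense GUI this corresponds to Firewall > Rules > LAN4 with direction "in" (the default): a block rule to the LAN1 network first, then a pass rule to any. Nothing is placed on WAN for LAN4's outbound traffic; the reply state created on $lan4 lets the return packets back in.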
Title: Re: Help -- Can't create a rule to let everything from a specific subnet out of WAN
Post by: KCarter on March 08, 2023, 09:03:52 PM
You would never use a direction of OUT on an interface.

I get it now. I'll have to redo my whole rules setup, no problem. I have no reason to doubt it. However, if this is true then why do I see this being done everywhere in forums, chats, and information I've seen online?

Can you give a source for this modus operandi?

Thanks
K. Carter Sr.
Title: Re: Help -- Can't create a rule to let everything from a specific subnet out of WAN
Post by: Demusman on March 08, 2023, 09:36:21 PM
Just search for how pf works.

As far as "this being done every where", are you talking about pf or other firewalls?
Most other firewalls do the opposite of pf so that's why there's always posts like yours saying "this worked on my last firewall, how come it doesn't here?" etc.

It's a different way of doing it but it's the way pf does it.

Actually, you can just search this forum.
I just posted in another thread today about the same thing.
The OP thought that LAN OUT traffic then becomes WAN IN traffic. It doesn't.
Traffic IN will always be from the network directly connected to that interface.
Title: Re: Help -- Can't create a rule to let everything from a specific subnet out of WAN
Post by: Patrick M. Hausen on March 08, 2023, 09:38:28 PM
It's the default configuration your OPNsense installation came with. It's described in the official documentation. It's what every regular on this forum will tell you and others again and again and again.

I don't know what other forums, chats and online information you are referring to, but I dare conclude that these obviously are bull*

Why people go to YouTube videos on any software product instead of the official docs always fails me.

Here's the source for this product: https://docs.opnsense.org

Kind regards,
Patrick
Title: Re: Help -- Can't create a rule to let everything from a specific subnet out of WAN
Post by: Patrick M. Hausen on March 08, 2023, 09:44:21 PM
Quote from: Demusman on March 08, 2023, 09:36:21 PM
As far as "this being done every where", are you talking about pf or other firewalls?
Most other firewalls do the opposite of pf so that's why there's always posts like yours saying "this worked on my last firewall, how come it doesn't here?" etc.

It's a different way of doing it but it's the way pf does it.
Sorry, but ALL packet filtering firewalls I worked with in the last 35 years (yes!) work exactly that way. Rules match as they see packets per interface.

Predominantly commercial products put another layer of abstraction on top of that so you can create rules like "from internal zone to Internet zone" (that would be Sidewinder for example) but if you explicitly use packet filters it's IN - as seen on that particular interface, OUT - as seen on that particular interface.

pf, ipfw, iptables, ipchains, Livingston Portmaster, Cisco IOS, Juniper JunOS, ...

Nothing special about pf here. Take Cisco IOS ACLs. Exactly the same. There was a time when only IN rules went through CEF while all OUT rules were punted to the control plane CPU. So OUT rules were always discouraged.

Kind regards,
Patrick
Title: Re: Help -- Can't create a rule to let everything from a specific subnet out of WAN
Post by: KCarter on March 08, 2023, 09:47:22 PM
Yes, I just found your other posts even before you replied.

Title: Re: Help -- Can't create a rule to let everything from a specific subnet out of WAN
Post by: KCarter on March 08, 2023, 09:57:43 PM
I just called and asked a guy who is the head of networking and infrastructure for a large corp. (really didn't want to bother him, but...), and he disagreed with what you said. They use all Cisco equipment. However, I'm just a tiny OPNSense/PF home user and I'm just going to do what you said because it makes sense to me. I'm redoing all of my firewall rules now.

Thanks
K. Carter Sr.
Title: Re: Can't create a rule to let everything from a specific subnet out of WAN (Solved)
Post by: Patrick M. Hausen on March 08, 2023, 10:16:00 PM
Cisco IOS or Cisco firewalls? As I said commercial products regularly put another abstraction layer on top of the packet filter.