OPNsense Forum

English Forums => General Discussion => Topic started by: Onkel-tobi on June 14, 2023, 06:14:15 AM

Title: configuration for stateful FW rules
Post by: Onkel-tobi on June 14, 2023, 06:14:15 AM
Hi all,

I am just wondering why I have to create rules for the way back.
I have 6 ports (1 WAN, 5 different ports with 8 VLANs in all) configured.
For each VLAN a single gateway is configured (is that really needed, as it seems to make no difference?).

Then I have created default block rules for incoming traffic.
Now I want to access an HTTP site from VLAN A to B and created a rule for that.
But in the log I can now see that in this example the traffic is going to VLAN B, but then it is blocked on interface B on going out.

I thought that by default the way OPNsense does it would be stateful, so if a client from VLAN A is initiating the traffic, I don't need to create rules for the way back?

Does anyone have a hint on that?

Thanks,
Tobi
Title: Re: configuration for stateful FW rules
Post by: chemlud on June 14, 2023, 10:45:54 AM
Stateful means: the reply is allowed OOTB. Best guess without screenshots: rules on the wrong interface and/or wrong direction (in/out)...
Title: Re: configuration for stateful FW rules
Post by: Onkel-tobi on June 16, 2023, 08:58:31 AM
Sorry, I was only on mobile and away.
After further investigation I found out the following:
If you look at the block in the attachment, you can see that the request is not coming from the client net as source but from the GW address of the "dreck" network.
I also added the rules for the client VLAN, which is the network of my client PC, and I am trying to access an address (192.168.177.60) at the dreck VLAN.

regards,
Tobi
Title: Re: configuration for stateful FW rules
Post by: chemlud on June 16, 2023, 09:06:47 AM
The last FW and "HAnet" rules on Dreck are wrong; the direction has to be "in", not "out"... Don't use "out" rules (unless you 100% know what you are doing...); in 99.99% of use cases they are the wrong choice...
Title: Re: configuration for stateful FW rules
Post by: Onkel-tobi on June 16, 2023, 09:09:20 AM
Thanks for your answer.
I wanted to deny all traffic by default out of the dreck network.
So how should I best do that?
Or will this be done by the default deny?
Title: Re: configuration for stateful FW rules
Post by: Patrick M. Hausen on June 16, 2023, 09:14:27 AM
Interface: dreck
Source: any
Destination: any
Direction: in
Action: deny

Or simply no rule on that interface at all because deny is the default.

In/out is to be read as seen by the firewall. A packet originating in the "dreck" network is coming in the "dreck" interface.
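As an added illustration, not from the thread and not OPNsense's own generated ruleset, the same rules written in pf syntax (the packet filter OPNsense runs underneath), with the wrong "out" rule shown commented out beside the correct "in" rule. Interface names and the client subnet are assumed; only 192.168.177.60 comes from the thread.

```pf
# Constructed example: interface names and the client subnet are assumptions.
# Direction is always as seen by the firewall: "in" on an interface means
# packets arriving from that interface's network.
clientvlan = "vlan10"            # assumed interface of the client VLAN
dreck      = "vlan20"            # assumed interface of the "dreck" VLAN
client_net = "192.168.10.0/24"   # assumed client subnet
dreck_host = "192.168.177.60"    # host from the thread

# Default deny: anything not explicitly passed is dropped and logged.
block log all

# WRONG: an "out" rule on dreck. The forwarded request from the client VLAN
# leaves the firewall through dreck, so this rule matches the legitimate
# request and blocks it. This is what the log in the thread showed.
# block out log on $dreck all

# RIGHT: traffic that originates in the dreck network arrives "in" on the
# dreck interface. This rule is equivalent to having no pass rule there.
block in log on $dreck all

# Allow HTTP from the client VLAN to the dreck host. pf pass rules keep
# state by default; it is spelled out here. The state entry created by
# the first SYN lets the replies through on both interfaces, so no rule
# for the return direction is needed.
pass in quick on $clientvlan proto tcp from $client_net to $dreck_host port 80 keep state
```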

Title: Re: configuration for stateful FW rules
Post by: Onkel-tobi on June 16, 2023, 09:18:24 AM
Ah ok, that was overlapping. Yes, great.
After I disabled that rule and checked the logs, I can confirm that this traffic from the client to the dreck device is working and the default deny also works for everything else.
Thanks for your support!