I am having difficulty understanding the logic of OPNSense firewall rules. Based on my experience with FortiGate, I configured the following rules in OPNSense, but they are not working as expected in OPNSense. I need help from an expert to troubleshoot the issue.
My requirements are:
1. Allow a specific IP address range to access the internet
2. Block a specific IP address from accessing the specific network devices
My OPNSense firewall rule configuration:
**Rule 1**
Interface: LAN
Direction: In
Source: Private IP scope alias
Destination: WAN
Source to destination port: Any
Action: Allow
**Rule 2**
Interface: LAN
Direction: In
Source: Host IP address
Destination: Network Devices IP address Alias
Source to destination port: Any
Action: Block
Firewall rules are first match wins. If you create an allow rule and it matched before a block rule, then the allow rule wins.
Your basic structure could be:
- The most specific rules should come first (e.g. one source host to one destination host)
- The most permissive rules should be last (e.g. any source to any destination)
- Block rules should be at the right spot, most of the time between the most specific and the most permissive rules, so that they can match and block before it is allowed by the most permissive allow rules.
- Creating an Alias with the RFC1918 networks and using that alias as inverted destination in the internet allow rule (opposed to "wan" or "any" as destination) makes many block rules obsolete.
There is no destination "WAN". And everything with WAN only means the WAN-address and that network, which is never the whole internet. Internet is always "any".
Quote from: Monviech on September 24, 2023, 10:05:47 AM
Firewall rules are first match wins. If you create an allow rule and it matched before a block rule, then the allow rule wins.
That's usually the case unless you've unchecked Quick when creating a rule.
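A small simulation of the first-match-wins evaluation and the Quick behaviour discussed in the two replies above, added here as an example (it is not code from any post in this thread or from OPNsense itself); the addresses and alias contents are constructed stand-ins for the aliases in the question.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    name: str
    action: str            # "pass" or "block"
    src: list              # ip_network objects; empty list means "any"
    dst: list              # ip_network objects; empty list means "any"
    dst_invert: bool = False   # the "Destination / Invert" checkbox
    quick: bool = True         # OPNsense default: Quick is checked

    def matches(self, src_ip, dst_ip):
        src_hit = not self.src or any(src_ip in net for net in self.src)
        dst_hit = not self.dst or any(dst_ip in net for net in self.dst)
        if self.dst and self.dst_invert:
            dst_hit = not dst_hit
        return src_hit and dst_hit

def evaluate(rules, src, dst):
    """pf semantics: the first matching rule with Quick set decides; a match
    without Quick is remembered and a later match may override it; if nothing
    matches, the implicit default deny applies. Returns (action, rule name)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = ("block", "default deny")
    for r in rules:
        if r.matches(src_ip, dst_ip):
            decision = (r.action, r.name)
            if r.quick:
                break
    return decision

# Constructed sample addresses standing in for the aliases in the question.
n = ipaddress.ip_network
LAN_SCOPE = [n("10.0.0.0/24")]                    # "Private IP scope" alias
DEVICES = [n("10.0.1.10/32"), n("10.0.1.11/32")]  # "Network Devices" alias
BAD_HOST = [n("10.0.0.50/32")]                    # the host that must not reach them

# Order as posted: the allow-to-any rule sits above the block and shadows it
# (destination "WAN" is modelled as "any", which is what Internet access needs).
op_rules = [Rule("allow internet", "pass", LAN_SCOPE, []),
            Rule("block host->devices", "block", BAD_HOST, DEVICES)]

# Reordered: the specific block first, and the allow rule's destination is the
# inverted RFC1918 alias, so LAN-to-LAN traffic never matches the Internet rule.
fixed_rules = [Rule("block host->devices", "block", BAD_HOST, DEVICES),
               Rule("allow internet", "pass", LAN_SCOPE, RFC1918, dst_invert=True)]
```

With the posted order, traffic from the blocked host to a device is passed by the first rule and the block never gets a chance; with the reordered set the block matches first, and ordinary LAN-to-LAN traffic falls through to the default deny instead of being caught by the Internet rule.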