Hello,
I've been using BIND and unbound as well as running SNMP, NTP and a few other services on my install. Recently I added a backup Internet connection and followed the "Multi WAN" instructions in the OPNsense documentation. Step 5 explains that I need to add a rule for DNS to work. After this I noticed several other services weren't working and ended up creating a bunch of new rules in order to get them working again. This seems somehow wrong to me even though it works. What I ended up with looks like the attached.
Is there something else I should have done instead?
The firewall rules are first match if "quick" is enabled. So the first rule that matches the specified traffic will stop evaluation of any further rules. Only use "direction in" rules.
The LAN allow any rule with the Gateway set matches all traffic and sends it to that gateway. This rule should definitely be last, otherwise no rule after it will match.
Also, for the internet IPv4 rule it should be best practice to create an alias with the RFC1918 nets and use it as an inverted destination, so the internet allow rule that sends traffic to the explicit gateway only matches on public IP addresses.
You can do the same with your internet IPv6 rule, inverting an alias of the IPv6 prefix you have.
I would generally avoid any rule that has "any" destination. And if not, then always have it match last.
Edit: Here are some additional hints:
Aliases:
Name: InternetIPv4
Type: Network(s)
Content: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
Description: Internet IPv4 - use inverted
Note
The InternetIPv6 alias needs to be your own IPv6 network.
Name: InternetIPv6
Type: Network(s)
Content: 2001:db8:1234::/48
Description: Internet IPv6 - use inverted
The last matching rules can allow Internet. But don't use any other any/any rules before them.

Action: Pass
Interface: LAN
Direction: In
TCP/IP Version: IPv4
Protocol: Any
Source: LAN net
Source port: Any
Destination / Invert: X
Destination: InternetIPv4
Destination port: Any
Gateway: Your Gateway
Description: Allow Internet Access IPv4

Action: Pass
Interface: LAN
Direction: In
TCP/IP Version: IPv6
Protocol: Any
Source: LAN net
Source port: Any
Destination / Invert: X
Destination: InternetIPv6
Destination port: Any
Description: Allow Internet Access IPv6
By setting Destination / Invert you invert the match of the alias. Don't use "Any" as Destination to the Internet, since it also includes all networks that are locally attached to your firewall.
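To make the first-match behaviour and the inverted-alias trick concrete, here is an added example (not part of the thread and not OPNsense code) that models the two LAN rule sets discussed above as a tiny "quick" evaluator. The InternetIPv4 and InternetIPv6 alias contents are taken from the post; the LAN networks, the firewall's own LAN addresses, the gateway names WAN_GW/WAN6_GW, the rule descriptions and the probe packets are all assumptions constructed for the example.

```python
"""Toy pf-style first-match evaluator for the LAN rule sets discussed above.

Added example, not OPNsense code. InternetIPv4/InternetIPv6 follow the post;
'LAN net', 'LAN address' and the gateway names are assumed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Aliases as they would be defined under Firewall > Aliases (constructed).
ALIASES = {
    # From the post: RFC1918 plus loopback, intended to be used with Destination/Invert.
    "InternetIPv4": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"],
    # Placeholder prefix from the post; must be replaced by your own delegated prefix.
    "InternetIPv6": ["2001:db8:1234::/48"],
    # Assumed LAN networks and the firewall's own LAN addresses.
    "LAN net": ["192.168.1.0/24", "2001:db8:1234:1::/64"],
    "LAN address": ["192.168.1.1/32", "2001:db8:1234:1::1/128"],
}


@dataclass
class Rule:
    description: str
    src: str                        # alias name or "any"
    dst: str                        # alias name or "any"
    ipver: int = 0                  # 4, 6, or 0 for IPv4+IPv6
    dst_invert: bool = False        # the Destination / Invert checkbox
    dport: Optional[int] = None     # None means any port
    gateway: Optional[str] = None   # None means the default routing table


def _in_alias(name: str, addr) -> bool:
    if name == "any":
        return True
    nets = (ipaddress.ip_network(n) for n in ALIASES[name])
    return any(addr in n for n in nets if n.version == addr.version)


def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> Optional[Rule]:
    """Return the first matching rule (all rules are 'quick'), or None for default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.ipver not in (0, d.version) or not _in_alias(r.src, s):
            continue
        dst_hit = _in_alias(r.dst, d)
        if r.dst_invert:                # invert flips the alias match
            dst_hit = not dst_hit
        if not dst_hit or (r.dport is not None and r.dport != dport):
            continue
        return r
    return None


def chosen_gateway(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Where the packet goes: a named gateway, 'default' (routing table) or 'DROP'."""
    r = first_match(rules, src, dst, dport)
    if r is None:
        return "DROP"
    return r.gateway or "default"


def shadowed(rules: List[Rule]) -> List[str]:
    """Rules placed behind an earlier catch-all (same source, 'any' destination, any port)."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e.dst == "any" and e.dport is None and not e.dst_invert
                    and e.src in ("any", r.src) and e.ipver in (0, r.ipver)):
                out.append(r.description)
                break
    return out


# Rule set A: an "any" destination rule carrying a gateway, with one DNS exception
# above it. Everything else to the firewall itself is policy-routed out WAN_GW and
# rules placed after the catch-all never match.
RULES_ANY_DST = [
    Rule("Allow DNS to firewall", "LAN net", "LAN address", ipver=4, dport=53),
    Rule("Allow LAN any -> WAN_GW", "LAN net", "any", ipver=4, gateway="WAN_GW"),
    Rule("Allow SNMP to firewall (never reached)", "LAN net", "LAN address", ipver=4, dport=161),
]

# Rule set B: the post's recommendation. Local traffic is handled by ordinary rules
# and the gateway rules, last, only match destinations outside the inverted alias.
RULES_INVERTED = [
    Rule("Allow LAN to firewall services", "LAN net", "LAN address"),
    Rule("Allow Internet Access IPv4", "LAN net", "InternetIPv4", ipver=4,
         dst_invert=True, gateway="WAN_GW"),
    Rule("Allow Internet Access IPv6", "LAN net", "InternetIPv6", ipver=6,
         dst_invert=True, gateway="WAN6_GW"),
]

if __name__ == "__main__":
    for name, rs in (("any-dst", RULES_ANY_DST), ("inverted", RULES_INVERTED)):
        print(name, "SNMP to firewall ->", chosen_gateway(rs, "192.168.1.50", "192.168.1.1", 161))
        print(name, "HTTPS to 1.1.1.1 ->", chosen_gateway(rs, "192.168.1.50", "1.1.1.1", 443))
        print(name, "shadowed:", shadowed(rs))
```

Running it shows the failure the original poster hit: with rule set A an SNMP packet to the firewall's own LAN address matches the "any" rule and is handed to WAN_GW, while with rule set B it falls under the plain local rule and follows the routing table; Internet-bound traffic is policy-routed in both cases. Note that under rule set B a packet to another RFC1918 network (say 10.5.5.5) matches nothing and is dropped, which is the point: reaching other local or VPN networks needs its own explicit rule rather than a catch-all.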
Thanks for the feedback Monviech! I appreciate your insight.