Hey,
So I am not a networking expert but I am hoping to get some assistance with an issue I am dealing with. Currently I have a mini PC with multiple ports and one port I labelled as a LAN port with subnet 10.0.0.0/24; the main LAN is 192.168.1.1.
I can't seem to get internet going on this LAN and I think my rules are wrong; even a simple ping would work for a bit and then fail entirely.
I currently have the LAB network, any port going to the WAN address as destination with any port for port and gateway.
Is that the wrong rule?
For Internet access, destination must be 'any', not 'WAN address'.
Cheers
Maurice
As Maurice said, the destination field in the rule can't be WAN for this; the WAN specifies the FW WAN interface IP.
So by your rule traffic only to the WAN IP is permitted and not to the Internet. You need to put ANY, or if you want only Internet access while blocking LAN communication between hosts, you can do it via an Alias using inverse match in the rule.
Regards,
S.
I just made the change and I still can't seem to load any webpage. Do I need to have any other rules for internet access?
Is this a physical or VM installation?
OPNsense is on a physical machine, a tiny mini PC with 6 ports. I plugged a laptop directly into it and it's getting a DHCP lease but no access to the internet.
I asked because I had a similar problem on a VM.
I solved the problem by restoring the hard disk from a backup of 4 days ago.
Quote from: bloodyskullz on October 11, 2023, 04:09:40 AM
[...] and gateway.
Did you specify a gateway in the firewall rule? Don't do that unless you know what you're doing (policy-based routing).
Quote from: Maurice on October 11, 2023, 06:01:29 PM
Quote from: bloodyskullz on October 11, 2023, 04:09:40 AM
[...] and gateway.
Did you specify a gateway in the firewall rule? Don't do that unless you know what you're doing (policy-based routing).
Currently set to default at the moment.
please show your interface definition and its rules.
Also your DNS settings for system and your resolver i.e. Unbound or what you setup.
Any diagnostic done so far would be helpful like a dig or nslookup from a client on the new network.
Sorry but are you looking for screenshots or a CLI output?
Only DNS settings I have made were for the DHCP scope which is the same that I did for the main LAN (multiple ports are setup via lan bridge mode).
I don't know what Unbound is and I never messed with any of those settings.
Tracert results from a Windows system:
Quote
C:\Windows\System32>tracert 1.1.1.1
Tracing route to 1.1.1.1 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
May we see your specific rules for this LAN?
Screenshot of the rules section for the Lab portion is attached
The direction of the first rule is wrong. This must be an 'in' rule (from the LAB net into OPNsense).
This also makes the second rule redundant.
I'm confused as to how this actually worked (ignorance kicking in at the moment) as it isn't making sense to me.
For "Alternate hostnames" I specified both my LAN and LAB gateways which allows me to ping both subnets but the traffic to each should still be segregated right?
Try this instead of your current rules:
Create an ACL containing all local (RFC1918) address ranges which you do not want addressed from the LAB, assuming it is this one you want isolated (else as applicable). I'll call it no_go for the example.
Create a Pass rule for your LAB interface: direction in, source/invert unchecked, source any, dest/invert checked, dest "no_go", dest port any.
This will give access to the WAN and to anything not in your no_go ACL.
You can add a Block rule below which is source "LAB net" dest any to catch anything else.
I use this for my IoT which is allowed out to WAN and nowhere else, with nothing incoming to it. I can still access IoT devices from LAN of course.
Edited to mention Pass and Block
Segregation is achieved via splitting up the networks, either L2 via VLANs or L3 via Networks; both of them are usually used together.
If you have split networks for LAB and LAN, assuming you have 2 L3 Interfaces, one for each specific Network: firewalls essentially filter traffic in two directions, INbound and OUTbound. By default INbound has an implicit DENY on the interface/zone; you need to create an INbound RULE on the specific Interface to ALLOW the traffic you want (OUTbound is ALLOWed by default).
Currently those RULES you have in place only ALLOW ICMP traffic towards this Firewall.
Regards,
S.
Quote from: passeri on October 12, 2023, 03:39:40 AM
Try this instead of your current rules:
Create an ACL containing all local (RFC1918) address ranges which you do not want addressed from the LAB, assuming it is this one you want isolated (else as applicable). I'll call it no_go for the example.
This confused me, I know what an ACL is but the RFC stuff made me go blank.
Quote from: passeri on October 12, 2023, 03:39:40 AM
Create a Pass rule for your LAB interface: direction in, source/invert unchecked, source any, dest/invert checked, dest "no_go", dest port any.
This will give access to the WAN and to anything not in your no_go ACL.
You can add a Block rule below which is source "LAB net" dest any to catch anything else.
I use this for my IoT which is allowed out to WAN and nowhere else, with nothing incoming to it. I can still access IoT devices from LAN of course.
Edited to mention Pass and Block
Currently I only have LAB and LAN, so the ultimate goal is LAB = internet access and nothing else in LAN;
LAN = access to everything else.
By your suggestion of the rules, I could substitute no_go for LAN net (hoping I understood all that correctly).
Sorry :)
RFC1918 is short for these addresses to enter in your no_go ACL: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
It is discussed under "Private network" on Wikipedia.
Remember to invert that ACL destination. Source is any, IN to the Lab address.
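To make the rule discussion in this thread concrete (Maurice's point that "WAN address" only matches the firewall's own WAN IP, the "in" versus "out" direction mistake, and passeri's inverted no_go alias built from the RFC1918 ranges), here is an added example that models OPNsense's first-match rule evaluation on the LAB interface. It is not code from the thread or from OPNsense; it is a simplified simulator. The WAN IP 203.0.113.7 and the client 10.0.0.5 are constructed values; the LAB and LAN subnets are the ones from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses (not from the thread): the firewall's WAN IP is assumed
# to be 203.0.113.7. LAB 10.0.0.0/24 and LAN 192.168.1.0/24 are from the post.
WAN_ADDRESS = ipaddress.ip_network("203.0.113.7/32")
LAB_NET = ipaddress.ip_network("10.0.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# The RFC1918 ranges named in the thread, used as the "no_go" alias.
NO_GO = [ipaddress.ip_network(n)
         for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                                    # "pass" or "block"
    direction: str                                 # "in" (entering the firewall on this interface) or "out"
    interface: str                                 # interface the rule is bound to, e.g. "LAB"
    source: Optional[List[ipaddress.IPv4Network]]  # None means "any"
    dest: Optional[List[ipaddress.IPv4Network]]    # None means "any"
    dest_invert: bool = False                      # the "dest / invert" checkbox


def _hit(nets, addr):
    """True when addr falls in any listed network; None stands for 'any'."""
    return True if nets is None else any(addr in n for n in nets)


def evaluate(rules, interface, direction, src, dst):
    """First matching rule wins (OPNsense rules are 'quick' by default);
    nothing matching means the implicit inbound deny applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.interface != interface or r.direction != direction:
            continue
        if not _hit(r.source, src):
            continue
        dest_ok = _hit(r.dest, dst)
        if r.dest_invert:
            dest_ok = not dest_ok
        if dest_ok:
            return r.action
    return "block"


# 1. The original post's rule: destination "WAN address".
RULES_WAN_ADDR = [Rule("pass", "in", "LAB", None, [WAN_ADDRESS])]
# 2. After the first fix: destination "any" (Internet works, but LAN is reachable too).
RULES_ANY = [Rule("pass", "in", "LAB", None, None)]
# 3. The same pass rule bound as "out": it never sees traffic entering from LAB.
RULES_WRONG_DIR = [Rule("pass", "out", "LAB", None, None)]
# 4. passeri's suggestion: pass to anything NOT in no_go, then block the rest.
RULES_NO_GO = [
    Rule("pass", "in", "LAB", None, NO_GO, dest_invert=True),
    Rule("block", "in", "LAB", [LAB_NET], None),
]


def lab_client_outcomes(rules, client="10.0.0.5"):
    """Evaluate one LAB client (constructed address) against representative destinations."""
    targets = {
        "internet": "1.1.1.1",
        "wan_ip": "203.0.113.7",
        "lan_host": "192.168.1.10",
        "lab_gateway": "10.0.0.1",  # the firewall's own LAB address
    }
    return {name: evaluate(rules, "LAB", "in", client, ip) for name, ip in targets.items()}


if __name__ == "__main__":
    for label, rs in [("dest=WAN address", RULES_WAN_ADDR), ("dest=any", RULES_ANY),
                      ("direction=out", RULES_WRONG_DIR), ("invert no_go", RULES_NO_GO)]:
        print(f"{label:18} {lab_client_outcomes(rs)}")
```

Running it shows the four situations from the thread side by side: the "WAN address" rule passes only traffic to 203.0.113.7, "any" opens the LAN as well, the "out" rule matches nothing entering from LAB, and the inverted no_go alias passes Internet traffic while blocking 192.168.1.10. The last column is the caveat to keep in mind: because 10.0.0.0/8 is in no_go, the LAB client is also blocked from the firewall's own LAB address 10.0.0.1, so if Unbound on the firewall is meant to resolve DNS for LAB clients, a pass rule to "LAB address" on the DNS port belongs above the inverted rule.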