OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: laugher on June 13, 2024, 02:59:08 AM

Title: Firewall Rule Question
Post by: laugher on June 13, 2024, 02:59:08 AM
Hi everyone. I'm new to OPNSense so please be gentle.  :'(

Have set up OPNsense on a Protectli Vault mini PC. On the first LAN interface, there was already a rule created automatically for me by the OPNsense setup to allow the subnet to any.

On the second interface, I had to manually add it myself and found I had to clone the rule from the first and configure it for this second interface.

Question #1 - Should I change the destination "any" to WAN address or WAN net?

I really want all interfaces to allow originating traffic to the internet but not to each other.

Question #2 - Should I add a firewall rule to allow one fixed internal IP on the first LAN interface to the .1 address of the same subnet for management purposes? Is this what is considered best practice?

I would like only one PC with a static (or DHCP reserved IP) to connect to OPNSense for management purposes (web GUI, SSH to OPNSense) in order to limit management access to the appliance.

Any thoughts and how you have achieved similar setup would be very much appreciated.
Title: Re: Firewall Rule Question
Post by: chemlud on June 13, 2024, 11:32:48 AM
1. Don't allow to WAN/WAN net. It will break connectivity to the web.

2. The default "allow any any" rule is only meant as a starter, even on LAN. Refine it to your taste with specific block/allow rules.

3. To avoid traffic from LAN to OPT1 (and vice versa), place a rule on top of the LAN rules list with "block source: LAN net target: OPT1 net" (and vice versa). Rules are evaluated from top to bottom; the first match will bite (if the standard "quick" is set, otherwise the rule will be evaluated last, but that should be kept for special/advanced configurations).
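The ordering and "quick" behaviour chemlud describes, as an added illustration that is not part of the thread: a small Python simulation of pf-style rule evaluation over a LAN rule list, using constructed LAN net / OPT1 net subnets and addresses that are assumptions for this example.

```python
import ipaddress

# Constructed interface networks (assumptions for this example, not from the thread).
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1 net": ipaddress.ip_network("192.168.2.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

def rule(name, action, iface, src, dst, quick=True):
    return {"name": name, "action": action, "iface": iface,
            "src": src, "dst": dst, "quick": quick}

def _matches(r, iface, src, dst):
    return (r["iface"] == iface
            and ipaddress.ip_address(src) in NETS[r["src"]]
            and ipaddress.ip_address(dst) in NETS[r["dst"]])

def evaluate(rules, iface, src, dst):
    """Walk the rule list top to bottom the way pf does.
    A matching 'quick' rule decides immediately (first match wins).
    A matching non-quick rule only sets a provisional verdict that any later
    matching rule can override, so it is effectively evaluated last.
    Returns (action, rule name); unmatched traffic hits the implicit default block."""
    verdict = ("block", "default deny")
    for r in rules:
        if not _matches(r, iface, src, dst):
            continue
        if r["quick"]:
            return r["action"], r["name"]
        verdict = (r["action"], r["name"])
    return verdict

# Recommended order: block LAN -> OPT1 on top, then the stock allow-any rule.
LAN_RULES_GOOD = [
    rule("block LAN->OPT1", "block", "LAN", "LAN net", "OPT1 net"),
    rule("default allow LAN", "pass", "LAN", "LAN net", "any"),
]
# Same two rules with the block placed below the allow: it never fires.
LAN_RULES_WRONG_ORDER = list(reversed(LAN_RULES_GOOD))
# Block on top but without 'quick': the later quick allow still wins.
LAN_RULES_NONQUICK = [
    rule("block LAN->OPT1", "block", "LAN", "LAN net", "OPT1 net", quick=False),
    rule("default allow LAN", "pass", "LAN", "LAN net", "any"),
]

if __name__ == "__main__":
    for label, rules in [("good", LAN_RULES_GOOD), ("wrong order", LAN_RULES_WRONG_ORDER),
                         ("non-quick block", LAN_RULES_NONQUICK)]:
        print(label, "LAN->OPT1:", evaluate(rules, "LAN", "192.168.1.10", "192.168.2.20"),
              "LAN->internet:", evaluate(rules, "LAN", "192.168.1.10", "203.0.113.5"))
```

Only the first ruleset blocks LAN-to-OPT1 while still passing LAN-to-internet; the other two let the inter-subnet traffic through, which is the mistake to check for when auditing a rule list.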
Title: Re: Firewall Rule Question
Post by: laugher on June 13, 2024, 11:54:48 AM
1. That makes a lot of sense. It does break when I use the WAN interface as the destination. But when I use WAN net, it seems to work. Still trying to understand why. I'll switch it over to any once I am done learning.

2. Got it. I will try to get a grip on what traffic is flowing between all my devices to the WAN interface over the next week or two to tighten it up. At this stage, all I can think of is http, https, dns, imap and ftp to start off with and am hoping social media mobile apps all use standard http/s ports!

3. That's great. Thank you!
Title: Re: Firewall Rule Question
Post by: chemlud on June 13, 2024, 12:12:41 PM
1. Not fully understood here, but maybe CGNAT on WAN?
Title: Re: Firewall Rule Question
Post by: laugher on June 13, 2024, 02:22:28 PM
With my limited understanding, I don't really follow how ISP CGNAT would affect why OPNsense would accept connections to WAN net. My only guess at this stage is that all traffic is routed to the default gateway in order to reach an address on the internet.

For example:

Unless I put a packet sniffer on the interface or I wade through the logs, I guess I am just guessing!  :D

But while I am interested, I am not all that interested to find out just yet. Still got lots of other interesting bits to learn here. Going to go with your experience and change it to "any" later.
Title: Re: Firewall Rule Question
Post by: chemlud on June 15, 2024, 04:06:26 PM
Routing is "next hop" (... -> WAN IP -> ISP gateway -> ...), but FW rules should be "target IP"-based.