Dear all,
Please note I am a newbie on OPNsense.
Until now I was using a competitor that has no longer been free for a few months ;-)
I exported my ruleset from this competitor to import it into OPNsense, and did a few manual changes so the import behaves the same. Apparently all is fine.
HOWEVER:
- My design is a FW serving 2 different netblocks, each with its own gateway.
- In my design, I want to open SSH from WAN (OPNsense naming). So I disabled the lockout rules.
- But in reality, although the 2 WANs have exactly the same ruleset except for the target IP (different subnets), OPNsense behaves differently:
- On WAN1 (WAN for OPNsense), SSH keeps being blocked
- On WAN2 (OPT1 for OPNsense), SSH is managed by my ruleset (normal).
I sense 2 possible issues:
- antilockout can't be disabled or edited. Painful when, for example, you don't have IPv6 and want a clean ruleset without any IPv6 pass anywhere.
- antilockout applies only on WAN (OPNsense naming), making the admin believe all their "WAN" interfaces are protected. There should be a way to ensure 2 WAN interfaces with the same ruleset will behave *exactly* the same.
Feel free to ask for any detail, my English might not be great :-)
Thanks
Best regards
Please note I found a link to this issue. Each incoming flow rule had a defined gateway (side effect of the import).
When this gateway is removed, OPNsense behaves much better...