I am trying to replace an Ipfire router/firewall with OpnSense and I am having problems with the firewall rules.
At the moment, everything has a static IP and I have 4 interfaces: WAN, LAN, DMZ, and WIFI. My WAN configuration is:
opnsense x.x.x.253 ------ x.x.x.254 comcast
The LAN works as expected. I am having problems with the WIFI network. I put 3 rules in the WIFI firewall rules:
Protocol   Source     Port   Destination   Port   Gateway   Schedule   Description
IPv4 *     WIFI net   *      WAN net       *      *         *
IPv4 *     WIFI net   *      WIFI net      *      *         *
IPv4 *     WIFI net   *      *             *      *         *
With all 3 rules enabled, a host on the WIFI network can access the internet. If I disable the last rule, a host on the WIFI network can no longer get to the internet. But, it can ping the WIFI interface, the x.x.x.253 interface, and the x.x.x.254 interface. It just can't reach anything beyond the 254 interface.
Any idea what I may have misconfigured?
Because WAN net is literally WAN net (your WAN IP and netmask you got from your ISP). That is not internet.
The second rule is completely useless, that traffic will never hit the firewall.
x.x.x.254 is defined as the default gateway. Shouldn't any traffic that is not on any of my local nets automatically go to x.x.x.254? That is what Ipfire does?
Not sure what the question relates to... LAN <=> LAN, WiFi <=> WiFi is handled by switches / APs. Does not hit the firewall.
For your first rule, you are allowing traffic with destination <your.wan.ip/subnet>. Once again, that is not internet. That is that one subnet. Which may be as small as /32 in some cases. I.e., identical to WAN IP.
The question relates to WIFI <==> WAN. I want hosts on the WIFI to be able to access the internet without being able to access the LAN. That is what I thought the first rule was supposed to do. So far, I am only able to have the WIFI hosts access the internet if I enable the third rule, which allows the WIFI hosts to also access the LAN.
The solution is:
Source: Wifi net
Destination: LAN net
Destination invert: check
Action: allow
In plain words: allow Wifi net to access anything but LAN net.
Quote from: thetibetantr on August 27, 2024, 09:52:48 PM
I want hosts on the WIFI to be able to access the internet without being able to access the LAN. That is what I thought the first rule was supposed to do.
Put a rule that blocks access to LAN net on your WiFi interface
above the last rule you have posted there (WiFi net -> any). Delete the rest.
(This could be condensed to a single rule with inverted destination as noted in the above post, but seeing your confusion, perhaps let's just not do that.)
I can see how that would work. However, it doesn't clear up my confusion. The first rule:
Protocol   Source     Port   Destination   Port   Gateway   Schedule   Description
IPv4 *     WIFI net   *      WAN net       *      *         *
should send all non-WIFI net traffic to the WAN interface which has x.x.x.254 as the default route.
root@opnsense:~ # netstat -4rn
Routing tables

Internet:
Destination         Gateway            Flags     Netif Expire
default             50.76.207.254      UGS         em0
50.76.207.248/29    link#1             U           em0
172.16.1.0/24       link#3             U           em2
172.16.1.1          link#5             UHS         lo0
172.16.3.0/24       link#2             U           em1
172.16.3.1          link#5             UHS         lo0
What am I missing?
Here is my routing table from ipfire:
[root@ipfire ~]# route -n
Kernel IP routing table
Destination       Gateway           Genmask           Flags Metric Ref    Use Iface
0.0.0.0           50.76.207.254     0.0.0.0           UG    0      0        0 red0
50.76.207.248     0.0.0.0           255.255.255.248   U     0      0        0 red0
50.76.207.254     0.0.0.0           255.255.255.255   UH    0      0        0 red0
172.16.1.0        0.0.0.0           255.255.255.0     U     0      0        0 blue0
172.16.3.0        0.0.0.0           255.255.255.0     U     0      0        0 green0
The main difference I see is that every interface shows the default gateway as the gateway.
Is there a way to do something similar in opnsense?
I already explained 3 times that WAN net is your WAN interface subnet. NOT Internet. The routing and GW is absolutely irrelevant. With no destination but the WAN net allowed, the packets will be blocked by the firewall. Forget about using WAN net for rules intended to mean Internet.
In the output you posted, 50.76.207.248/29 is the WAN net. And that is all that the rule allows.
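To make the point concrete, here is a small first-match rule evaluator (added here as an illustration, not OPNsense or pf code) fed the poster's rule set and the suggested fix. The subnets come from the routing tables in the thread; treating 172.16.1.0/24 (IPFire blue0) as WIFI net and 172.16.3.0/24 (green0) as LAN net is an assumption, and the client and internet addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Subnets from the posted routing tables. Which /24 is WIFI vs LAN is an
# assumption based on the IPFire blue0 (WiFi) / green0 (LAN) naming.
WAN_NET = ip_network("50.76.207.248/29")   # "WAN net": the ISP subnet only
WIFI_NET = ip_network("172.16.1.0/24")     # em2 / blue0, assumed WIFI net
LAN_NET = ip_network("172.16.3.0/24")      # em1 / green0, assumed LAN net

def make_rule(action, src, dst=None, invert_dst=False):
    """dst=None models a '*' (any) destination; invert_dst models
    the 'Destination / Invert' checkbox in the rule editor."""
    return {"action": action, "src": src, "dst": dst, "invert": invert_dst}

def matches(rule, src_ip, dst_ip):
    if src_ip not in rule["src"]:
        return False
    if rule["dst"] is None:
        return True
    in_dst = dst_ip in rule["dst"]
    return (not in_dst) if rule["invert"] else in_dst

def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins (interface rules are 'quick' by default);
    no match falls through to the implicit default deny."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule["action"]
    return "block"

# The poster's rules with the third (WIFI net -> *) rule disabled.
POSTED_RULES = [
    make_rule("pass", WIFI_NET, WAN_NET),
    make_rule("pass", WIFI_NET, WIFI_NET),
]

# Single-rule fix: allow WIFI net to reach anything except LAN net.
FIXED_RULES = [make_rule("pass", WIFI_NET, LAN_NET, invert_dst=True)]

# Two-rule form: block LAN net first, then allow any.
ORDERED_RULES = [
    make_rule("block", WIFI_NET, LAN_NET),
    make_rule("pass", WIFI_NET),
]
```

With the posted rules, a WIFI client reaches 50.76.207.254 (inside WAN net) but not an internet address; with either fixed set it reaches the internet and is blocked from LAN net.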