OPNsense Forum

English Forums => General Discussion => Topic started by: kmavrov on November 14, 2024, 09:36:35 AM

Title: Help needed with firewall rules to BLOCK Internet
Post by: kmavrov on November 14, 2024, 09:36:35 AM
So I have a NoT VLAN (for local-only IoT devices that I don't want to communicate with anything, except my Home Assistant instance).

So far I have managed to block traffic to other networks and allow access only to Home Assistant.
I have also managed to somewhat block Internet access:
ping google.com does not provide any results, which is fine.
But at the same time:
ping 216.58.213.110 does return results, which is not fine because the things I want to block try to communicate with IPs directly, not domains.

Here is a screenshot of my current rules so far:

Title: Re: Help needed with firewall rules to BLOCK Internet
Post by: dseven on November 14, 2024, 09:45:49 AM
The last (bottom) rule allows NoT net to "any", which includes the whole internet. You probably want to delete (or at least disable) that rule.
Title: Re: Help needed with firewall rules to BLOCK Internet
Post by: kmavrov on November 14, 2024, 11:24:17 AM
Oh, that was it. Thank you!
Title: Re: Help needed with firewall rules to BLOCK Internet
Post by: EricPerl on November 15, 2024, 09:55:12 PM
And then, if you don't have other rules below the RFC1918 rule, that rule is effectively useless.
Its only value would be to generate a log entry if you disabled logging of the default block rule.

You could tighten the timeserver rule (protocol-UDP and port-NTP). That's standard.
Ditto for HA. They likely document that...
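To make the two points in this thread concrete (a trailing "allow to any" rule lets Internet IPs through even though the RFC1918 block sits above it, and a block rule with nothing below it only adds a log entry), here is a small first-match rule evaluator written for this post. It is an added example, not OPNsense code or anything from the original thread. The NoT/HA/NTP addresses, the Home Assistant port 8123 and the rule names are constructed assumptions; only 216.58.213.110 comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# RFC1918 private ranges, the same set an OPNsense "private networks" alias would cover
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample addresses (assumptions, not from the thread)
HOME_ASSISTANT = ip_address("192.168.10.5")
NTP_SERVER = ip_address("192.168.10.1")
GOOGLE_IP = ip_address("216.58.213.110")   # the address pinged in the thread


@dataclass
class Rule:
    name: str
    action: str                   # "pass" or "block"
    proto: str                    # "any", "tcp", "udp" or "icmp"
    dst: List[IPv4Network]        # destination networks; empty list means "any"
    dport: Optional[int] = None   # None means any destination port


def matches(rule: Rule, proto: str, dst: IPv4Address, dport: Optional[int]) -> bool:
    """Does this packet (protocol, destination, port) match the rule's selectors?"""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst and not any(dst in net for net in rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules: List[Rule], proto: str, dst: IPv4Address,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation, top to bottom (OPNsense "quick" rules); default deny if nothing matches."""
    for rule in rules:
        if matches(rule, proto, dst, dport):
            return rule.action, rule.name
    return "block", "default deny"


def ruleset(allow_any_at_bottom: bool, tightened: bool) -> List[Rule]:
    """Model of the NoT interface rules: loose (protocol any) or tightened to UDP/123 and TCP/8123."""
    rules = [
        Rule("allow Home Assistant", "pass",
             "tcp" if tightened else "any",
             [ip_network(f"{HOME_ASSISTANT}/32")],
             8123 if tightened else None),      # 8123 is an assumed HA port
        Rule("allow time server", "pass",
             "udp" if tightened else "any",
             [ip_network(f"{NTP_SERVER}/32")],
             123 if tightened else None),
        Rule("block RFC1918", "block", "any", RFC1918),
    ]
    if allow_any_at_bottom:
        # The rule dseven pointed at: it matches everything the block above did not, including the Internet
        rules.append(Rule("allow NoT to any", "pass", "any", []))
    return rules


def redundant_block_rules(rules: List[Rule]) -> List[str]:
    """Block rules with no later pass rule that could override them: they only produce a log entry."""
    return [r.name for i, r in enumerate(rules)
            if r.action == "block" and not any(later.action == "pass" for later in rules[i + 1:])]


if __name__ == "__main__":
    print("with allow-any:   ", evaluate(ruleset(True, False), "icmp", GOOGLE_IP))
    print("without allow-any:", evaluate(ruleset(False, False), "icmp", GOOGLE_IP))
    print("redundant blocks: ", redundant_block_rules(ruleset(False, False)))
    print("tcp to NTP host:  ", evaluate(ruleset(False, True), "tcp", NTP_SERVER, 123))
```

Running it shows the ping to 216.58.213.110 passing only while the trailing allow-any rule exists, the RFC1918 block becoming redundant once that rule is gone, and the tightened NTP rule rejecting anything that is not UDP/123 to the time server.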