OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: 0zzy on May 29, 2025, 03:54:52 PM

Title: DMZ to DNS on DMZ interface not working
Post by: 0zzy on May 29, 2025, 03:54:52 PM
Hey together,

I configured a DMZ in my vlan.

Everything works except the firewall rule for DNS, which should be the Interface Address.

I use Unbound for everything.

I set an ACL in Outbound for it.
My firewall rules are:

Protocol        Source      Port      Destination   Port      Gateway   Schedule   Description
IPv4 TCP/UDP    LANDMZ net  53 (DNS)  dmz_ns        53 (DNS)  *         *          Forward DNS
IPv4 ICMP       LANDMZ net  *         *             *         *         *          Allow ICMP to OPNsense
IPv4+6 *        LANDMZ net  *         RFC1918       *         *         *          Block LANDMZ to internal
IPv4+6 *        LANDMZ net  *         ! RFC1918     *         *         *          Allow access to Internet and block access to all local networks
IPv4 *          LANDMZ net  *         FLUX_IPs      *         *         *          Allow to admin PC only
IPv4 *          LANDMZ net  *         *             *         *         *          Block all other

Why can't the DMZ reach the DNS?
I'm confused about that.

Title: Re: DMZ to DNS on DMZ interface not working
Post by: Patrick M. Hausen on May 29, 2025, 04:16:33 PM
The source port is not 53 but any.
Title: Re: DMZ to DNS on DMZ interface not working
Post by: 0zzy on May 29, 2025, 04:58:48 PM
@Patrick M. Hausen,
oh my god.... it works...
you are my hero of the day ;)
Thank you!
Title: Re: DMZ to DNS on DMZ interface not working
Post by: EricPerl on May 29, 2025, 07:13:58 PM
A few comments on the rules (reformatted), inline:

Quote from: 0zzy on May 29, 2025, 03:54:52 PM
My Firewall Rules are:

AB   Protocol     Source     Port Destination Port Description
A  IPv4 TCP/UDP LANDMZ net *    dmz_ns      53   Forward DNS               # Corrected by Patrick. Based on preamble, LANDMZ address could have been used for dest
A  IPv4 ICMP    LANDMZ net *    *           *    Allow ICMP to OPNsense   
B  IPv4+6 *     LANDMZ net *    RFC1918     *    Block LANDMZ to internal  # Typically not useful unless there's a more general allow later,
                                                                           # like the following rule if the destination was any.
A  IPv4+6 *     LANDMZ net *    !RFC1918    *    Allow access to Internet and block access to all local networks
                                                                           # The above rule doesn't block anything...   
A  IPv4 *       LANDMZ net *    FLUX_IPs    *    Allow to admin PC only    # Isn't the Block RFC1918 rule getting in the way?   
B  IPv4 *       LANDMZ net *    *           *    Block all other           # Without this, the 'default deny / state violation' would be used...
AB is Allow or Block.
Wrt the !RFC1918 rule, the meaning is Allow all traffic to 'any destination except private networks' (iow, only the Internet).
It's an allow rule. It can't block anything.
Importantly, because it does not apply to local/private traffic, such traffic can be allowed by other rules below.
Title: Re: DMZ to DNS on DMZ interface not working
Post by: 0zzy on June 04, 2025, 09:50:35 AM
@EricPerl
Curious, in my configuration it works as described.
The block rule (RFC1918  *  Block LANDMZ to internal), without anything else, blocks all traffic in my entire LAN. How did I test it?

ping 192.168.11.1       --> no ping allowed
traceroute 192.168.11.1 --> no traceroute possible

also:

nmap -p 22,80,443 192.168.11.1 --> says everything is filtered
nc -zv 192.168.11.1 22         --> says all the ports are unreachable

No web interface is usable from any of the DMZ hosts.

On OPNsense:

Firewall > Log Files > Live View

Filter:

Interface: LANDMZ

Action: Block

Destination: RFC1918 IPs

So why should it not be working?
Title: Re: DMZ to DNS on DMZ interface not working
Post by: EricPerl on June 04, 2025, 06:31:44 PM
Ping and tracert should work FROM an IPv4 host in LANDMZ because of this:
AB Protocol     Source     Port Destination Port Description
A  IPv4 ICMP    LANDMZ net *    *           *    Allow ICMP to OPNsense 
At least, it should go through the FW.
There's not enough info in this thread to infer what 192.168.11.1 maps to.

Then I was saying that this makes sense (option A):
AB Protocol     Source     Port Destination Port Description
...
B  IPv4+6 *     LANDMZ net *    RFC1918     *    Block LANDMZ to internal  # Explicit block of inter-VLAN
A  IPv4+6 *     LANDMZ net *    *           *    Allow access to everything

This is an alternative (option B):
AB Protocol     Source     Port Destination Port Description
...
A  IPv4+6 *     LANDMZ net *    !RFC1918    *    Allow access to everything except local networks

One big difference is that when it is followed by this:
AB Protocol     Source     Port Destination Port Description
...
A  IPv4 *       LANDMZ net *    FLUX_IPs    *    Allow to admin PC only    # Isn't the Block RFC1918 rule getting in the way?   
Assuming FLUX_IPs is a subset of RFC1918 (given the admin PC description), option A will prevent that rule from going into effect while option B won't.
If that rule was higher up (before the block), it would also work.

So one part of my comments was about some redundancy (block 1918, allow !1918), another was about an unreachable rule (block 1918, allow IPin1918).