OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: s3b0 on October 03, 2025, 11:45:04 AM

Title: Block all traffic from alias (ip range)
Post by: s3b0 on October 03, 2025, 11:45:04 AM
Hi,

I'm trying to block all traffic from an IP range (via alias) but nothing is working - I didn't have this problem on my previous firewall, but with OPNsense I can't make it work, maybe I'm missing something.

IP range for block is 192.168.2.50-192.168.2.59 (alias: Cameras, type of alias is Hosts)
Screenshot_20251003_113607.png

Out of desperation I made redundant rules on the WAN and LAN interfaces:
Screenshot_20251003_113916.png
Screenshot_20251003_114008.png

But, even after resetting states, OPNsense shows me
Screenshot_20251003_114150.png

and one of my crap cams is still connected to its cloud.

What am I doing wrong?

Title: Re: Block all traffic from alias (ip range)
Post by: Patrick M. Hausen on October 03, 2025, 11:52:30 AM
The cameras are connected to LAN, right? To block traffic from the cameras to the Internet the rule needs to be:

Action: block
Interface: LAN
Direction: in
Source: cameras
Destination: any

The packets from the cameras are coming IN through the LAN interface when you picture a little daemon sitting inside the firewall watching the traffic.

That's explained in the documentation:

https://docs.opnsense.org/manual/firewall.html#direction

You practically never use "out" rules.
Title: Re: Block all traffic from alias (ip range)
Post by: s3b0 on October 03, 2025, 04:35:41 PM
Thx - fixed thanks to you.

So I should consider directions very differently: "in" is from my net (into the internet) and "out" is to my net (from the internet)?

Like this:
Internet -> Out rule of Wan -> Out rule of LAN -> LAN
Internet <- In rule of Wan <- In rule of LAN <- LAN
or like this:
Internet -> In rule of Wan -> Out rule of LAN -> LAN
Internet <- Out rule of Wan <- In rule of LAN <- LAN

??
Title: Re: Block all traffic from alias (ip range)
Post by: meyergru on October 03, 2025, 05:04:23 PM
Not exactly - the direction is from the interface's point of view. It is explained in the documentation.
Title: Re: Block all traffic from alias (ip range)
Post by: Patrick M. Hausen on October 03, 2025, 09:33:48 PM
Quote from: meyergru on October 03, 2025, 05:04:23 PM
Not exactly - the direction is from the interface's point of view. It is explained in the documentation.

To elaborate on that - as I wrote, picture a little BSD daemon [1] sitting inside your firewall. When a client on LAN initiates a connection to "the Internet" the first packet the daemon sees is coming in from the LAN interface.

If you want to publish an internal server to be accessible from the Internet, the first packet is coming in from an arbitrary system on the Internet to the WAN interface.

You really need to picture packets and the interfaces they pass through.

[1] https://en.wikipedia.org/wiki/BSD_Daemon
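To make the direction point from the two replies above concrete, here is an added toy model (not OPNsense or pf code, and not posted by anyone in this thread) of how per-interface in/out rules see a camera's first packet to its cloud. The Cameras alias range is taken from the thread; the "wrong" rule set, the Internet destination address, and the first-match semantics are constructed assumptions for the demo.

```python
import ipaddress

# Constructed "Hosts" alias holding the IP range from the thread.
ALIASES = {"Cameras": ("192.168.2.50", "192.168.2.59")}

def in_alias(ip, name):
    # Inclusive range check, as a Hosts alias with "a-b" would behave.
    lo, hi = (ipaddress.ip_address(a) for a in ALIASES[name])
    return lo <= ipaddress.ip_address(ip) <= hi

def address_matches(ip, spec):
    # spec is "any" or an alias name
    return spec == "any" or in_alias(ip, spec)

def rule_matches(rule, iface, direction, src, dst):
    # rule = (action, interface, direction, source, destination);
    # direction is always from the firewall interface's point of view.
    _, r_iface, r_dir, r_src, r_dst = rule
    return (r_iface == iface and r_dir == direction
            and address_matches(src, r_src) and address_matches(dst, r_dst))

def decide(rules, iface, direction, src, dst):
    # First matching rule wins (assumed "quick" semantics); no match -> pass.
    for rule in rules:
        if rule_matches(rule, iface, direction, src, dst):
            return rule[0]
    return "pass"

def lan_client_to_internet(rules, src, dst="203.0.113.10"):
    # A LAN host's first packet enters the firewall "in" on LAN and leaves
    # "out" on WAN; a block at either hop drops the flow.
    for iface, direction in [("LAN", "in"), ("WAN", "out")]:
        if decide(rules, iface, direction, src, dst) == "block":
            return "block"
    return "pass"

# Assumed "redundant" rules that never see the camera's first packet:
WRONG_RULES = [("block", "LAN", "out", "Cameras", "any"),
               ("block", "WAN", "in", "Cameras", "any")]
# The rule from the reply above: block, LAN, in, Cameras -> any.
RIGHT_RULES = [("block", "LAN", "in", "Cameras", "any")]

if __name__ == "__main__":
    print("wrong rules:", lan_client_to_internet(WRONG_RULES, "192.168.2.55"))  # pass
    print("right rules:", lan_client_to_internet(RIGHT_RULES, "192.168.2.55"))  # block
```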
Title: Re: Block all traffic from alias (ip range) [Solved]
Post by: s3b0 on October 08, 2025, 05:46:33 PM
Got it - thx :)