OPNsense Forum

English Forums => General Discussion => Topic started by: tdalej on December 17, 2025, 08:23:07 PM

Title: Firewall rules/orders for dummies
Post by: tdalej on December 17, 2025, 08:23:07 PM
I just upgraded to 25.7.9_7 and am adjusting networks afterwards.

I have separate physical subnets for various purposes.
One I use for all WIFI and a security camera NVR.
I need _one_ camera on LAN40 to talk to the NVR on LAN40.
I had the Wifi subnet isolated from the other subnets by the 3rd and 4th rule (successfully I thought).
I tried adding the top two rules for any protocol/any port between 192.168.20.70 and 192.168.40.5.
I'm missing something, because the block to the subnet appears to be working, but the rules prior to that do not.
I'm not sure what I'm missing here, but if anyone can explain it to me like I'm a dummy, I'd appreciate it.


Automatically generated rules

Proto   Source              Port  Destination               Port  Gateway  Schedule  Description
IPv4 *  192.168.20.70/24    *     192.168.40.5/24           *     *        *         In rule for Security Camera
IPv4 *  192.168.40.5/24     *     192.168.20.70/24          *     *        *         Out Rule for Security Camera
IPv4 *  WIFI net            *     LAN20, LAN30, LAN40, LAN50  *   *        *         Default block out to private subnets rule
IPv4 *  WIFI net            *     LAN20, LAN30, LAN40, LAN50  *   *        *         Default block in to private subnets rule
IPv4 *  WIFI net            *     *                         *     *        *         Default allow WiFi to any rule
Title: Re: Firewall rules/orders for dummies
Post by: chemlud on December 17, 2025, 08:38:42 PM
Rules 1 and 2: /32 instead of /24.

Why OUT rules? Normally only IN is needed. IN with respect to the interface...
Title: Re: Firewall rules/orders for dummies
Post by: Patrick M. Hausen on December 17, 2025, 08:40:57 PM
If both devices are on LAN40 you do not need any rule.

If they are not and this is just a typo, you need one rule on the interface with the device that initiates the connection. So that depends on whether the camera pushes to the recorder or the recorder pulls from the camera.

Direction: in
Source: device initiating the connection /32 (!)
Destination: target device /32 (!)
Title: Re: Firewall rules/orders for dummies
Post by: tdalej on December 17, 2025, 09:58:02 PM
NVR is on LAN40 and the camera in question is on LAN20.
LAN40 is used for things that I don't want to have access to the other networks.
Putting that one camera on LAN40 would cost another PoE injector, and I already have a PoE switch in that location on LAN20 ...

I added an out and an in rule because I need to be able to register the camera to the NVR and it needs bidirectional traffic?
The rules right below block all traffic between those networks, if I understand them correctly.

Changing from /24 to /32 made no difference.
Do I need to disable and reenable, or reboot?
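The following is an added example, not code from the thread or from OPNsense, that models the two points made above: OPNsense interface rules are first-match ("quick") and are evaluated only for packets arriving on the interface tab they live on, so a rule on the WIFI tab never sees a packet entering on LAN20, and a /24 written against a host address is silently masked to the whole subnet, which is why changing /24 to /32 changed nothing. The subnet numbers behind the aliases (WIFI net = 192.168.10.0/24, LAN20 = 192.168.20.0/24, etc.) and the placement of the original rules on the WIFI tab are assumptions for the example; the camera is assumed to be the side that initiates, as in Patrick's reply, with the NVR's return traffic covered by the state the pass rule creates.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    iface: str      # interface tab the rule lives on (WIFI, LAN20, ...)
    direction: str  # "in" or "out", relative to that firewall interface
    action: str     # "pass" or "block"
    src: str        # alias or CIDR; comma-separated list allowed
    dst: str        # alias or CIDR; comma-separated list allowed
    desc: str

# Constructed alias table (assumption: the subnets behind the names used in the thread)
ALIASES = {
    "WIFI net": "192.168.10.0/24",
    "LAN20": "192.168.20.0/24",
    "LAN30": "192.168.30.0/24",
    "LAN40": "192.168.40.0/24",
    "LAN50": "192.168.50.0/24",
    "any": "0.0.0.0/0",
}

def expand(spec):
    """Resolve a spec like 'LAN20, LAN30' or '192.168.20.70/24' to networks.
    strict=False masks host bits the way pf does: 192.168.20.70/24 is 192.168.20.0/24."""
    return [ipaddress.ip_network(ALIASES.get(name, name), strict=False)
            for name in spec.split(", ")]

def matches(rule, iface, direction, src, dst):
    """A rule applies only on its own interface tab and direction."""
    if rule.iface != iface or rule.direction != direction:
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in expand(rule.src)) and any(d in n for n in expand(rule.dst))

def evaluate(rules, iface, direction, src, dst):
    """First matching rule wins (OPNsense rules are 'quick' by default);
    a packet that matches nothing hits the implicit default deny."""
    for r in rules:
        if matches(r, iface, direction, src, dst):
            return r.action, r.desc
    return "block", "implicit default deny"

# The poster's rule list, assumed to sit on the WIFI interface tab
OP_RULES = [
    Rule("WIFI", "in",  "pass",  "192.168.20.70/24", "192.168.40.5/24",             "In rule for Security Camera"),
    Rule("WIFI", "out", "pass",  "192.168.40.5/24",  "192.168.20.70/24",            "Out Rule for Security Camera"),
    Rule("WIFI", "out", "block", "WIFI net",         "LAN20, LAN30, LAN40, LAN50",  "Default block out to private subnets rule"),
    Rule("WIFI", "in",  "block", "WIFI net",         "LAN20, LAN30, LAN40, LAN50",  "Default block in to private subnets rule"),
    Rule("WIFI", "in",  "pass",  "WIFI net",         "any",                         "Default allow WiFi to any rule"),
]

# Patrick's single rule: on the tab of the initiating device, direction in, /32 on both ends
FIXED_RULES = OP_RULES + [
    Rule("LAN20", "in", "pass", "192.168.20.70/32", "192.168.40.5/32", "Camera to NVR"),
]

def camera_to_nvr(rules):
    """Camera 192.168.20.70 opens a connection to NVR 192.168.40.5: the packet
    enters the firewall on LAN20, so only LAN20 'in' rules are consulted."""
    return evaluate(rules, "LAN20", "in", "192.168.20.70", "192.168.40.5")

def wifi_client_to_nvr(rules):
    """A WiFi client trying to reach the NVR should still be blocked."""
    return evaluate(rules, "WIFI", "in", "192.168.10.20", "192.168.40.5")

if __name__ == "__main__":
    print("/24 masked:", expand("192.168.20.70/24") == expand("192.168.20.0/24"))
    print("original rules:", camera_to_nvr(OP_RULES))
    print("with LAN20 in rule:", camera_to_nvr(FIXED_RULES))
    print("wifi client:", wifi_client_to_nvr(FIXED_RULES))
```

Running it shows the camera's packet falling through to the implicit deny with the original list, because none of those rules is on the LAN20 tab, and passing once a LAN20 "in" rule exists; the WiFi isolation rules are unaffected either way. The model ignores state tracking, which in the real firewall is what lets the NVR's replies back without an "out" rule.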