OPNsense Forum

English Forums => General Discussion => Topic started by: mimo on September 27, 2017, 10:37:22 PM

Title: Please help with basic firewall configuration
Post by: mimo on September 27, 2017, 10:37:22 PM
I've been struggling with setting up some basic firewall rules for hours now. It looks like everything I try is ignored. I have created a WAN interface and multiple LAN interfaces. Routing should be done from every LAN to the WAN, but not between the LANs.

I tried to disable ALL firewall rules on EVERY interface and even added a generic "block everything" rule on one LAN. But I can still send ICMP requests and reach an HTTP server on this LAN from another LAN. The only way I found working was to remove the interface IP address of the LAN with the HTTP server - so the traffic is definitely flowing through OPNsense.

What is going wrong here? Do you have to explicitly enable the firewall somewhere?

Title: Re: Please help with basic firewall configuration
Post by: bartjsmit on September 28, 2017, 08:14:23 AM
Can you give more details on your setup? Do you use VLAN separation or separate L2 infrastructure?

Bart...

Title: Re: Please help with basic firewall configuration
Post by: mimo on September 28, 2017, 10:12:03 AM
OPNsense is running on Hyper-V 2012. The physical server is connected to the switch via 3 NICs, Teaming is enabled in Hyper-V. The team NIC is assigned to the OPNsense VM with trunking enabled, VLAN separation is done by OPNsense.

I installed OPNsense 16.7 a year ago, did just the basic configuration and added the VLANs, then added "allow everything" firewall rules on each VLAN. It has been running since then, I just did all the upgrades from time to time. Now I'm trying to make the "allow everything" rules a bit more secure...

Title: Re: Please help with basic firewall configuration
Post by: NilsS on September 28, 2017, 02:48:58 PM
Create an alias LOCALNETWORKS with all your local networks inside.

Change the allow rules to destination NOT LOCALNETWORKS.

Title: Re: Please help with basic firewall configuration
Post by: mimo on September 28, 2017, 09:11:15 PM
After some more hours of digging and finally setting up another complete environment with different hardware, I was able to track this down: It was working all the time, all I had to do was clear the state table.  >:(

I always started by accessing the second LAN, then adding a blocking rule and expecting access to be lost immediately. Connections that are already established are not touched by new firewall rules. Although perfectly valid, this behavior is quite unintuitive - especially if your old firewall was stateless.

Maybe you could add a hint to this somewhere in the GUI to save other people from these hours of frustration?
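As an added illustration of the two points in this thread (not code from the thread or from OPNsense), the following Python model reproduces what mimo observed: a stateful filter such as pf consults the rule set only for the first packet of a flow, so a new block rule has no effect on a flow that already has a state until the state table is cleared. It also models NilsS's alias approach, with a constructed LOCALNETWORKS alias of two LAN VLANs and a documentation address standing in for a WAN host; the class and function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample alias: two LAN VLANs behind OPNsense (not the poster's networks).
LOCALNETWORKS = [ip_network("10.10.0.0/24"), ip_network("10.20.0.0/24")]


def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    a = ip_address(addr)
    return any(a in net for net in alias)


class StatefulFirewall:
    """Minimal model of pf's behaviour: rules decide only the first packet of a
    flow; later packets of that flow are matched against the state table."""

    def __init__(self, rules):
        self.rules = rules      # list of (action, predicate(src, dst, dport))
        self.states = set()     # established flows: (src, dst, dport)

    def filter(self, src, dst, dport):
        key = (src, dst, dport)
        if key in self.states:  # existing state: the rule set is not consulted
            return "pass"
        for action, match in self.rules:
            if match(src, dst, dport):
                if action == "pass":
                    self.states.add(key)  # a pass creates a state
                return action
        return "block"          # implicit default deny

    def flush_states(self):
        """The equivalent of resetting the state table in the GUI."""
        self.states.clear()


allow_all = ("pass", lambda s, d, p: True)
# NilsS's suggestion: pass only when the destination is NOT a local network.
allow_non_local = ("pass", lambda s, d, p: not in_alias(d, LOCALNETWORKS))


def demo():
    """Replays the thread: open a LAN-to-LAN flow, tighten the rules, flush."""
    fw = StatefulFirewall([allow_all])
    results = [fw.filter("10.10.0.5", "10.20.0.8", 80)]     # pass, state created
    fw.rules = [allow_non_local]                             # stricter rule set
    results.append(fw.filter("10.10.0.5", "10.20.0.8", 80))  # still pass: state survives
    fw.flush_states()                                        # clear the state table
    results.append(fw.filter("10.10.0.5", "10.20.0.8", 80))  # now blocked: LAN to LAN
    results.append(fw.filter("10.10.0.5", "203.0.113.10", 443))  # pass: LAN to WAN
    return results
```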