OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Dicolla on December 19, 2018, 12:36:27 am

Title: How to configure a "Policy Routing" without compromising the firewall rules ?
Post by: Dicolla on December 19, 2018, 12:36:27 am
As I understand, the "Firewall->Rules->LAN" defines ( for instance ) if a TCP port is allowed or not, AND also which WAN this rule should use to validate the rule. Besides this, this rule in fact also determines the WAN output routing.

I have a MULTI-WAN configuration only to implement a "failover" approach, using my 3 output uplinks. So I have a main UPLINK ( tier-1 ) defined and the others as tier-2 and tier-3.

When I define a "Firewall->Rule->LAN" I use my MULTI-WAN  group as "the gateway". No problems until now...

My difficulty happens when I need to specify that a specific DESKTOP ( LAN->IP ) should use a specific route to one of my WAN links, thus ignoring my MULTI-WAN configuration.

The only way I could find to do this in OpnSense is creating a rule with the field "Source" that contains the DESKTOP LAN-IP and using my specific WAN link as "the gateway". And also setting the WAN output routing.

But now all my hundreds of the regular rules which use my MULTI-WAN group as "the gateway" are ignored because this DESKTOP rule in fact also determines which features are released. And I would not want to duplicate all of my regular RULES only because I have a different "gateway".

In Opnsense, the "Firewall-Rule" assigns the resources to be allowed AND also determines the routing. Do we have a way to separate the "Policy Routing" from the "Outgoing traffic" rules ? So first the system computes the route and then checks all the Firewall rules ?

Title: Re: How to configure a "Policy Routing" without compromising the firewall rules ?
Post by: mimugmail on December 19, 2018, 06:10:09 am
No, this is the logic of pf in FreeBSD. Only the first rule matches. But when you set one source IP I don't know why all the others break?
Title: Re: How to configure a "Policy Routing" without compromising the firewall rules ?
Post by: Dicolla on December 19, 2018, 01:22:50 pm
Maybe this post explains my problem better ( https://www.netgate.com/docs/pfsense/routing/bypassing-policy-routing.html ):

The Multi-WAN capability of pfSense uses the route-to functionality in pf to direct traffic out via specific gateways. Rules that match traffic to send connections out a specific WAN can cause local or VPN traffic destinations to exit the firewall WAN rather than following local routing, which is likely not the intended effect.

To ensure proper delivery of local or VPN routed traffic, or other external traffic that must obey the system routing table, rules must be crafted to pass the traffic without a gateway set.

And probably it also tells us a solution....I'll check....
Title: Re: How to configure a "Policy Routing" without compromising the firewall rules ?
Post by: Dicolla on December 19, 2018, 07:53:05 pm
Unfortunately the last information I posted is not useful...

Let me explain my problem in detail. Maybe I am choosing the wrong way to build my Firewall rules.

In fact I am trying to migrate all my Firewall rules from my current Firewall ( Endian Firewall ) to OpnSense. And some concepts seem to be hard to migrate.

In my current Firewall I have a section in which all the allow rules are defined ( Firewall -> Outgoing traffic ). I define, for instance, the ports my LAN NET can use to make connections. No implicit route. Only a set of filter rules. The default is using my main WAN as the output link to the Internet.

And I have another section ( Network -> Routing -> Policy Routing ) in which I can define a rule for some cases where I need to explicitly define another route to be used by some Desktops; usually I define them to use another WAN ( the secondary one or some special WAN ) different from the default. In other words, routing and firewall rules are different things, and when I use a route to another WAN all the firewall rules are still active and functional.

In OpnSense I am now building the system this way:

1- I have two different WANs, so I configured a MULTI-WAN named "FAILOVER-WAN" and set my WAN1 as tier1 and my WAN2 as tier2

2- My "Firewall->Rules-Lan" has the rule "Default allow LAN to any rule" disabled. Therefore I must explicitly define the resources that are allowed to be used. For instance, I define a rule to allow the use of ports 80 and 443. And the gateway of this rule is "FAILOVER-WAN". No matter which WAN is really active ( WAN1 or WAN2 ) the rule is valid. And in this case if my user tries to use FTP PORT 21 it will not be allowed.

3- But now I have a Desktop from my LAN NET that for some reason needs to use only the WAN2 link. Not the default first option of my "FAILOVER-WAN". No matter if the WAN1 is active or not, this Desktop needs to use only the WAN2. But I do not have a "routing section" like I have in my current firewall today. As I understand I need to use another "Firewall->Rules-Lan" rule only to define this specific route for this Desktop. So I created a rule with a different gateway ( WAN2, no longer the WAN group ) and the field "Source - single host or Network" with the IP of this specific Desktop. I put this rule BEFORE the "generic rule" I described before. Works...but I have a problem now. I need to duplicate, for each "generic rule" defined, the same options in this special DESKTOP rule. So I will have a generic rule allowing the use of ports 80/443 to FAILOVER-WAN and a specific rule also allowing the use of ports 80/443 for this DESKTOP IP and using WAN2. If tomorrow I need to create a new generic rule allowing the FTP PORT then I also need to duplicate the work, creating a new rule for this special DESKTOP.

Do I have another way to solve this problem using OpnSense?

Is it possible to define a set of rules linked to a MULTI-WAN and use the same rules eventually assigned to another gateway-WAN without duplicating the service? I have now hundreds of rules as a basic/generic set of Firewall rules and 3 or 4 special DESKTOPS which need to use a different explicit WAN, and now I cannot see a solution using Opnsense.
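The behaviour described in steps 2 and 3 above (and in the Netgate excerpt quoted earlier: route-to is attached to a pass rule, and the first matching rule decides) can be checked with a small first-match simulator. This is an added example, not code from the thread, from OPNsense or from pf itself; the LAN prefix, host addresses, rule names and gateway names ("FAILOVER-WAN", "WAN2") are constructed. It models only what the posts state: one ordered list of pass rules, the first match wins, and the matching rule carries both the allow decision and the gateway. The audit helper at the end reports which extra services a host gains when a source-only policy-routing rule is placed in front of the generic rules.

```python
# Added example (not from the thread, OPNsense or pf): first-match simulation of
# LAN rules where each pass rule also carries the gateway (policy routing).
# All addresses, rule names and gateway names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

LAN_NET = ip_network("192.168.1.0/24")   # constructed LAN network
DESKTOP = ip_address("192.168.1.50")     # constructed "special desktop"
OTHER = ip_address("192.168.1.77")       # constructed ordinary LAN host


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                 # CIDR prefix or single address
    ports: Optional[frozenset]  # destination TCP ports; None = any port
    gateway: Optional[str]      # None = follow the system routing table
    action: str = "pass"

    def matches(self, src, dport) -> bool:
        in_source = src in ip_network(self.source, strict=False)
        return in_source and (self.ports is None or dport in self.ports)


def evaluate(rules, src, dport) -> Tuple[str, Optional[str], str]:
    """First matching rule wins (OPNsense generates its interface rules with
    'quick'); no match falls through to the implicit default block."""
    for r in rules:
        if r.matches(src, dport):
            return r.action, r.gateway, r.name
    return "block", None, "default deny"


def generic(ports, gateway="FAILOVER-WAN") -> Rule:
    """A 'generic rule' from step 2: whole LAN, fixed ports, WAN group gateway."""
    return Rule(f"generic {sorted(ports)}", str(LAN_NET), frozenset(ports), gateway)


# Step 3 as the poster built it: a per-desktop copy of the generic rule, placed
# before it, with WAN2 as gateway.
DUPLICATED = [
    Rule("desktop web via WAN2", str(DESKTOP), frozenset({80, 443}), "WAN2"),
    generic({80, 443}),
]

# The same ruleset after a new generic FTP rule is added without also adding a
# desktop copy: the desktop's FTP now matches the generic rule and leaves via
# the WAN group rather than WAN2, which is the maintenance problem described.
DUPLICATED_PLUS_FTP = DUPLICATED + [generic({21})]

# The tempting shortcut: one source-only rule for the desktop with WAN2 as the
# gateway.  Because the routing rule is also the pass rule, it allows every
# port for that host, widening the allowed-service set.
SHORTCUT = [
    Rule("desktop any via WAN2", str(DESKTOP), None, "WAN2"),
    generic({80, 443}),
]


def extra_services(rules, host, probe_ports, baseline_ports) -> Set[int]:
    """Ports a host can reach that lie outside the intended baseline set."""
    return {p for p in probe_ports
            if p not in baseline_ports and evaluate(rules, host, p)[0] == "pass"}


if __name__ == "__main__":
    for label, rules in (("duplicated", DUPLICATED), ("shortcut", SHORTCUT)):
        for host in (DESKTOP, OTHER):
            for port in (443, 21):
                print(label, host, port, evaluate(rules, host, port))
    print("extra ports for desktop with shortcut:",
          len(extra_services(SHORTCUT, DESKTOP, range(1, 1024), {80, 443})))
```

Running it shows the two sides of the trade-off: with the duplicated rules the desktop reaches only the baseline ports but every new generic rule needs a second copy, while with the source-only shortcut the desktop is routed correctly but gains every port the generic rules never allowed.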