OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Senjuu on March 08, 2019, 10:33:39 am

Title: Firewall rules not working
Post by: Senjuu on March 08, 2019, 10:33:39 am
I recently switched to OPNsense.
I now set up some firewall rules for LAN, but they are not working as intended.

My rules are in this order

Action | Protocol     | Source  | Port | Destination | Port | Gateway | Schedule | Description
-------|--------------|---------|------|-------------|------|---------|----------|----------------------------
Pass   | IPv4 TCP/UDP | LAN net | *    | Ali         | 443  | *       |          | Allow Https of Ali
Pass   | IPv4 TCP/UDP | LAN net | *    | Ali         | 80   | *       |          | Allow Http of DMZ
Reject | IPv4 *       | LAN net | *    | DMZ net     | *    | *       |          | Deny everything else in DMZ
Pass   | IPv4 *       | LAN net | *    | *           | *    | *       |          | Allow Internet
Pass   | IPv6 *       | LAN net | *    | *           | *    | *       |          | Allow Internet

"Ali" is an alias of type URI(IPs) within DMZ, and DMZ is a third network interface.
The rules result in me being able to surf the internet, but not access the Web-Server running on "Ali".
But when I disable the third rule I am able to access the Web-Server running on "Ali".

Now I am not understanding where I am going wrong.
Title: Re: Firewall rules not working
Post by: RGijsen on March 08, 2019, 10:44:57 am
Check firewall --> log files --> live view, if you want, set up a filter on your DNS address, and connect again. Then you'll see whether opnsense blocks or something else is wrong. Is the DMZ host actually using opnsense as a gateway to get the traffic back?
Title: Re: Firewall rules not working
Post by: Senjuu on March 08, 2019, 10:56:26 am
Yes, it is sending the traffic back; as I stated, I can access it if I disable the reject rule.

When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.
Title: Re: Firewall rules not working
Post by: RGijsen on March 08, 2019, 11:22:13 am
Yes it is sending the traffic back as I stated, that I can access if I disable the reject rule.

When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.

I just re-read your post, and I can't see you state DMZ can actually send back. For a test, what happens if you replace the Ali alias with the actual IP? Please check in firewall --> diagnostics --> pftables and select the ALI alias. Check if there are actually any hosts in there. Just to be sure, did you put IPs or FQDNs in the alias?
Title: Re: Firewall rules not working
Post by: Senjuu on March 08, 2019, 11:36:16 am
In the alias I put the IP. In the pftables there was nothing in the "Ali" alias. After I added the correct IP in the pftables the rules are now working.

But what type shall I select when adding an alias in Firewall => Alias, so that it is correctly added to the pftables?

Title: Re: Firewall rules not working
Post by: Senjuu on March 08, 2019, 08:44:30 pm
Through a coincidence I found which type of alias I should have used.

I should have used "Host(s)" instead of "URI(IP)".
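To show why an empty alias table turns the whole rule set into a reject for the DMZ host, here is an added simulation of top-down, first-match evaluation of the LAN rules from this thread (example code, not from the forum or from OPNsense itself; the DMZ subnet 192.0.2.0/24 and the web server address 192.0.2.10 are constructed values):

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's LAN rule set. OPNsense evaluates rules
# top-down and the first match wins; an alias only matches the addresses
# currently loaded into its pf table.

@dataclass
class Rule:
    action: str            # "pass" or "reject"
    protos: set            # {"tcp", "udp"} or {"any"}
    dst: str               # alias name, "DMZ net", or "*"
    dport: str             # "443", "80" or "*"
    description: str

LAN_RULES = [
    Rule("pass", {"tcp", "udp"}, "Ali", "443", "Allow Https of Ali"),
    Rule("pass", {"tcp", "udp"}, "Ali", "80", "Allow Http of DMZ"),
    Rule("reject", {"any"}, "DMZ net", "*", "Deny everything else in DMZ"),
    Rule("pass", {"any"}, "*", "*", "Allow Internet"),
]

# Constructed addressing: the DMZ network and the web server inside it.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVER = "192.0.2.10"

def dst_matches(rule, dst_ip, tables):
    if rule.dst == "*":
        return True
    if rule.dst == "DMZ net":
        return ipaddress.ip_address(dst_ip) in DMZ_NET
    # Alias: compare against what is actually loaded in the pf table.
    return dst_ip in tables.get(rule.dst, set())

def evaluate(rules, tables, proto, dst_ip, dport):
    """Return (action, description) of the first matching rule."""
    for r in rules:
        if "any" not in r.protos and proto not in r.protos:
            continue
        if r.dport != "*" and r.dport != str(dport):
            continue
        if not dst_matches(r, dst_ip, tables):
            continue
        return r.action, r.description
    return "block", "default deny"

# URI(IP) alias as in the thread loaded nothing; Host(s) loads the address.
EMPTY_ALIAS = {"Ali": set()}
HOST_ALIAS = {"Ali": {WEB_SERVER}}
```

With the empty table, HTTPS to the web server falls through both pass rules and hits the "Deny everything else in DMZ" reject, which is exactly the USER_RULE block seen in the live log; with the host loaded, the first rule matches and traffic passes.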