OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: ictinc on September 06, 2019, 02:11:36 am

Title: Problems on fresh install with rules
Post by: ictinc on September 06, 2019, 02:11:36 am
Hi there,

I'm a long-time user of the other FreeBSD-based firewall. I have, however, decided to migrate my environment to OPNsense. I am quite new to OPNsense, so please bear with me.

I currently have the following setup:
- VMware ESXi with one IPv4
- OPNsense with one IPv4 on the WAN interface
- OPNsense with 4 LAN interfaces (10.1.1.0/24, 10.2.1.0/24, 10.3.1.0/24, 10.4.1.0/24)
- OPNsense OpenVPN on WAN interface (local IPv4 10.5.1.0/24)
- OPNsense DMZ interface with /28 public IPv4 and /64 IPv6
- OPNsense GIF interface for IPv6 tunnel to HE.net
- OPNsense using local Unbound as DNS resolver/forwarder

My hosting provider (Hetzner) routes my /28 IPv4 subnet to the WAN IP.

With the default setup of OPNsense (e.g. no manual rules created), OpenVPN and the IPv6 tunnel, I'm able to connect to OpenVPN and browse the internet. The same goes for clients on LAN01.

For my DMZ hosts however it's totally different, which I expected.
On the DMZ interface I created a rule to allow outbound IPv4 TCP/UDP traffic from the DMZnet to the OPNsense DMZ interface on destination port 53.
I figured that would be enough to have my DMZ hosts resolve internet hostnames, but it wasn't.
After trying lots of different possibilities, I decided to copy the automatically created rules on LAN01:
allow ANY incoming traffic from DMZnet to ANY. This somehow works.

Why is this, though? I would figure that, to let DMZ hosts resolve via Unbound, they would need to be allowed outbound traffic to port 53.

I've come across several similar but different issues in creating rules. While I do get things working, I don't like to use ANY too much, and I'd like to understand what it is that I'm doing wrong.

Any help would be much appreciated.
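The post above contrasts a single "DMZnet to DMZ address, port 53" rule with a catch-all "DMZnet to ANY" rule. The following is an added example, not part of the original post or of OPNsense itself: a small Python model of first-match, default-deny rule evaluation (the semantics OPNsense's pf rules use on an interface) applied to a constructed least-privilege DMZ rule set. All addresses are placeholders (the poster's real /28 and DMZ interface address are not given), and the rule set is a hypothetical one chosen to show what a DMZ host needs beyond DNS to the firewall: explicit egress for the traffic it actually generates, and an explicit block toward the internal LANs, without falling back to ANY.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Tuple

# Constructed placeholder addressing (not from the post).
DMZ_NET = ip_network("203.0.113.16/28")          # stands in for the routed /28
DMZ_IF_ADDR = ip_network("203.0.113.17/32")      # DMZ interface address, where Unbound answers
PRIVATE_NETS = [ip_network("10.0.0.0/8"),        # covers LAN01-04 and the OpenVPN net in the post
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    protos: Tuple[str, ...]     # ("any",) matches every protocol
    src: List[IPv4Network]      # empty list = any source
    dst: List[IPv4Network]      # empty list = any destination
    dports: Tuple[int, ...]     # empty tuple = any destination port
    label: str

    def matches(self, p: Packet) -> bool:
        proto_ok = "any" in self.protos or p.proto in self.protos
        src_ok = not self.src or any(ip_address(p.src) in n for n in self.src)
        dst_ok = not self.dst or any(ip_address(p.dst) in n for n in self.dst)
        port_ok = not self.dports or p.dport in self.dports
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins ("quick" semantics); no match means the
    implicit default deny applies, as on an OPNsense interface."""
    for r in rules:
        if r.matches(p):
            return r.action, r.label
    return "block", "default deny"


def least_privilege_rules() -> List[Rule]:
    """Hypothetical DMZ rule set: DNS only to the firewall's own Unbound,
    explicit web egress, nothing toward the internal networks."""
    return [
        Rule("block", ("any",), [DMZ_NET], PRIVATE_NETS, (), "DMZ to internal nets"),
        Rule("pass", ("tcp", "udp"), [DMZ_NET], [DMZ_IF_ADDR], (53,), "DNS to Unbound on DMZ address"),
        Rule("pass", ("tcp",), [DMZ_NET], [], (80, 443), "web egress"),
    ]


def allow_any_rules() -> List[Rule]:
    """The catch-all the post ended up with: DMZnet to ANY."""
    return [Rule("pass", ("any",), [DMZ_NET], [], (), "allow any")]


# Constructed sample traffic from a DMZ host.
SAMPLE = [
    Packet("udp", "203.0.113.20", "203.0.113.17", 53),   # DNS to the firewall
    Packet("tcp", "203.0.113.20", "198.51.100.5", 443),  # HTTPS to the internet
    Packet("tcp", "203.0.113.20", "10.1.1.10", 443),     # HTTPS into LAN01
    Packet("udp", "203.0.113.20", "8.8.8.8", 53),        # DNS to an external resolver
]

if __name__ == "__main__":
    for name, rules in (("least privilege", least_privilege_rules()),
                        ("allow any", allow_any_rules())):
        print(f"== {name} ==")
        for p in SAMPLE:
            action, label = evaluate(rules, p)
            print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {action} ({label})")
```

Under the least-privilege set, DNS to the firewall and web egress pass, while traffic into LAN01 hits the explicit block and DNS to an external resolver falls through to the default deny; under the catch-all, every packet passes. The point of modelling it this way is that a DNS-only rule does not "break" resolution by itself, but a DMZ host that can resolve names and nothing else will still look broken from the host's side, so each class of traffic the host must generate needs its own pass rule before the implicit deny.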