OPNsense Forum
English Forums => Documentation and Translation => Topic started by: lar.hed on November 30, 2020, 08:13:42 am
-
When I add a new firewall rule, I get the choice of a few predefined variables which I have never found the correct definition for. In my case, for the moment I might add, I am using 4 (out of 8) ports (interfaces) on my OPNsense firewall hardware:
LAN - 192.168.1.1
WAN_FTTH - DHCP ISP
WAN_LTE - DHCP ISP
WORK - 192.168.2.1
As one might assume, I have a Multi-WAN setup, with failover from WAN_FTTH to WAN_LTE when the fiber fails (I did not expect this to happen, but it has, twice in the last 12 months....).
So I have a rule on LAN and WORK to redirect DNS (port 53) to local DNS. Now this is where I started to (over-)think this. What am I to enter into the Destination field? First thought was "This firewall", and well, it does work, on both LAN and WORK. Then for some reason I started to think (again) and changed it to the IP of the interface: LAN = 192.168.1.1 and WORK = 192.168.2.1. LAN worked after this, WORK did not. So for WORK I changed back to "This Firewall" and now it works again....
So, again, I started to think (yes I know, it will always create challenges...): what do the predefined Networks stand for and represent? So a primer for the following would be awesome:
"This Firewall" - is what? 192.168.1.1?
"LAN net" - is anything active on the LAN interface, and if DHCP is active (as it is in my case) somewhere in 192.168.1.10-100?
"LAN address" - is 192.168.1.1?
"Loopback net" - is 127.0.0.1? or?
-
"This Firewall" is an Alias for ALL IPs of the OPNsense on all available interfaces.
"LAN address" correct, OPNsense IP for LAN net
Loopback = localhost (https://docs.opnsense.org/releases/18.7.html?highlight=loopback%20net)
-
"This Firewall" is an Alias for ALL IPs of the OPNsense on all available interfaces.
So just to be over-specific here, "This Firewall" is, in my case, not only 192.168.1.1 (LAN) and 192.168.2.1 (WORK) but also my two WAN interfaces and the DHCP "generated" IP addresses? ???
-
IMHO yes. You could have a combination of
ALLOW "LAN IP of your service machine" "LAN address" HTTPS
BLOCK * "This firewall" HTTPS
to allow only one machine (your service machine) to access the GUI of your OPNsense.
An old trick to access the pfSense GUI was to enter the WAN IP on a LAN machine, but that should not work on OPNsense, as you can specify the listen interfaces for the GUI (as long as you have more than one interface, IIRC).
-
Large Thanks!
Much better now. Still a lot to learn, as always, however this made it much easier!
-
Your "LAN net" must be 192.168.1.0/24 actually...
-
Your "LAN net" must be 192.168.1.0/24 actually...
Yes, of course, .1 to .254. However, my DHCP settings for LAN are .10 to .100 in range.
-
Okay, another question about "This Firewall" then. Learning curve I guess...
I run Multi-WAN, and for that I need a gateway group - nothing special about that. However the DNS rule on my WORK interface (192.168.2.1) needs a destination. If I enter "This Firewall" (as I wrote above) it works. If I enter 192.168.1.1 or 192.168.2.1 it does not work. Anyone who can explain why only "This Firewall" works as destination?
-
Not without having a look at your set of rules.
Have you tried "WORK address"?
And if "LAN address" also works, your two networks are not well separated, I guess.
-
WORK address works - and for the record, currently in my test setup (which btw sits behind another firewall) LAN works also - but that happens to be because currently (give me 5 minutes) there is an allow-all rule there. I'll get rid of it in a few moments...
Thanks chemlund!
-
A kind of new question: Is there anywhere in the OPNsense GUI where one can actually see all these aliases?
If not, could it not be added somehow to Aliases under Firewall?
-
via Console:
less /tmp/rules.debug
There you can see all firewall rules. Just add a rule like allow 1.2.3.4 to This Firewall, then go into rules.debug and grep for 1.2.3.4.
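To make the alias expansions discussed in this thread concrete, here is an added example written for this page (it is not OPNsense code and was not posted by anyone in the thread). It assumes the pf macros that OPNsense writes into /tmp/rules.debug for the built-in aliases: (self) for "This Firewall", (em0) for "LAN address", (em0:network) for "LAN net" and 127.0.0.0/8 for "Loopback net". The interface names, addresses and rule lines below are constructed, so confirm the real expansions against your own rules.debug before relying on them. The simulator evaluates a few packets against the GUI lock-down rules and the DNS rule from the posts above, which shows why a rule whose destination is "LAN address" cannot match DNS traffic that WORK clients send to 192.168.2.1, while "This Firewall" (or "WORK address") does.

```python
"""
Added example: a tiny simulator of the pf address macros OPNsense emits for
its built-in aliases. Everything here (interfaces, addresses, rule lines) is
constructed for illustration; check /tmp/rules.debug for the real thing.
"""
import ipaddress
import re

# Constructed interface inventory. The WAN addresses obtained via DHCP are
# listed too, because "This Firewall" / (self) covers them as well.
INTERFACES = {
    "em0": ipaddress.ip_interface("192.168.1.1/24"),   # LAN
    "em1": ipaddress.ip_interface("192.168.2.1/24"),   # WORK
    "em2": ipaddress.ip_interface("203.0.113.7/24"),   # WAN_FTTH (DHCP, assumed)
    "em3": ipaddress.ip_interface("198.51.100.9/24"),  # WAN_LTE (DHCP, assumed)
    "lo0": ipaddress.ip_interface("127.0.0.1/8"),      # loopback
}


def expand(dest):
    """Expand a pf address macro into the list of networks it stands for.

    (self)         -> every address on every interface ("This Firewall")
    (em0)          -> the interface address only ("LAN address")
    (em0:network)  -> the interface subnet ("LAN net")
    any / literal  -> 0.0.0.0/0 or the literal host/network
    """
    if dest == "(self)":
        return [ipaddress.ip_network(f"{i.ip}/32") for i in INTERFACES.values()]
    m = re.fullmatch(r"\((\w+)(:network)?\)", dest)
    if m:
        iface = INTERFACES[m.group(1)]
        return [iface.network if m.group(2) else ipaddress.ip_network(f"{iface.ip}/32")]
    if dest == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(dest, strict=False)]


def matches(macro, ip):
    """True if the address `ip` falls inside any network the macro expands to."""
    return any(ipaddress.ip_address(ip) in net for net in expand(macro))


# Constructed rule lines in the style of rules.debug (simplified syntax, not an
# exact copy of what OPNsense writes). Rules 1-2 are the GUI lock-down from the
# thread, rules 3-4 the DNS rules on LAN and WORK.
RULES = [
    'pass in quick on em0 inet proto tcp from 192.168.1.50 to (em0) port 443 label "GUI from service machine"',
    'block in quick on em0 inet proto tcp from any to (self) port 443 label "GUI blocked for everyone else"',
    'pass in quick on em0 inet proto udp from (em0:network) to (em0) port 53 label "LAN DNS"',
    'pass in quick on em1 inet proto udp from (em1:network) to (self) port 53 label "WORK DNS"',
]
# The variant from the question: WORK DNS rule with "LAN address" as destination.
WORK_DNS_TO_LAN_ADDRESS = RULES[3].replace("(self)", "(em0)")

RULE_RE = re.compile(
    r'^(?P<action>pass|block) in quick on (?P<iface>\w+) inet proto (?P<proto>\w+) '
    r'from (?P<src>\S+) to (?P<dst>\S+)(?: port (?P<port>\d+))?.*?label "(?P<label>[^"]*)"'
)


def parse(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unparsed rule: " + line)
    return m.groupdict()


def decide(rules, iface, proto, src, dst, dport):
    """Return (action, label) of the first matching 'quick' rule.

    No match is treated as block, mirroring a default-deny ruleset (assumption
    for this simulator, not a statement about every OPNsense configuration).
    """
    for r in map(parse, rules):
        if r["iface"] != iface or r["proto"] != proto:
            continue
        if r["port"] is not None and int(r["port"]) != dport:
            continue
        if matches(r["src"], src) and matches(r["dst"], dst):
            return r["action"], r["label"]
    return "block", "default deny"


if __name__ == "__main__":
    print("(self) expands to", [str(n.network_address) for n in expand("(self)")])
    # WORK client asking the WORK interface for DNS: only (self)/(em1) can match.
    print(decide(RULES, "em1", "udp", "192.168.2.50", "192.168.2.1", 53))
    print(decide([WORK_DNS_TO_LAN_ADDRESS], "em1", "udp", "192.168.2.50", "192.168.2.1", 53))
    # The "old trick": LAN host aiming at the WAN IP still hits (self) and is blocked.
    print(decide(RULES, "em0", "tcp", "192.168.1.60", "203.0.113.7", 443))
```

Two things worth noticing when you run it: "LAN net" is the whole 192.168.1.0/24, so a static host at .200 outside the DHCP pool still matches it, and the block-to-(self) rule catches a LAN host that targets the WAN address, which is exactly what the allow/block pair in the thread is meant to achieve.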
-
less /tmp/rules.debug
Thanks!
(And now I got scared right away - very pleased that this OPNsense is inside another firewall....)
-
It's up to the administrator to make it secure; if you don't set it to one IP alone, it's your decision :)