OPNsense Forum

English Forums => General Discussion => Topic started by: klausneil on April 01, 2016, 07:55:01 pm

Title: Create firewall rule
Post by: klausneil on April 01, 2016, 07:55:01 pm
Hi, I see an attack in my LAN network. First, this attack comes from a Taiwan IP; in my firewall log I see the following (fw.png). Please, can anybody tell me how I can set up my firewall rule to deny this attack? By default the rule is allow all, but if I delete this rule and create these:

LAN
allow from LAN to HTTP
allow from LAN to HTTPS
allow from LAN to DNS
deny all

I don't have a connection. Please help me.
Title: Re: CREATE RULE FIREWALL
Post by: Zeitkind on April 01, 2016, 08:43:15 pm
This is a little bit strange, because in your internal LAN you should not see anything like that - or your setup is broken / open / no NAT. A packet from an external IP should arrive on your external WAN interface and not on your LAN.
Can you give us the IPs of your interfaces (2 to many; e.g. from the router dashboard), like:

Interface List
1. WAN  (DHCP/static/PPPoE)    134.a.b.c
2. LAN    192.168.x.1 / fd69:cafe:affe::1
3. LAN2 192.168.y.1 / fd96:affe:cafe::1
4. DMZ     10.11.12.1
...
Title: Re: CREATE RULE FIREWALL
Post by: klausneil on April 01, 2016, 09:03:15 pm
Well, my public IP I don't know, but for example (190.20.21.22), and my network is 192.168.15.0/25. Is this what you need?

Also, in WAN I created allow access to my mail service, but I created a rule deny ALL.
In my LAN I have configured allow LAN to HTTP, HTTPS, DNS and a proxy rule;
the rest of the LAN is denied with a rule deny ALL.
Title: Re: CREATE RULE FIREWALL
Post by: Zeitkind on April 03, 2016, 01:07:09 am
Also, in WAN I created allow access to my mail service

If you look at your screenshot, you will see that all connections end up at some internal IP:25 - which is SMTP.
But anyway, an SMTP server should be put into a DMZ zone outside any LAN - you should consider changing this. Any straight port forward into a LAN should be seen as a kind of last resort, because breaking this SMTP server means breaking into your LAN.
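As an added illustration of the two designs this reply contrasts (not part of the original thread and not OPNsense's own generated rules): OPNsense builds its pf ruleset from the GUI, but the equivalent hand-written FreeBSD pf rules make the difference explicit. The interface names, the VLAN interface and the mail-server address 192.168.10.25 are assumptions; the LAN and DMZ networks are the ones posted elsewhere in the thread.

```pf
# Assumed names: em0 = WAN, em1 = LAN, em1_vlan100 = DMZ carried as VLAN 100
# over the LAN NIC. The mail-server address 192.168.10.25 is constructed.
ext_if   = "em0"
lan_if   = "em1"
dmz_if   = "em1_vlan100"
lan_net  = "192.168.15.0/25"
dmz_net  = "192.168.10.0/24"
mail_srv = "192.168.10.25"

set skip on lo0

# Default deny with logging: every packet not passed explicitly below is
# dropped. With "quick" rules, the first match wins, as in the OPNsense GUI.
block log all

# Weak design from the thread (kept commented out): SMTP forwarded straight
# into the LAN. Whoever takes over the mail host is then inside the LAN.
# rdr on $ext_if proto tcp to ($ext_if) port 25 -> 192.168.15.25 port 25
# pass in quick on $ext_if proto tcp to 192.168.15.25 port 25 keep state

# Hardened design: forward to a host in the DMZ instead. The rdr rewrites
# the destination before filtering, so the pass rule matches $mail_srv.
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $mail_srv port 25
pass in quick on $ext_if proto tcp from any to $mail_srv port 25 keep state

# This rule is what makes the DMZ a DMZ: nothing in it may open a
# connection to the LAN, even if the mail host is compromised.
block in quick log on $dmz_if from $dmz_net to $lan_net

# The mail host needs only outbound SMTP and DNS to do its job.
pass in quick on $dmz_if proto tcp from $mail_srv to any port 25 keep state
pass in quick on $dmz_if proto { tcp, udp } from $dmz_net to any port 53 keep state

# LAN: the rule set from the first post. The LAN may reach the mail host,
# but the DMZ block above means the mail host cannot reach the LAN.
pass in quick on $lan_if proto tcp from $lan_net to any port { 80, 443 } keep state
pass in quick on $lan_if proto { tcp, udp } from $lan_net to any port 53 keep state
pass in quick on $lan_if proto tcp from $lan_net to $mail_srv port { 25, 143, 587 } keep state
```

Validate a hand-written file with `pfctl -nf <file>` before loading it. On OPNsense itself the generated pf.conf is overwritten on every change, so the equivalent rules belong in the GUI under Firewall: NAT: Port Forward and Firewall: Rules.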
Title: Re: Create firewall rule
Post by: klausneil on April 03, 2016, 01:35:52 am
You are completely right, but I don't have another slot in my PC. Does OPNsense have an option to create a VLAN?
Title: Re: Create firewall rule
Post by: Zeitkind on April 04, 2016, 12:20:55 pm
What do you mean by "slot"? A free PCI(e) slot? A free NIC?

Using a VLAN on your LAN interface for a DMZ is possible, but it needs switches which are able to handle VLAN traffic. You then also need to put your LAN into a different VLAN - which complicates things a lot. VLAN hopping is a security risk, so be sure not to allow untagged frames on a trunk etc. A VLAN configured the wrong way is even worse than your port forward now.
So, tbh, a real physical interface is still the best - and easiest - way for a DMZ. If you don't already have VLANs configured (or never have before), a VLAN for a DMZ might be a big challenge.
Title: Re: Create firewall rule
Post by: klausneil on April 05, 2016, 05:47:24 am
Hi, please help me with this. I tried to configure my OPNsense with a VLAN for a DMZ. My OPNsense has two interfaces (em0, em1); I created a new interface based on my LAN card (em1), this is OPT1. I also created rules in my firewall to allow all traffic, and I also created a DHCP server for OPT1 (192.168.10.0/24). I configured my TRENDnet switch and, in the option "Asymmetric VLAN Setting", set "VLAN Name" as 100 and "Untag VLAN Ports" as ports 01,19 (port 01 is the plug that connects the LAN to the switch), but if I connect a laptop to port 19 it does not receive an IP address. Why is this? Please help; I have tried for 5 days to resolve this but I have no more ideas. Please help me.