OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: cableguy187 on April 28, 2016, 07:23:57 am

Title: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 07:23:57 am
Could someone please clarify the alias setup is the same as PFsense?

I had a Steam port block setup and working with PF using an alias with all of the ports listed.

I duplicated that setup in Opnsense but it will not block, even after resetting states...

I have placed the rule in LAN up the top, just below the anti-lockout rule.

Could someone please point me in the right direction?

Thanks  :D
Title: Re: Blocking ports using alias not working?
Post by: AdSchellevis on April 28, 2016, 08:52:27 am
What does your alias look like (type, content)?
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 08:58:12 am
See screenshot.

I even tried entering the ports as a new rule for 1x host. Steam was still able to connect.

Also, I created a port forward for my CCTV cameras and can access them from the external WAN, but when I turn on Wi-Fi and connect on the LAN side, it doesn't work. I have enabled 'Pure NAT' in the rule options.
Title: Re: Blocking ports using alias not working?
Post by: AdSchellevis on April 28, 2016, 09:00:28 am
Ah, you probably want to remove the source port alias  :)
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 09:12:07 am
Sorry, I don't understand.

If you remove the source port alias, how's it meant to filter the ports?
Title: Re: Blocking ports using alias not working?
Post by: AdSchellevis on April 28, 2016, 09:14:06 am
You're specifying destination ports; the source port is chosen (randomly) at the client side, so this rule will probably never match.
Just try to set the source port to any, leave the destination as it was, and try again.
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 09:26:55 am
Tried it; after killing states to the single host, Steam is still able to connect.

"Also, I created a port forward for my CCTV cameras and can access them from the external WAN, but when I turn on Wi-Fi and connect on the LAN side, it doesn't work. I have enabled 'Pure NAT' in the rule options."

Any ideas about the other question above?
Title: Re: Blocking ports using alias not working?
Post by: AdSchellevis on April 28, 2016, 10:09:07 am
Please try step by step: first you want to block Steam by blocking the ports in your list coming from your LAN network.

This should be a rule which looks something like:

source address (any), source port (any), dest addr (any), dest port (your alias)

Simple test: add ports 80 and 443 to your alias, apply, and see if your LAN web traffic is dropped.

If you want to drop traffic coming from your WAN, create a new rule there doing something similar, using the same or a new alias.

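The point made above (a port alias only filters if it sits on the destination side, because the client picks its source port at random from the ephemeral range) can be shown with a small model of pf's first-match rule evaluation. This is an added example written for this thread, not OPNsense or pf code; the Steam port list, the addresses and the ephemeral range are constructed for illustration, and `broken_ruleset`/`working_ruleset` are hypothetical names for the two rule layouts discussed.

```python
"""Model of first-match rule evaluation with a port alias (constructed example).

Shows why an alias of destination ports placed in the *source port* field of a
block rule never matches traffic from a client, while the same alias in the
*destination port* field does.
"""
import random
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = None  # wildcard, like "any" in the rule editor

# Constructed alias: illustrative destination ports a game client connects to.
STEAM_PORTS: FrozenSet[int] = frozenset({27015, 27016, 27017, 27036})


@dataclass(frozen=True)
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "block" or "pass"
    src_ports: Optional[FrozenSet[int]] = ANY
    dst_ports: Optional[FrozenSet[int]] = ANY


def _port_selected(selector: Optional[FrozenSet[int]], port: int) -> bool:
    """'any' matches everything; otherwise the port must be in the alias."""
    return selector is ANY or port in selector


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_port_selected(rule.src_ports, pkt.src_port)
            and _port_selected(rule.dst_ports, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """First matching rule wins (quick semantics); unmatched traffic gets the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def broken_ruleset() -> List[Rule]:
    """The alias in the source port field: what the original poster had."""
    return [Rule("block", src_ports=STEAM_PORTS)]


def working_ruleset() -> List[Rule]:
    """The alias in the destination port field: source any, dest = alias."""
    return [Rule("block", dst_ports=STEAM_PORTS)]


def client_packet(dst_port: int, rng: random.Random) -> Packet:
    """A LAN client picks an ephemeral source port (IANA range 49152-65535)."""
    return Packet("192.168.1.50", rng.randint(49152, 65535),
                  "203.0.113.10", dst_port)


def count_blocked(rules: List[Rule], dst_port: int, trials: int = 1000) -> int:
    """How many of `trials` connection attempts to dst_port the ruleset blocks."""
    rng = random.Random(42)  # fixed seed so the result is reproducible
    return sum(evaluate(rules, client_packet(dst_port, rng)) == "block"
               for _ in range(trials))


def demo(trials: int = 1000):
    """Returns (blocked by broken ruleset, blocked by working ruleset)."""
    return (count_blocked(broken_ruleset(), 27015, trials),
            count_blocked(working_ruleset(), 27015, trials))


if __name__ == "__main__":
    broken, working = demo()
    print(f"alias as source port:      {broken}/1000 attempts blocked")
    print(f"alias as destination port: {working}/1000 attempts blocked")
```

The "simple test" from the post maps onto the same functions: adding 80 and 443 to the alias in `working_ruleset` makes `evaluate` return "block" for a packet to port 443, while traffic to other ports still passes.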
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 10:56:23 am
Yeah, that's what I have done; the only difference from what you suggest is I am testing on one LAN IP at the moment, not the whole network.
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 11:11:16 am
This worked.
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 11:29:13 am
Quote from: cableguy187 on April 28, 2016, 09:26:55 am
Tried it; after killing states to the single host, Steam is still able to connect.

"Also, I created a port forward for my CCTV cameras and can access them from the external WAN, but when I turn on Wi-Fi and connect on the LAN side, it doesn't work. I have enabled 'Pure NAT' in the rule options."

Any ideas about the other question above?

This above worked with PFSense 2.2.5. I must be missing something; I have looked through my PF configs and have set up OPNSense exactly the same.

If attempting to connect to the public IP from the internal network ( CCTV & alarm system apps ) is there an additional feature I have missed?
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 01:31:02 pm
Fixed the public IP issue.

System/Settings/Firewall-NAT -

One more question. PFSense had an issue with keeping states when a scheduled block was applied. This required a cron task to manually kill off the states after the schedule. How does OPNSense handle states during a schedule change? When are the states cleared? Block or pass?
Title: Re: Blocking ports using alias not working?
Post by: franco on April 28, 2016, 01:36:58 pm
Firewall Schedules are one of the areas we barely touched (GUI only), still queued for an eventual replacement. In this regard I cannot say much about the state of things. I've heard of no issues ever since we started, which may also mean it's not a feature that gets a lot of exposure.

The state should be roughly the same as pfSense 2.2. There's an option for disabling killing states on schedule under System: Settings: Misc, which suggests it's doing the right thing already. Did you verify?

But as I said, this part is not maintained, only curated.
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 28, 2016, 01:44:27 pm
Quote from: franco on April 28, 2016, 01:36:58 pm
Firewall Schedules are one of the areas we barely touched (GUI only), still queued for an eventual replacement. In this regard I cannot say much about the state of things. I've heard of no issues ever since we started, which may also mean it's not a feature that gets a lot of exposure.

The state should be roughly the same as pfSense 2.2. There's an option for disabling killing states on schedule under System: Settings: Misc, which suggests it's doing the right thing already. Did you verify?

But as I said, this part is not maintained, only curated.

Thanks for the reply. I cut over to the new firewall today; still setting up everything. Will set up the schedules and report back.

I do like the interface over the dated PFsense  ;D Way easier to configure.

Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 29, 2016, 12:22:29 pm
I tried the scheduled block and it worked; however, when inverting the rule (set rule to PASS and schedule times to ALLOW), this allowed some services to work but no browsing. I checked the logs and it is blocking 80 & 443 traffic on the associated IP?

Also, states were not broken when the BLOCK rule applied.

Looks like I will still need a cron task to flush states for the IP in the rule?
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on April 30, 2016, 03:12:51 am
I managed to get this working somewhat by creating the BLOCK rule on the WAN with an associated schedule.

Skype and uTorrent still worked after the BLOCK schedule was active.

Is this due to states not being flushed? If so, any suggestions?

I found this: "#4 - AUTO RESET STATES -
pfSense seems hit or miss on this. You set up rules to throttle bandwidth or shut off internet access, but someone doing something a bit meatier like a Skype session will remain connected LONG after the rule went into effect. So, you have to set up a cron job to either reset all states or just reset for a certain ALIAS group. Why isn't that just automatically incorporated into a firewall rule and programmed to comply with the ALIAS of that rule only? Example - Terminate internet access at 11PM for alias - IP ADDRESS GROUP - then a state reset runs and only resets 'IP ADDRESS GROUP' and leaves everyone else untouched. Talk about making the life of an admin easier! High end firewalls terminate when told to terminate. I would think PF and OPN could do this too."

Has this been looked at?
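The behaviour described in the last few posts (Skype and uTorrent surviving a scheduled BLOCK, states "not broken" when the rule flipped) is a consequence of stateful filtering: pf consults the state table before the ruleset, so a flow admitted while PASS was in effect keeps matching its state until that state is removed. The model below is an added example for this thread, not OPNsense or pf code; addresses and ports are constructed, `Firewall`, `activate_block` and `kill_states_for` are hypothetical names, and the per-alias flush it models is the one the quoted feature request asks for.

```python
"""Stateful filtering vs. a block rule that activates later (constructed example).

Models two things from the thread: an existing state lets a flow pass even
after a block rule for that client comes into effect, and flushing only the
states of the alias members restores enforcement without touching other hosts.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Flow:
    """One connection, identified by its 4-tuple."""
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self) -> None:
        self.states: Set[Flow] = set()          # established connections
        self.blocked_sources: Set[str] = set()  # addresses under the scheduled block

    def handle(self, flow: Flow) -> str:
        """Decide on a packet of `flow`: state lookup first, then the ruleset."""
        if flow in self.states:
            return "pass"          # state match short-circuits rule evaluation
        if flow.src in self.blocked_sources:
            return "block"         # block rule applies only to new flows
        self.states.add(flow)      # pass rule with keep state: remember the flow
        return "pass"

    def activate_block(self, addrs: Iterable[str]) -> None:
        """The schedule flips to BLOCK for the alias members."""
        self.blocked_sources |= set(addrs)

    def kill_states_for(self, addrs: Iterable[str]) -> int:
        """Remove only the states involving the given addresses; returns the count.

        The real-world counterpart is killing states per host with pfctl -k,
        here limited to the alias members so other hosts are untouched.
        """
        addrs = set(addrs)
        victims = {s for s in self.states if s.src in addrs or s.dst in addrs}
        self.states -= victims
        return len(victims)


def demo() -> Dict[str, object]:
    """Walk through the scenario from the thread and report each decision."""
    fw = Firewall()
    alias = {"192.168.1.50"}                    # constructed 'IP ADDRESS GROUP'
    skype = Flow("192.168.1.50", 50123, "203.0.113.20", 443)
    other = Flow("192.168.1.77", 50999, "198.51.100.5", 443)

    fw.handle(skype)                            # established before the schedule
    fw.handle(other)                            # another host, also established

    fw.activate_block(alias)                    # 11PM: block rule becomes active
    result = {
        "existing_flow_after_block": fw.handle(skype),     # still passes on state
        "new_flow_after_block": fw.handle(
            Flow("192.168.1.50", 50124, "203.0.113.20", 443)),  # no state: blocked
    }
    result["states_killed"] = fw.kill_states_for(alias)    # flush alias members only
    result["existing_flow_after_kill"] = fw.handle(skype)  # re-evaluated: blocked
    result["other_host_untouched"] = fw.handle(other)      # its state survived
    return result


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:28s} -> {outcome}")
```

Run as a script it prints the five decisions in order; the sequence is exactly the one the poster observed, with the difference that the flush is scoped to the alias rather than to the whole state table.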
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on May 01, 2016, 12:32:33 am
Anyone?

I hope there is a way to flush states or I will have to revert back to PFSense.
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on May 02, 2016, 09:46:24 pm
Unfortunately I have reverted back to PFSense.

I did find OPNSense good, well polished and easier to navigate.

Hopefully with the new update my issues are addressed and resolved.
Title: Re: Blocking ports using alias not working?
Post by: cableguy187 on November 05, 2016, 01:48:46 pm
Any update on flushing states?
Title: Re: Blocking ports using alias not working?
Post by: phoenix on November 05, 2016, 01:53:14 pm
If you think this is a problem then I'd suggest your best course of action would be to file a bug report on github: https://github.com/opnsense/