OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: chubbymomo on January 12, 2023, 11:12:12 pm

Title: Block firewall rule seems to be ignored in favor of "default" pass firewall rule
Post by: chubbymomo on January 12, 2023, 11:12:12 pm
Edit: It has come to my attention that this is not the correct sub-forum to post issues to... I'm sorry for that; I can't find the ability to delete this or move it over, so I guess it'll stay here.

Hello, I have recently gotten into the whole custom router business. I am attempting to segment my network in a pretty typical way (DMZ, LAN, WAN) because I intend to expose services to the public through the DMZ. I have a VLAN (DMZ) that has, as a client, the server that will run the public services. When I started adding firewall rules, I began by copying the default LAN rules to allow access to the internet. Then I created the following rule:

Action: Block
Interface: DMZ
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: DMZ net
Destination: LAN net
Description: Block outbound traffic to LAN

This rule is before the rules I cloned over from LAN. I have also attempted to create a similar rule on LAN that instead blocks anything from the source DMZ net.

Using telnet (on port 9443, a test server) from a client on DMZ to a client on LAN, it is able to connect. I then disable the rules that were copied over from LAN, and it performs as intended, with the exception of having no internet access.

"Default" rules copied over from LAN just in case:

Action: Pass
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: *
Description: Default allow DMZ to any rule

Action: Pass
Interface: DMZ
TCP/IP Version: IPv6
Protocol: any
Source: DMZ net
Destination: *
Description: Default allow DMZ IPv6 to any rule

If it helps, I used "Live View" underneath Log Files and the only rule that was activating was "let out anything from firewall host itself". As far as I know, activating that rule is default behavior, so it seems as if the rule I created is not being triggered at all.

I attempted to solve this issue by myself for the better portion of two days (reading documentation and searching alternative sources like these forums). I am sorry if this has been solved a million times before. If you need any more information on how I have the network set up, please ask.

Edit: I solved it... I attempted to use the live view and basically copy how the packet was sent, then create a block rule for that. The issue was entirely me misunderstanding "in" and "out". I just had to turn the rule that I had created on LAN to out and it worked.

Title: Re: Block firewall rule seems to be ignored in favor of "default" pass firewall rule
Post by: EdwinKM on January 14, 2023, 09:54:53 am
Can you add pictures? If I understand correctly, you made a common mistake. Block at the incoming (physical) port. So at the DMZ interface you block access to LAN. You do not create this block at the LAN interface page.

It is also conventional to create an RFC1918 alias to block all local IPs. So, at the DMZ interface you block destination RFC1918. The advantage: if you create an extra network in the future, it is blocked automatically.
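Added example for the two posts above (an editor's illustration, not code from either poster and not OPNsense code): a small Python model of how pf, the packet filter behind OPNsense, sees a forwarded packet on each interface it crosses, in each direction. The subnets, host addresses and the GUEST interface are assumptions; the two built-in rules it falls back on mimic OPNsense's default deny and the "let out anything from firewall host itself" rule named in the first post. Running it shows why a block left at direction "in" on the LAN tab never matches DMZ-to-LAN traffic, why flipping it to "out" or moving it to the DMZ tab above the pass-to-any rule does, why the order on the tab matters, and why an RFC1918 alias also covers a network added later.

```python
"""Toy model of how OPNsense (pf) interface rules see a forwarded packet.

Added example for this thread, not OPNsense code. It models only the points
raised above: a rule lives on an interface tab and has a direction ("in" =
entering the firewall on that interface, the GUI default; "out" = leaving it),
a DMZ-to-LAN packet enters on DMZ and leaves on LAN, and rules on a tab are
read top to bottom with the first match winning (rules are "quick" by default).
Subnets, hosts and the GUEST interface are made up (assumptions).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology: the subnet behind each interface ("LAN net", "DMZ net" in the GUI).
NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.50.0/24"),
    "GUEST": ip_network("10.0.30.0/24"),  # a VLAN added later, to show the alias point
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = None  # "*" in the GUI


@dataclass
class Rule:
    iface: str            # interface tab the rule is created on
    direction: str        # "in" or "out"
    action: str           # "pass" or "block"
    src: Optional[list]   # list of networks, or ANY
    dst: Optional[list]
    descr: str


def iface_for(ip):
    """Stand-in for the routing table: which interface reaches this address."""
    for name, net in NETS.items():
        if ip in net:
            return name
    return "WAN"


def matches(ip, nets):
    return nets is ANY or any(ip in n for n in nets)


def evaluate(rules, src_ip, dst_ip):
    """Push one packet through the firewall; return (verdict, matching rule description).

    Leg 1: the packet enters on the source's interface (direction "in").
    Leg 2: it leaves on the destination's interface (direction "out").
    A block on either leg drops it. Where nothing matches, the model applies
    OPNsense's built-in defaults: deny inbound, pass outbound via the
    "let out anything ..." rule (the only rule the poster saw in Live View).
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    passed_by = None
    for iface, direction in ((iface_for(src), "in"), (iface_for(dst), "out")):
        hit = next((r for r in rules
                    if r.iface == iface and r.direction == direction
                    and matches(src, r.src) and matches(dst, r.dst)), None)
        if hit is None:
            if direction == "in":
                return "block", "Default deny / state violation rule"
            hit = Rule(iface, "out", "pass", ANY, ANY,
                       "let out anything from firewall host itself")
        if hit.action == "block":
            return "block", hit.descr
        passed_by = hit.descr
    return "pass", passed_by


# The cloned "Default allow DMZ to any rule" from the thread.
DMZ_PASS = [Rule("DMZ", "in", "pass", [NETS["DMZ"]], ANY, "Default allow DMZ to any rule")]

# Candidate block rules discussed in the thread.
LAN_IN_BLOCK = Rule("LAN", "in", "block", [NETS["DMZ"]], ANY, "Block DMZ net on LAN (in)")
LAN_OUT_BLOCK = Rule("LAN", "out", "block", [NETS["DMZ"]], ANY, "Block DMZ net on LAN (out)")
DMZ_BLOCK_LAN = Rule("DMZ", "in", "block", [NETS["DMZ"]], [NETS["LAN"]], "Block outbound traffic to LAN")
DMZ_BLOCK_RFC1918 = Rule("DMZ", "in", "block", [NETS["DMZ"]], RFC1918, "Block DMZ net to RFC1918")

DMZ_HOST, LAN_HOST, GUEST_HOST, INTERNET = "192.168.50.20", "192.168.1.10", "10.0.30.5", "203.0.113.9"


def scenarios():
    """Rule sets as ordered on the tabs, each pushed through with one packet."""
    return {
        "lan tab, direction in (never matches)": evaluate(DMZ_PASS + [LAN_IN_BLOCK], DMZ_HOST, LAN_HOST),
        "lan tab, direction out (poster's fix)": evaluate(DMZ_PASS + [LAN_OUT_BLOCK], DMZ_HOST, LAN_HOST),
        "dmz tab, block above pass (EdwinKM)": evaluate([DMZ_BLOCK_LAN] + DMZ_PASS, DMZ_HOST, LAN_HOST),
        "dmz tab, block below pass (wrong order)": evaluate(DMZ_PASS + [DMZ_BLOCK_LAN], DMZ_HOST, LAN_HOST),
        "LAN net rule misses a later VLAN": evaluate([DMZ_BLOCK_LAN] + DMZ_PASS, DMZ_HOST, GUEST_HOST),
        "RFC1918 alias catches the later VLAN": evaluate([DMZ_BLOCK_RFC1918] + DMZ_PASS, DMZ_HOST, GUEST_HOST),
        "RFC1918 alias still lets internet out": evaluate([DMZ_BLOCK_RFC1918] + DMZ_PASS, DMZ_HOST, INTERNET),
        "no pass rule at all (default deny)": evaluate([], DMZ_HOST, INTERNET),
    }


if __name__ == "__main__":
    for name, (verdict, descr) in scenarios().items():
        print(f"{verdict:5}  {name}: {descr}")
```

The model deliberately ignores state tracking and floating rules; on a real box an already-established state lets a connection keep flowing after a block rule is added, so test with a fresh connection (or reset states) when checking a new rule.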