OPNsense Forum

English Forums => General Discussion => Topic started by: ricksense on August 14, 2023, 06:07:43 pm

Title: Port forwarding and linked rule for DNS redirect. Why linked rule
Post by: ricksense on August 14, 2023, 06:07:43 pm
Hi everyone,

I set two networks (LAN and GUEST) on OPNsense 23.1.11, each on its own interface/subnet (no VLANs). I also set redirect DNS rules for both in NAT -> Port Forward:

(https://i.ibb.co/HpW2S49/port-forward.jpg) (https://ibb.co/Pz7YLjV)


They seem to be working but, since I am still new to OPNsense, there is something I haven't understood.

1) First of all, why was the Guest one set as a "linked rule", and the LAN one not?

2) In fact, in FIREWALL -> RULES -> GUEST a rule was automatically created, while in RULES -> LAN it was not. Strange, why?

(https://i.ibb.co/Ntz2qWM/lan-rule.jpg) (https://ibb.co/vV84WLS)

As I said, they both work. Here is the log for the GUEST subnet dns redirect:

(https://i.ibb.co/2hrrz1J/rdr.jpg) (https://ibb.co/Syggk4S)

Could anyone please help figure it out?

Thanks

Title: Re: Port forwarding and linked rule for DNS redirect. Why linked rule
Post by: CJ on August 15, 2023, 03:08:33 pm
What does the Filter Rule Association field say for each of your Port Forwards?
Title: Re: Port forwarding and linked rule for DNS redirect. Why linked rule
Post by: ricksense on August 15, 2023, 07:17:50 pm
What does the Filter Rule Association field say for each of your Port Forwards?

Oh, that field:

(https://images2.imgbox.com/0d/0b/Owq62hEV_o.jpg) (https://imgbox.com/Owq62hEV)

I set it to None now, and the filter rule in the GUEST rules has disappeared.
Anyway, it is more about understanding what it is for and the pros and cons of it.

Thanks
Title: Re: Port forwarding and linked rule for DNS redirect. Why linked rule
Post by: Patrick M. Hausen on August 15, 2023, 08:23:25 pm
Normally you would set it to "pass", because you want that port forward to be allowed. Choosing a dedicated firewall rule instead of "pass" lets you set more granular policies if you intend to do so.
Title: Re: Port forwarding and linked rule for DNS redirect. Why linked rule
Post by: ricksense on August 15, 2023, 08:39:13 pm
Normally you would set it to "pass", because you want that port forward to be allowed. Choosing a dedicated firewall rule instead of "pass" lets you set more granular policies if you intend to do so.

That is the point.
Why should I set a port forward to allow access to my webserver running on my LAN and, at the same time, set the related firewall LAN rule to something other than PASS?
What would be a meaningful example of a granular policy?
Thank you
Title: Re: Port forwarding and linked rule for DNS redirect. Why linked rule
Post by: Patrick M. Hausen on August 15, 2023, 08:58:52 pm
Only allowing the access at certain times?
Only allowing certain source IP addresses (OK, that can already be done in the NAT port forwarding rule)

Any combination of any idea like these you can come up with.
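As an added illustration, not from this thread or from the OPNsense project, here is what the two settings of the Filter Rule Association field amount to in the pf rules that OPNsense generates underneath, written by hand in pf.conf syntax; interface name, addresses and the single host address are constructed for the example.

```pf
# Constructed macros for the GUEST interface of this example.
guest_if  = "igb1"
guest_net = "192.168.20.0/24"
guest_gw  = "192.168.20.1"    # the firewall's own address on GUEST, where Unbound listens

# --- Variant A: Filter rule association = "Pass" ---
# "rdr pass" rewrites the destination AND lets the translated packet through,
# so no separate filter rule is consulted for this traffic.
rdr pass on $guest_if inet proto { tcp udp } from $guest_net to any port 53 \
    -> $guest_gw port 53

# --- Variant B: Filter rule association = "Add associated filter rule" ---
# (use A or B, not both). The rdr only rewrites the destination; the packet is
# then filtered against the TRANSLATED address, so a separate pass rule is
# needed. This is the "linked rule" that appears under Firewall -> Rules -> GUEST.
rdr on $guest_if inet proto { tcp udp } from $guest_net to any port 53 \
    -> $guest_gw port 53

# Linked rule, as narrow as you like. Here: only the guest network, only to the
# redirected resolver, logged so you can see which clients use a hard-coded DNS.
pass in log quick on $guest_if inet proto { tcp udp } \
    from $guest_net to $guest_gw port 53 keep state

# A more granular policy (one of the ideas mentioned above): redirect everyone,
# but only let one constructed host actually reach the resolver; everything else
# that was redirected is dropped and logged.
# pass in log quick on $guest_if inet proto { tcp udp } \
#     from 192.168.20.50 to $guest_gw port 53 keep state
# block in log quick on $guest_if inet proto { tcp udp } \
#     from $guest_net to $guest_gw port 53
```

Time-based restrictions have no pf.conf equivalent; OPNsense implements schedules by enabling and disabling the linked rule itself, which is another reason a separate filter rule can be preferable to "pass".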
Title: Re: Port forwarding and linked rule for DNS redirect. Why linked rule
Post by: ricksense on August 16, 2023, 06:40:56 am
The more I practice with OPNsense, the more it will make sense, I guess.
I mean, I will probably run into situations where this feature might come in handy.
Thanks