OPNsense Forum

English Forums => General Discussion => Topic started by: jr82 on October 24, 2016, 08:49:39 pm

Title: firewall rules: LAN
Post by: jr82 on October 24, 2016, 08:49:39 pm
Why do I have to create a rule in the LAN tab and set the destination to "any" to get an internet connection? If I change the destination or delete the rule I have not been able to get through to the internet. I have tried many different settings in other parts of OPNsense, but no luck.

The only Service I am running is the DHCP Server.
Title: Re: firewall rules: LAN
Post by: fabian on October 24, 2016, 09:00:34 pm
Can you add more details, please? Nobody can help you without knowing your rules. For example, which destination? Did you think about other protocols you may need too (DNS, for example, for name resolution)?
Title: Re: firewall rules: LAN
Post by: jr82 on October 24, 2016, 09:41:59 pm
Thank you for your reply... I have uploaded some images of settings.
Title: Re: firewall rules: LAN
Post by: Zeitkind on October 24, 2016, 09:59:14 pm
Why do I have to create a rule in the LAN tab and set the destination to "any" to get an internet connection?

Most serious firewalls disable any connection (in AND out) by default and you have to enable it by e.g. such a rule.
Most SOHO plastic routers have a similar rule but you never see it (allow LAN to any) and can't disable it - which is not a good idea in controlled environments like schools, companies and such.
It's just a matter of default presets.
Title: Re: firewall rules: LAN
Post by: jr82 on October 24, 2016, 10:17:50 pm
I do understand that, but why can't it be set to "WAN address" or "WAN net"? Why does it have to be "any"?
Title: Re: firewall rules: LAN
Post by: Zeitkind on October 25, 2016, 01:13:42 am
WAN/WAN net is not equal to "the Internet", it is - in terms of IP addresses - only the WAN IP address or the local WAN network (which is normally something like 1 to several IPs).
"The Internet" uses millions of different subnets. If you want LAN to access "the internet", you have to allow access to _every_ subnet that is used in the internet.. which is quite a bunch of rules... ^^
Or you simply use "any" (or 0.0.0.0, which means the same and is used in e.g. routing).
Title: Re: firewall rules: LAN
Post by: jr82 on October 25, 2016, 02:46:56 am
I guess I am not understanding the terms "LAN net", "WAN net", "LAN Address", "WAN Address", "Any". I know what my LAN network address(es) is/are, and I know what my WAN address is, and I am guessing LAN net is equal to my LAN network address 192.168.1.0/24, so I thought that "WAN net" would give me access to the outside world. It would seem in the NAT setup that the "WAN Address" setting does allow you to access the outside world, so I thought I could apply the same logic to the Rules. But, it is clear that the terms do not relate.

If someone could point me in the direction of the meaning of these terms in relation to OPNsense and its settings it would be very helpful. I would like to make sure I have my settings correct.
Title: Re: firewall rules: LAN
Post by: Zeitkind on October 25, 2016, 04:04:48 am
An IP network is described - more or less - by 2 things: an IP address and a subnet mask.
Normally, a typical LAN network is e.g. 192.168.2.0/24 and has e.g. 192.168.1.1 as default gateway (the /24 also says that .255 is broadcast and .0 is "the net itself", therefore you can't use .0 or .255 in a normal /24 (= 255.255.255.0) LAN). So a host may have the IP 192.168.1.65 as its LAN address and the LAN net(work) will be 192.168.1.0/24.
These 2 things are true for every network, no matter how large or small they are, also for point-to-point networks, which only have an IP address and a subnet mask but no broadcast and network address. So, a PPP dialup connection will have an IP address (= WAN IP address) and a WAN network - which is in this case normally 255.255.255.255 = only 1 IP address and is therefore often forgotten/ignored. Other types of WAN connections may use other subnet masks like 255.255.255.248 and if your WAN IP address is 20.30.40.50, the WAN net(work) will be 20.30.40.48 (network) to 20.30.40.55 (broadcast) or 20.30.40.48/29.
So, the alias "WAN net" will only be useful if you have more than one IP on your local WAN network and you want to e.g. define a rule for other local hosts inside this network, i.e. 20.30.40.49/51/52/53/54. Most connections use PPP(oE/A) or DHCP and will not have a useful "WAN net" (because it will be the same as the 1 IP address).

Or, in short: the $interface net = the network defined by the $interface's network mask
"any" is just what anyone would suggest: any IP address (often written as 0.0.0.0), so, in case of your firewall, LAN net + WAN net + $any_other_interface net + every other IP outside your network + any special network ranges like 10.0.0.0/8, 224.0.0.0/8 etc.
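The address/mask arithmetic from the post above, worked through in Python's standard ipaddress module as an added example (this is not code from the thread or from OPNsense). The /24 and /29 values are the ones used in the post; the /32 "PPP" address and the public destination 198.51.100.20 are constructed from the documentation ranges. It derives the "$interface net" alias for each interface and then shows which of those nets actually contain a given destination, which is why a public address matches only "any":

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed interface table for a hypothetical OPNsense box (not the poster's real setup).
# LAN and WAN values are the ones used in the post; the PPP /32 address is made up
# from the documentation range 203.0.113.0/24.
INTERFACES = {
    "LAN":     ("192.168.1.65", "255.255.255.0"),     # /24 home-style LAN
    "WAN":     ("20.30.40.50",  "255.255.255.248"),   # /29 handed out by the ISP
    "WAN_PPP": ("203.0.113.7",  "255.255.255.255"),   # /32 point-to-point style WAN
}

ANY = ip_network("0.0.0.0/0")   # what the GUI's "any" means: every IPv4 address


def interface_net(addr, mask):
    """The '$interface net' alias: the subnet the interface address lives in."""
    return ip_interface(f"{addr}/{mask}").network


def describe(addr, mask):
    """Derive network, broadcast and usable host range from an address plus mask."""
    net = interface_net(addr, mask)
    if net.prefixlen >= 31:
        # Point-to-point style masks (/31, /32): no separate network/broadcast
        # address, every address in the block is a host address.
        hosts = list(net)
        broadcast = None
    else:
        hosts = list(net.hosts())   # drops the network (.0) and broadcast (.255) addresses of a /24
        broadcast = str(net.broadcast_address)
    return {
        "address": addr,
        "network": str(net),
        "broadcast": broadcast,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_count": len(hosts),
    }


def which_nets(dest):
    """Names of the interface nets (plus 'any') that contain a destination address."""
    dest = ip_address(dest)
    hits = [name for name, (a, m) in INTERFACES.items() if dest in interface_net(a, m)]
    if dest in ANY:
        hits.append("any")
    return hits


if __name__ == "__main__":
    for name, (a, m) in INTERFACES.items():
        print(name, describe(a, m))
    # A public host sits in none of the interface nets, only in "any":
    print(which_nets("198.51.100.20"))   # ['any']
    # A neighbour on the ISP's /29 is the only thing "WAN net" would ever match:
    print(which_nets("20.30.40.53"))     # ['WAN', 'any']
```

Running it shows the /29 case resolving to network 20.30.40.48, broadcast 20.30.40.55 and six usable hosts, the /32 case collapsing to a single address with no broadcast, and the public destination matching nothing but "any".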
Title: Re: firewall rules: LAN
Post by: jr82 on October 25, 2016, 05:12:34 am
Thank you for the large write up!
Most of what you said reaffirmed what I already know. Although, some of the info about connections and WAN addresses I did not know.

So .... this would be true?

LAN Address = 192.168.1.X
LAN net = 192.168.1.0/24
WAN address = (from ISP) +connects you to outside world or just outside your router+
WAN net = (IPs from networks outside your router or ISP) +connects you to outside your router+
any = all of the above

If this is true I should be able to use - WAN address, WAN net, or Any
Title: Re: firewall rules: LAN
Post by: fabian on October 25, 2016, 03:57:27 pm
No, WAN net is the network used for your WAN connection, but it does NOT include any network behind the next router (just the directly connected network).
Title: Re: firewall rules: LAN
Post by: jr82 on October 26, 2016, 03:06:08 am
I know what you're saying... But I am talking in terms of reaching outside my internal network (LAN). If WAN = the address from your ISP "The Internet" and net = a group of addresses, then you would think that the "WAN net" would = a group of WAN addresses including your ISP's - if your ISP's given address is connected to the WAN port.

Anyways, I would like to get back to the question... You can correct me all day and I am sure you could do it all night but if I had your knowledge on the subject I probably would not be asking the question.

[Why do I have to create a rule in the LAN tab and set the destination to "any" to get an internet connection?]

Let's assume all other settings are at default.

Title: Re: firewall rules: LAN
Post by: fabian on October 26, 2016, 08:45:26 am
Because you do not know the exact destination. The only thing you know is that if it is in the internet, it is not an RFC 1918 IPv4 address.
You can create an alias containing all your networks and create a rule which allows traffic to any address, which is not in this alias (which then should be the rest of the world).

You can also use an alias for specific domain names so you can allow traffic to only this site (but the others are still blocked).
Rules depend on your policy and if it says that you are not allowed to communicate to the internet, you will write rules that block any traffic to the internet. Firewalls usually use whitelisting, so if you do not say something different, it is not allowed. If you want to talk to any server in the internet, you will need a pass rule that allows talking to any server in the internet.
Title: Re: firewall rules: LAN
Post by: jr82 on October 26, 2016, 08:20:07 pm
Ok... I thought "Rules > LAN tab" was used to control any LAN address (192.168.X.X/24) to anything including the internet (ISP) and internal network (My Network). I also thought the "Rules > WAN tab" controlled anything coming in the same way.

I was going to create 2 different rules... One controlling LAN (My Network) to LAN (My Network) and one controlling LAN (My Network) to the internet (ISP)

I thought using Alias to create Rules worked the same way, but that you could fine tune the addresses you wanted to associate to that rule.

------------

At this point I am starting to second guess all of my settings including my Traffic Shaper settings. Although, the information in the help file seems to be pretty straightforward. I am pretty sure Outbound and Port Forward settings are right because I only get the effect I want when they are enabled (Gaming) - I don't use UPnP.

I have read plenty of info from the help file and posts from this blog that has helped me set most settings, I think, but I was unable to find anything on this one setting, so that is why I asked.

Title: Re: firewall rules: LAN
Post by: fabian on October 26, 2016, 08:50:29 pm
If you define a rule in an interface tab, it will add a match to check if the packet comes in on this interface. The network is usually one you get with the alias. The only exception would be if one or more routes are in this network with source NAT disabled. If this is the case, you will have to add static routes or install and configure a routing daemon.
Title: Re: firewall rules: LAN
Post by: jr82 on October 26, 2016, 10:16:50 pm
well, thank you for responding to my question.

The only thing that works seems to be "Any", so I guess I am just going to leave it because I am happy with my other settings and feel that I have a good understanding of them. Also I have tried lots of completely different setups to the same effect.

I really enjoy OPNsense and the fact that it has a very active community and the most attractive interface on the block.
Title: Re: firewall rules: LAN
Post by: remd on November 02, 2017, 05:10:44 pm
If you just want the interface to go out, set a rule to deny access to any other subnet/interface except WAN (you can set an alias or group) just above the "to Any" rule and it will only allow going out. In addition you can set some specific rules on top of these if you'd like to allow some access to other interfaces.
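Both suggestions in this thread (fabian's "pass to anything that is not in a private-networks alias" and remd's "block the other subnets just above the LAN-to-any rule") come down to first-match rule ordering with aliases. The following is an added example, not code from the thread or from OPNsense: a small Python model of how such a LAN ruleset is evaluated, using a constructed topology (192.168.1.0/24 as LAN, 192.168.2.0/24 as a second internal interface, 192.168.1.1 as the firewall's own LAN address; the "PrivateNets" alias name is an assumption). It models OPNsense's default "quick" behaviour, where the first matching rule decides, and the implicit default deny when nothing matches. It also shows the caveat fabian hinted at earlier: if you deny everything private, the clients can no longer reach the firewall's own resolver on the LAN address unless a DNS rule sits above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology (not the poster's real setup): a LAN, a second internal
# interface (DMZ) and the firewall's own LAN address where its DNS resolver listens.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.2.0/24")
FIREWALL_LAN_ADDRESS = ip_network("192.168.1.1/32")
ANY = ip_network("0.0.0.0/0")
# fabian's alias idea: all RFC 1918 ranges; "not this alias" is then the rest of the world.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: List                       # source alias (list of networks)
    dst: List                       # destination alias (list of networks)
    dst_inverted: bool = False      # the GUI's "invert" (not) checkbox on the destination
    dport: Optional[int] = None     # None = any destination port
    comment: str = ""


def in_alias(addr, nets):
    return any(addr in net for net in nets)


def matches(rule, src, dst, dport):
    if not in_alias(src, rule.src):
        return False
    dst_hit = in_alias(dst, rule.dst)
    if rule.dst_inverted:
        dst_hit = not dst_hit
    return dst_hit and (rule.dport is None or rule.dport == dport)


def evaluate(rules, src, dst, dport=443):
    """First matching rule wins (OPNsense GUI rules are 'quick' by default);
    a packet no rule matches hits the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action, rule.comment
    return "block", "default deny (no rule matched)"


# Clients still need the firewall's own resolver, which lives inside a private net,
# so both rulesets start with an explicit DNS rule.
DNS_TO_FIREWALL = Rule("pass", [LAN_NET], [FIREWALL_LAN_ADDRESS], dport=53, comment="LAN -> firewall DNS")

# fabian's approach: pass LAN -> anything that is NOT in the private-nets alias.
FABIAN_STYLE = [
    DNS_TO_FIREWALL,
    Rule("pass", [LAN_NET], PRIVATE_NETS, dst_inverted=True, comment="LAN -> !PrivateNets"),
]

# remd's approach: block the other internal net, then the usual "LAN to any" rule below it.
REMD_STYLE = [
    DNS_TO_FIREWALL,
    Rule("block", [LAN_NET], [DMZ_NET], comment="LAN -> DMZ blocked"),
    Rule("pass", [LAN_NET], [ANY], comment="LAN -> any"),
]

# Same rules, wrong order: "LAN -> any" matches first and the block rule is never reached.
WRONG_ORDER = [DNS_TO_FIREWALL, REMD_STYLE[2], REMD_STYLE[1]]


if __name__ == "__main__":
    probes = (("198.51.100.20", 443), ("192.168.2.10", 443), ("192.168.1.1", 53), ("192.168.1.1", 443))
    for name, rules in (("fabian", FABIAN_STYLE), ("remd", REMD_STYLE), ("wrong order", WRONG_ORDER)):
        for dst, port in probes:
            print(f"{name:12} 192.168.1.50 -> {dst}:{port}", evaluate(rules, "192.168.1.50", dst, port))
```

In both correct rulesets a public destination passes and the DMZ is blocked, but they differ on the firewall's own LAN address: fabian's style only lets port 53 through (everything else to 192.168.1.1 is private and so falls to default deny), while remd's style passes it via the "LAN -> any" rule. The WRONG_ORDER set demonstrates why remd says the deny must sit above the "to Any" rule.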
Title: Re: firewall rules: LAN
Post by: tiji on August 23, 2018, 10:55:23 am
Why do I have to create a rule in the LAN tab and set the destination to "any" to get an internet connection?

Most serious firewalls disable any connection (in AND out) by default and you have to enable it by e.g. such a rule.
Most SOHO plastic routers have a similar rule but you never see it (allow LAN to any) and can't disable it - which is not a good idea in controlled environments like schools, companies and such.
It's just a matter of default presets.

If we want to use the transparent proxy, enabling only the "firewall IP address to any" rule is also not working.
If we enable the "LAN to Any" rule, some programs like ultrasurf will bypass the proxy/firewall. Could you please give some suggestions to tackle this situation?