OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Julien on August 08, 2017, 09:51:08 pm

Title: Rules for LAN
Post by: Julien on August 08, 2017, 09:51:08 pm
Dear All,
we have the attached rules applied to the LAN,
however the users can't browse to the internet.
We are using an HTTP proxy.
When I create an any-to-any rule at the top of everything, the internet starts working.
Can you advise how to get those rules applied and fixed?

Title: Re: Rules for LAN
Post by: whitwye on August 08, 2017, 10:05:46 pm
Looks like you've got source ports set, where you should instead have destination ports set. An HTTP connection, for instance, can have anything as a source port. But it will have port 80 as the destination port.
Title: Re: Rules for LAN
Post by: Julien on August 08, 2017, 10:49:10 pm
Quote
Looks like you've got source ports set, where you should instead have destination ports set. An HTTP connection, for instance, can have anything as a source port. But it will have port 80 as the destination port.

I am not sure I got you.
Do you mean specify the ports and not the service?
Like HTTP needs to use 80?
Title: Re: Rules for LAN
Post by: whitwye on August 08, 2017, 10:55:11 pm
Ports and services are the same thing. So "port 80" and "HTTP" mean the same thing, for instance. But the port applies to the service on the server, not the port the client is coming from. You've got it set so that the client will have to come from port 80 or 443 or whatever to be allowed out. What you want to do instead is set it so that it will allow outgoing traffic from any client port, as long as the destination port is 80 or 443 or whatever remote services you want to allow connections to.
Title: Re: Rules for LAN
Post by: Julien on August 09, 2017, 01:00:07 am
Quote
Ports and services are the same thing. So "port 80" and "HTTP" mean the same thing, for instance. But the port applies to the service on the server, not the port the client is coming from. You've got it set so that the client will have to come from port 80 or 443 or whatever to be allowed out. What you want to do instead is set it so that it will allow outgoing traffic from any client port, as long as the destination port is 80 or 443 or whatever remote services you want to allow connections to.

Do you mean I need to change LAN net to any?
I want to apply those rules on the LAN interface.
Title: Re: Rules for LAN
Post by: Ciprian on August 10, 2017, 03:43:46 pm
Your rules from the images should be like below:

INT / Source  / Source Port / Destination / Destination Port / Gateway
LAN / Lan Net / *           / *           / 80 (HTTP)        / *
LAN / Lan Net / *           / *           / 443 (HTTPS)      / *
...
...
...
LAN / Lan Net / *           / *           / 587 (SUBMISSION) / *

Meaning, in most cases you do the port/service filtering on the destination port, as the source port is randomly chosen and is not the same as the service port.

PS I don't mean to offend you, but this is pretty basic (ABC), and as you can see, other people around already gave you this solution, but without examples (as being quite basic stuff, they must have thought it was just a small "typo"/ misplacement!). Are you sure you know what you're doing? Since you said it involves users, and proxies, and so on and so forth, I guess it's about a production environment... If so, maybe someone with deeper knowledge/ experience (better both) might be much more appropriate for a production environment; should you maybe ask for help from a local IT guy/ company?!... Just suggesting!... :)

Anyway, I wish you the best with your network! :)
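To make the point from the two replies above concrete (whitwye's "the port applies to the service on the server" and Ciprian's corrected table), here is a small added example that is not code from this thread, from OPNsense or from pf. It models a first-match rule table with an implicit default deny and evaluates three policies against constructed sample connections: rules keyed on the source port (the original mistake), rules keyed on the destination port (Ciprian's table), and the any-to-any rule Julien put on top as a workaround. The network 192.168.1.0/24 and the addresses and ports in the sample connections are constructed stand-ins, not values from the thread.

```python
"""Added example, not code from the thread or from OPNsense: a small model
of a first-match firewall policy, used to show why LAN rules that filter on
the *source* port block ordinary client traffic, while rules that filter on
the *destination* port (as in Ciprian's table) let it through and still
block everything else.

Assumptions: first-match evaluation with an implicit default deny, and the
constructed sample network 192.168.1.0/24 standing in for "LAN net".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN_NET = ip_network("192.168.1.0/24")  # constructed stand-in for "LAN net"


@dataclass(frozen=True)
class Rule:
    """One row of the rule table; None stands for the '*' (any) column value."""
    action: str
    src_net: Optional[IPv4Network]
    src_port: Optional[int]
    dst_net: Optional[IPv4Network]
    dst_port: Optional[int]


@dataclass(frozen=True)
class Conn:
    """A client connection attempt as the firewall sees its first packet."""
    src: str
    sport: int
    dst: str
    dport: int


def matches(rule: Rule, conn: Conn) -> bool:
    """True when every non-wildcard column of the rule matches the connection."""
    if rule.src_net is not None and ip_address(conn.src) not in rule.src_net:
        return False
    if rule.dst_net is not None and ip_address(conn.dst) not in rule.dst_net:
        return False
    if rule.src_port is not None and conn.sport != rule.src_port:
        return False
    if rule.dst_port is not None and conn.dport != rule.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], conn: Conn) -> str:
    """First matching rule decides; nothing matching falls to the default deny."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return "block"


# The mistake described in the thread: service ports in the Source Port column.
SOURCE_PORT_RULES = [
    Rule("pass", LAN_NET, 80, None, None),
    Rule("pass", LAN_NET, 443, None, None),
]

# Ciprian's corrected table: service ports in the Destination Port column.
DEST_PORT_RULES = [
    Rule("pass", LAN_NET, None, None, 80),
    Rule("pass", LAN_NET, None, None, 443),
    Rule("pass", LAN_NET, None, None, 587),
]

# The "any to any" rule Julien placed on top to get traffic flowing at all.
ANY_TO_ANY = [Rule("pass", None, None, None, None)]

# Constructed sample connections: a browser binds an ephemeral source port,
# never the service port, so only the destination port identifies the service.
WEB_CLIENT = Conn("192.168.1.20", 51234, "203.0.113.10", 443)
SSH_CLIENT = Conn("192.168.1.20", 51235, "203.0.113.10", 22)


def compare_policies(conn: Conn) -> dict:
    """Decision of each rule set for one connection, keyed by policy name."""
    return {
        "source_port_rules": evaluate(SOURCE_PORT_RULES, conn),
        "dest_port_rules": evaluate(DEST_PORT_RULES, conn),
        "any_to_any": evaluate(ANY_TO_ANY, conn),
    }


if __name__ == "__main__":
    for label, conn in (("HTTPS from browser", WEB_CLIENT),
                        ("SSH from client", SSH_CLIENT)):
        print(label, compare_policies(conn))
```

Running it shows the three outcomes side by side: the source-port rules block the browser's HTTPS connection because its source port is an ephemeral one, the destination-port rules pass HTTPS and still block the SSH attempt, and the any-to-any workaround passes both, which is exactly the loss of filtering that made it a poor fix. A source-port rule is also a weak control in its own right, since it only describes which port the client happened to bind, not which service is being reached.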
Title: Re: Rules for LAN
Post by: Julien on August 25, 2017, 03:58:01 pm
Your rules from the images should be like below:

INT / Source  / Source Port / Destination / Destination Port / Gateway
LAN / Lan Net / *           / *           / 80 (HTTP)        / *
LAN / Lan Net / *           / *           / 443 (HTTPS)      / *
...
...
...
LAN / Lan Net / *           / *           / 587 (SUBMISSION) / *

Meaning, in most cases you do the port/service filtering on the destination port, as the source port is randomly chosen and is not the same as the service port.

PS I don't mean to offend you, but this is pretty basic (ABC), and as you can see, other people around already gave you this solution, but without examples (as being quite basic stuff, they must have thought it was just a small "typo"/ misplacement!). Are you sure you know what you're doing? Since you said it involves users, and proxies, and so on and so forth, I guess it's about a production environment... If so, maybe someone with deeper knowledge/ experience (better both) might be much more appropriate for a production environment; should you maybe ask for help from a local IT guy/ company?!... Just suggesting!... :)

Anyway, I wish you the best with your network! :)
Thank you for your answer, but I think we misunderstand each other here, because you came to the conclusion that I don't know about the network or ports.
I am the IT / network guy, and it appears something was wrong with the firewall, an A10 hardware unit; it has been replaced and the firewall rules are working now.
I started the post to check with others whether I had missed something, but the issue was the firewall and not me or the rules.
People are posting threads to ask for help / share experience, not to be told who to hire or how bad / good their knowledge is.
Title: Re: Rules for LAN
Post by: Ciprian on August 25, 2017, 04:30:55 pm
Quote
Thank you for your answer, but I think we misunderstand each other here, because you came to the conclusion that I don't know about the network or ports.

Sorry, mea culpa!

Quote
I am the IT / network guy, and it appears something was wrong with the firewall, an A10 hardware unit; it has been replaced and the firewall rules are working now.
I started the post to check with others whether I had missed something, but the issue was the firewall and not me or the rules.

Glad to hear you did find it and did solve it!

Quote
People are posting threads to ask for help / share experience, not to be told who to hire or how bad / good their knowledge is.

You are right, I shouldn't have said what I have said, even if it was certainly true, especially since it turns out it's not!

I sincerely apologize for my post, and I truly regret I did cast a dark shadow over your expertise. In spite of having good intentions, this is a situation I am ashamed of generating. Please, one more time, excuse my lack of success trying to be only helpful.

I wish you the best!
Title: Re: Rules for LAN
Post by: Julien on August 27, 2017, 12:46:23 pm
Quote
Thank you for your answer, but I think we misunderstand each other here, because you came to the conclusion that I don't know about the network or ports.

Sorry, mea culpa!

Quote
I am the IT / network guy, and it appears something was wrong with the firewall, an A10 hardware unit; it has been replaced and the firewall rules are working now.
I started the post to check with others whether I had missed something, but the issue was the firewall and not me or the rules.

Glad to hear you did find it and did solve it!

Quote
People are posting threads to ask for help / share experience, not to be told who to hire or how bad / good their knowledge is.

You are right, I shouldn't have said what I have said, even if it was certainly true, especially since it turns out it's not!

I sincerely apologize for my post, and I truly regret I did cast a dark shadow over your expertise. In spite of having good intentions, this is a situation I am ashamed of generating. Please, one more time, excuse my lack of success trying to be only helpful.

I wish you the best!

Thank you for your apologies,
we are a team and trying to help each other.
I hope to be able to help some time.
Good luck mate.