OPNsense Forum

English Forums => General Discussion => Topic started by: comet on November 25, 2017, 12:34:32 am

Title: [SOLVED] How can I restrict device to the local network only with one exception?
Post by: comet on November 25, 2017, 12:34:32 am
What I would like to know might be common knowledge for some of you, but since I am very new to OPNsense I don't know how to do this.  What I would like to do is restrict access TO and FROM a particular device on the network to the local network only.  I don't want anyone on the Internet to be able to connect to it, which I assume is the default unless you make a specific rule to forward ports to it.  BUT, I also don't want it to be able to make an outgoing connection to anything outside the local network.  So far, is that possible, and if so how would I do that?  The device does have a fixed IP address on the local network.

If that is possible, then the second part is, this device periodically sends a status email to me and therefore it needs to connect to my ISP's mail servers using SMTP.  This is an address of the form smtp.mailserver.com.  So if possible I want it to be able to connect to that one specific address, and that address only.

In other words, I want it to have open access to and from the local network (everything connected to the LAN port), but to basically not know the Internet exists except for the mail server.  How would I do that in OPNsense?  Or is it even possible?  Thanks in advance for any help with this!
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: fabian on November 25, 2017, 06:45:57 am
P1)

That works - just don't create a firewall rule that passes traffic to it. If you want all other computers in the same network segment to have unrestricted access, you need to add rules like these before them:
1.
type: pass
source ip: device
destination: your local network
protocol: any
source port: any
destination port: any

2.
type: block
source ip: device
destination: any
protocol: any

P2)
You can use the fqdn as an alias and use that in a pass rule for SMTP for this host as a destination.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 25, 2017, 10:34:56 am
Thank you.  I assume you are talking about doing this in the Firewall: Rules, LAN tab, correct?  There is already a rule there to pass traffic, the "Default allow LAN to any rule".  So do I assume the rules are checked in top-down order?  If so, wouldn't I want to order the rules this way?

1. pass from the device to the local network
2. pass from the device to the specific external address
3. block all traffic from the device to any - this would block anything not explicitly allowed in the first two rules (I would think).
4. the existing "Default allow LAN to any rule"?

Title: Re: How can I restrict a device to the local network only with one exception?
Post by: xinnan on November 25, 2017, 04:50:08 pm
If on the lan you make rules for your device's IPs in this order, above all other rules, it should be ok.

Allow the device to/from your local/24
Then allow the device all to/from your mail server's IP
Then block all to and from that device's IP.

In this order. 

Finally, the pass all to/from on LAN rule

It's pretty much what you typed above, but remember.  To and From.  Not just one or the other.

If you already figured it out, sorry for the repeat.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 25, 2017, 07:51:31 pm
It's pretty much what you typed above, but remember.  To and From.  Not just one or the other.

Well, now you have just totally lost me. I had assumed that all traffic FROM the internet was blocked by default unless you opened a specific port forwarding rule.  In other words, by default, nobody can just ssh into a machine on your local network even if they somehow have obtained your username and password, as long as you haven't forwarded port 22 to that machine.  That's kind of the whole point of having a firewall, to block all incoming traffic except that which you explicitly allow and forward to a machine on your network, right?

So what am I missing here?  What other kind of "from" traffic would I need to create a rule to block, and how would I create such a rule?  I don't want ANY incoming traffic from the Internet to go to this machine, other than the handshakes with the ISP's SMTP server, but I thought that was the normal condition.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: xinnan on November 25, 2017, 08:00:55 pm
All traffic on every interface, including the LAN, is blocked, both to and from, without rules. 

Take a look at the default LAN rules.  Allow any protocol.  Any Source.  Any Destination. 

You know...   I've never tried port forwarding from the WAN to a LAN with no allow rules on the LAN.

I wonder what that might do?

But yeah - Like you said.  Without added rules, everything starts out totally blocked. 
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: chemlud on November 25, 2017, 08:57:47 pm
If your device in the LAN initiates traffic to a device on ANOTHER subnet (might be local, on your router, with a different interface, or on the "internet", i.e. via the WAN) a STATE is initiated. This means that for the respective traffic in the opposite direction, no firewall rule is necessary.

LAN-device -> ask site on Internet

Firewall creates STATE

Internet site answer -> goes through to device on LAN (although you have a "BLOCK any any" rule on your WAN interface)

That's why the Sense is called a STATEFUL firewall.

What xinnan wrote is correct, I have it for some machines:

ALLOW port IMAP  source:specific IP  target:any 
ALLOW port SMTP  source:specific IP target:any 
BLOCK any port source: specific IP target:any

ALLOW ANY port source:LAN net target:any

Will allow only email for the specific IP and allow any IPv4 traffic for the rest of the LAN subnet. You can specify more protocols even for the rest of the LAN interface, if you want... ;-)
 
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 25, 2017, 10:04:45 pm
All traffic on every interface, including the LAN, is blocked, both to and from, without rules. 

Take a look at the default LAN rules.  Allow any protocol.  Any Source.  Any Destination. 

You know...   I've never tried port forwarding from the WAN to a LAN with no allow rules on the LAN.

I wonder what that might do?

But yeah - Like you said.  Without added rules, everything starts out totally blocked.
Okay, thanks for clarifying.  But the default LAN rules are not "Allow any protocol.  Any Source.  Any Destination."  At least they were not when I set this up.  Instead they are the "Default allow LAN to any rule",  which would mean "Allow any protocol.  LAN Net Source.  Any Destination."  There was no default rule allowing all incoming traffic from the Internet, and it wouldn't really make sense to have the type of rule you mentioned, because the incoming packets still would not be directed to any specific device on the network.  For incoming packets it would be like sending a letter to someone in Japan and just putting "Japan" as the address.  The Japanese postal service would have no idea what to do with it, so it wouldn't go anywhere.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 25, 2017, 10:13:27 pm
If your device in the LAN initiates traffic to a device on ANOTHER subnet (might be local, on your router, with a different interface, or on the "internet", i.e. via the WAN) a STATE is initiated. This means that for the respective traffic in the opposite direction, no firewall rule is necessary.

LAN-device -> ask site on Internet

Firewall creates STATE

Internet site answer -> goes through to device on LAN (although you have a "BLOCK any any" rule on your WAN interface)

That's why the Sense is called a STATEFUL firewall.

What xinnan wrote is correct, I have it for some machines:

ALLOW port IMAP  source:specific IP  target:any 
ALLOW port SMTP  source:specific IP target:any 
BLOCK any port source: specific IP target:any

ALLOW ANY port source:LAN net target:any

Will allow only email for the specific IP and allow any IPv4 traffic for the rest of the LAN subnet. You can specify more protocols even for the rest of the LAN interface, if you want... ;-)
 

Good, thanks. Although in your example you don't appear to be allowing local network traffic, and you are allowing IMAP (which I wouldn't need, since this device only sends mail, it doesn't receive it).  So it is a little different than what I want to do, but at least your example sort of confirms what I was thinking about how this would work after reading fabian's post.  Also your default rule is the same as what I have, so it makes more sense to me.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: chemlud on November 26, 2017, 04:59:27 pm
There IS no way to block traffic on the LAN via rules in the firewall. This traffic never reaches the firewall. LAN = LAN = LAN, all devices talk directly to each other.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 26, 2017, 08:20:57 pm
There IS no way to block traffic on the LAN via rules in the firewall. This traffic never reaches the firewall. LAN = LAN = LAN, all devices talk directly to each other.

This is why this stuff is so confusing to me.  I have now received two directly contradictory responses:  fabian's reply above indicated that I do need a rule to allow traffic to other devices on the LAN, now you are in effect saying I don't.

I hate to phrase it this way, but I'd really like to know:  Who is right?
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: phoenix on November 26, 2017, 08:34:17 pm
I hate to phrase it this way, but I'd really like to know:  Who is right?
You do not need any rule for your PCs to talk to each other on the LAN if they are all in the same subnet. All my machines can talk to each other quite happily.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 27, 2017, 01:01:42 am
Okay, so what I did was this:

Defined the machine I want this to apply these rules to as an alias, using the host IP address (I did this because I decided I actually wanted the same rule to apply to two machines on the network, so using an alias let me specify both).
Defined the mail server as an alias, using the host address of the mail server.  As I noted it is in the form smtp.mailserver.com so I hope that actually works, and that OPNsense can resolve it correctly.

Under Firewall: Rules (LAN tab) made two rules:
An ALLOW rule with the source set to the machine alias, and the destination set to the mail server alias.
A DENY rule with the source set to the machine alias, and the destination set to any.

The above rules are below the Anti-Lockout Rule and before the Default allow LAN to any rule.

I guess I will know if it works if I get the next email it sends. I was still able to access the system from the local network, so I guess you really don't need a specific rule to allow that.  Thanks to all who posted here and helped me understand this!

Edit: It didn't work!  The blocking part worked fine, but sending test emails from the machine in question didn't work.  I finally figured out that I had to use the dotted IPv4 address both in the router alias, and when specifying the mail server on the machine itself.  If I used the smtp.mailserver.com form of the address it didn't work.  Which is weird, because the machine is set to use the DNS server in OPNsense (so, a local address) but for some reason it apparently still couldn't resolve the address.  Yet if I use nslookup (on a different machine) and it goes to OPNsense, it gets the correct IPv4 address with no problem.  Don't get it, but oh well.  I just hope that mail server address doesn't change often.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: Ciprian on November 27, 2017, 09:03:21 am
If you want to manage a single host/ IP address with rules regarding also the traffic from LAN (not only WAN), then you have to isolate that host/ IP address to a different broadcast domain (meaning, another LAN - let's say LAN2 - interface with another subnet).

This is the only way to "force" through OPNsense, for that specific host/ IP address, the traffic from/ to anywhere, LAN1 and WAN.
Otherwise, only WAN (to/ from) traffic for that host will pass through OPNsense, hosts in the same subnet/ broadcast domain will pass through the switch(es) only.

Cheers!

PS Of course this implies, for fine tuning, performance and best practices, either different VLANs configured on the level 2 managed switch(es) and OPNsense for those different internal LANs, or different switches for those different interfaces/ broadcast domains (or that particular host/ IP address directly plugged in another OPNsense NIC). But, if you don't have either of these, then it works even with no different switches/ VLANs/ dedicated NIC on OPNsense, given the fact that you will have some extra broadcast traffic in your network.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: xinnan on November 27, 2017, 04:16:58 pm
One thing to keep in mind when making all these rules and assuming that everything on the switch can talk to anything else on the switch is that assuming for instance we are talking about 192.168.1.0/24 and pfsense LAN is maybe 192.168.1.1 and everything else is .2 - .254

The rules you put (or don't put) on the LAN firewall will impact the host's ability to communicate or not communicate with 192.168.1.1, which is pretty important.

But yeah - A dumb switch is a free-for-all, which is not always a bad thing, but can be.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 27, 2017, 06:21:29 pm
If you want to manage a single host/ IP address with rules regarding also the traffic from LAN (not only WAN), then you have to isolate that host/ IP address to a different broadcast domain (meaning, another LAN - let's say LAN2 - interface with another subnet).

This is the only way to "force" through OPNsense, for that specific host/ IP address, the traffic from/ to anywhere, LAN1 and WAN.
Otherwise, only WAN (to/ from) traffic for that host will pass through OPNsense, hosts in the same subnet/ broadcast domain will pass through the switch(es) only.

Cheers!

PS Of course this implies, for fine tuning, performance and best practices, either different VLANs configured on the level 2 managed switch(es) and OPNsense for those different internal LANs, or different switches for those different interfaces/ broadcast domains (or that particular host/ IP address directly plugged in another OPNsense NIC). But, if you don't have either of these, then it works even with no different switches/ VLANs/ dedicated NIC on OPNsense, given the fact that you will have some extra broadcast traffic in your network.
Not a single word of that made a bit of sense to me.  But keep in mind, the method described in my previous post works fine except for the fact that the device I'm limiting outgoing access to can't seem to resolve the address of the mailserver.  As long as I use the dotted IPv4 address at both the machine and in my alias, it works.

It just confounds me how so many people who have been using OPNsense far longer than I seem to have such very different ideas of how things work.  Is it really that hard to grasp?
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 27, 2017, 06:25:03 pm
One thing to keep in mind when making all these rules and assuming that everything on the switch can talk to anything else on the switch is that assuming for instance we are talking about 192.168.1.0/24 and pfsense LAN is maybe 192.168.1.1 and everything else is .2 - .254

The rules you put (or don't put) on the LAN firewall will impact the host's ability to communicate or not communicate with 192.168.1.1, which is pretty important.

You've just described my setup exactly.  So are you saying I need some additional rule to allow the machine to access the DNS server at 192.168.1.1 (OPNsense)?  I would have thought 192.168.1.1 is considered part of the local network, same as any other machine in the 192.168.1.x range.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: xinnan on November 27, 2017, 06:49:37 pm
It is.  But with so much talk of how nothing on the switch needs to be explicitly allowed, just throwing in the reminder not to break connectivity with opnsense LAN by accident.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: chemlud on November 27, 2017, 07:26:43 pm
Quote
You've just described my setup exactly.  So are you saying I need some additional rule to allow the machine to access the DNS server at 192.168.1.1 (OPNsense)?  I would have thought 192.168.1.1 is considered part of the local network, same as any other machine in the 192.168.1.x range.

Consider your OPNsense kind of "personal firewall" for the LAN port at 192.168.1.1. So if your sense is your DNS server, allow port 53 on 192.168.1.1 from LANnet. Done.

If your DNS server is on another machine on the LAN, which has such a personal firewall enabled, you would need a firewall rule on THIS personal firewall, to reach your DNS server. 

If you run further services for your LAN on the sense, YMMV... ;-)
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 27, 2017, 07:48:11 pm
Quote
You've just described my setup exactly.  So are you saying I need some additional rule to allow the machine to access the DNS server at 192.168.1.1 (OPNsense)?  I would have thought 192.168.1.1 is considered part of the local network, same as any other machine in the 192.168.1.x range.

Consider your OPNsense kind of "personal firewall" for the LAN port at 192.168.1.1. So if your sense is your DNS server, allow port 53 on 192.168.1.1 from LANnet. Done.

If your DNS server is on another machine on the LAN, which has such a personal firewall enabled, you would need a firewall rule on THIS personal firewall, to reach your DNS server. 

If you run further services for your LAN on the sense, YMMV... ;-)

Ai yi yi... my head is spinning.

The one and only DNS server on the LAN is OPNsense at 192.168.1.1

The machine for which I've blocked outbound communications seems to have no problem communicating with any other machine on the local 192.168.1.x network (which is what I want).  According to you, "There IS no way to block traffic on the LAN via rules in the firewall. This traffic never reaches the firewall. LAN = LAN = LAN, all devices talk directly to each other."  And phoenix said, "You do not need any rule for your PCs to talk to each other on the LAN if they are all in the same subnet. All my machines can talk to each other quite happily."

192.168.1.1 is in the same subnet as all the other machines, which is the ONLY LAN subnet in this OPNsense installation.  So, if it is as you and phoenix said, then I fail to comprehend why a separate rule would be needed to allow access to the DNS server that is part of OPNsense.

I know you guys are thinking about all the possible implications of having multiple subnets and such but I don't have anything nearly that complicated - for the most part I've just been trying to emulate the operation of a standard off-the-shelf router, but maybe trying to do a couple of extra things if I can get them to work.  I would have thought that this would have been REALLY SIMPLE but now it has turned into a two page thread with a lot of conflicting information, and posts I don't understand at all.

I'm beginning to think no one really understands OPNsense, and we are all just guessing and making it up as we go along?

So anyway, to be clear, I have ONLY ONE LAN subnet, in the 192.168.1.x range.  And my only question now is, if it is impossible to keep devices in the same subnet from communicating with each other using the OPNsense firewall, then why would any machine on the LAN not be able to access the OPNsense DNS server at 192.168.1.1?
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: xinnan on November 27, 2017, 08:10:16 pm
Well, let's say you have 10 devices on the lan switch and opnsense is one of them.

The opnsense is usually providing DHCP services for all the devices on that lan switch. 

So let's say you start thinking "Why do I even need this default allow rule?".  So you delete it.

Suddenly no device on the lan switch has access to the dhcp service and they are not allocated IPs.

They also get their DNS from the opnsense LAN by default...   But without that default allow rule they can't. 

So, can all the devices on the LAN switch talk to each other no matter what you do with the opnsense firewall rules?

Sure - But you usually need services on the opnsense, and thus you need at least the default rule.

So, even though you can't keep 10 devices on a dumb lan switch from communicating with firewall rules on the LAN so that DNS is broken, DHCP is broken, etc etc. 

So, just be sure to always allow every client access to all the services you need that run on the opnsense. 

Reading your initial question, to me, it sounds like you just need a couple of simple rules applied to the lan firewall for one single IP.  Doesn't need to be too complicated.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 27, 2017, 09:41:18 pm
Well, let's say you have 10 devices on the lan switch and opnsense is one of them.

The opnsense is usually providing DHCP services for all the devices on that lan switch. 

So let's say you start thinking "Why do I even need this default allow rule?".  So you delete it.

WHAT default allow rule are you talking about?  I am aware of no specific default allow rule for DNS, and if you are talking about the default allow LAN to any rule, if I understand correctly deleting that would completely disable your ability to access the Internet.

Suddenly no device on the lan switch has access to the dhcp service and they are not allocated IPs.

They also get their DNS from the opnsense LAN by default...   But without that default allow rule they can't.

Again, I am not sure what default allow rule you are talking about.

So, can all the devices on the LAN switch talk to each other no matter what you do with the opnsense firewall rules?

Sure - But you usually need services on the opnsense, and thus you need at least the default rule.

I know I am sounding like a broken record here, but again, WHAT default rule?

So, even though you can't keep 10 devices on a dumb lan switch from communicating with firewall rules on the LAN so that DNS is broken, DHCP is broken, etc etc. 

So, just be sure to always allow every client access to all the services you need that run on the opnsense. 

Reading your initial question, to me, it sounds like you just need a couple of simple rules applied to the lan firewall for one single IP.  Doesn't need to be too complicated.

Okay, so I have explained that under Firewall: Rules (LAN tab) I made two rules:
An ALLOW rule with the source set to the machine alias, and the destination set to the mail server alias.
A DENY rule with the source set to the machine alias, and the destination set to any.

So you are saying I need another rule like this under the Firewall: Rules (LAN tab), perhaps one that looks like this?

Action: Pass
Disabled: (unchecked)
Interface: LAN
TCP/IP Version: IPv4    
Protocol: TCP/UDP
Source / Invert: (unchecked)
Source: The alias of the machine in question
Source port range: from: DNS to: DNS
Destination / Invert: (unchecked)
Destination: Single host or network: 192.168.1.1/32
Destination port range: from: DNS to: DNS

Nothing else changed except maybe adding a Description.  Does that look correct?

The only other thing I am not sure about is under Advanced features there is a Gateway option, it is set to default.  If I created this rule I wonder if that would cause a problem by trying to send the DNS requests to 192.168.1.1 out on the Internet (which would obviously fail).  But none of the other options in that dropdown look right either.

Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on November 29, 2017, 08:45:12 pm
Well, I wound up doing an end run around the email problem.  Rather than fight with OPNsense to find a rule that would allow the outgoing email to pass, I remembered that one of the systems on my network is running exim4 just so it can send outbound mail.  With only a couple of small changes to its configuration file, exim4 can act as an outgoing mail relay for other machines on the local network.  So, I now have the blocked machine send email to the system running exim4, and it in turn passes it along to the ISP mail server.  Works great.

Also realized that the blocked machine couldn't get to a timeserver despite the fact that it was pointed at the built-in timeserver in OPNsense, so I set up ntp on one of the local machines on the network; it gets the time from the router (and a fallback server) and then the blocked machine gets the time from it.

It still makes no sense to me why a firewall rule that supposedly cannot restrict communications between devices on the local network somehow manages to restrict communications to OPNsense itself, even though OPNsense is very much on the local network.  But sometimes it's just easier to work around the problem than to spend any more time trying to figure it out.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: Ciprian on December 06, 2017, 11:23:28 am
Quote
It still makes no sense to me why a firewall rule that supposedly cannot restrict communications between devices on the local network somehow manages to restrict communications to OPNsense itself, even though OPNsense is very much on the local network.

The FW rule can and will ALWAYS restrict communication between ALL devices on the local network - if set so, of course - but only when that specific traffic passes through the FW; and since the switch in your network acts as a direct intermediator between those devices in the local network, and since the switch does not have any permit/ deny rules of itself, at FW level you cannot block traffic between devices in the same broadcast domain (aka local network): that traffic does not get to, and is not seen by, the FW.

Put it in other words, the same idea states that for a successful and full communication in the same network, between devices in the same broadcast domain, you don't even need a GW IP address (which most of the time is the FW IP address) being set on those devices, you only need to set, on every device, the IP addresses of that device and the correct SubNet Mask for that local network/ broadcast domain. Voila, it works, full and successful communication between any device and every device.

Hope it's clear now!
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on December 06, 2017, 10:59:20 pm
So the traffic is not blocked only because the switch is intercepting it and it's never getting to the router?  That's interesting.

At this point the only outbound rule that I have added is this:

Action: Block
Disabled: (unchecked)
Interface: LAN
TCP/IP Version: IPv4   
Protocol: any
Source / Invert: (unchecked)
Source: The alias of the machine in question
(No advanced source settings used)
Destination / Invert: (unchecked)    <----- Should be checked
Destination: Single host or network: any    <----- Should be "LAN Net"
Destination port range: from: any to: any

(EDIT:  For the benefit of anyone reading this thread at a later date, what should be changed is shown in bold above. See hutiucip's reply #32 in this thread for the explanation. End of edit.)

This effectively blocks everything but also blocks all traffic to the router itself.  I think it is the Destination setting that has me confused, and of course that is the only one with no help available.  Setting it to "any" may be wrong, and my first thought is that maybe "WAN net" or "WAN address" might have been the more correct choice, but I am not sure of that.  My only choices there are "Single host or network", my various pre-defined aliases, and the following: "any", "This Firewall", "LAN Net", "LAN Address", "WAN Net", or "WAN Address".  What I am not clear on is the distinction between "WAN Net" and "WAN Address".  My original goal was to block ALL outbound traffic to the Internet except for traffic to a mail server, however I wasn't trying to block local traffic (to and from other machines on the local network) nor to the router itself.

(EDIT:  For the benefit of anyone reading this thread at a later date, I will try to save you from having to wade through the rest of this thread to get an answer to this.  If I am understanding correctly from the posts that follow this one, WAN Net is the network that the WAN port is connected to.  It is NOT the Internet.  As an example, if your home router running OPNsense is directly connected to a cable modem via the WAN port, then the only two devices on the WAN Net are your cable modem and your router.  Typically the WAN Net will use addresses that are neither on the Internet nor part of your LAN.  For example, your LAN may use addresses in the 192.168.1.x range, but your cable modem might be accessible as 192.168.10.1 - in that case 192.168.10.x would be your WAN Network, and for many home users the only things on the WAN Net would be the cable or DSL modem, and the router running OPNsense.  As for WAN Address, that would be the address of the router running OPNsense as seen on the WAN port - for example if the cable modem is 192.168.10.1, it might assign an address of 192.168.10.2 to the router.  In that case 192.168.10.2 would be the "WAN Address" and both 192.168.10.1 and 192.168.10.2 would be on the WAN Net, but neither of those (neither "WAN Net" nor "WAN Address") includes addresses on the Internet as a whole.  Note that more complex configurations are possible; here I am only talking about the situation where the cable or DSL modem is connected directly to the router's WAN port via a single direct cable, as would be the case in many home installations.  And again, this assumes that I have finally understood all this, which I do not guarantee.  End of edit.)

Rather than try and guess what the correct setting should be, I just used the workarounds in my previous post.  But it would be really helpful if there could be some help text for the Destination setting - those choices may seem obvious to experienced users but if it's not a choice that says "all Internet traffic" then it's not obvious to me, especially when there are two different WAN choices.  Yes, I want to block all traffic to the WAN Net, but yes, I also want to block all traffic to all WAN addresses, so which do I choose?  Using the "any" choice removes the ambiguity (and also assures me that nothing is leaking to the Internet), but has the unintended consequence that the devices cannot communicate with the local DNS or NTP servers in OPNsense.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: Ciprian on December 07, 2017, 09:23:43 am
Hey, c'mon!...

No offense, comet, but it's nobody's fault you are reading "any", and interpret "any, but not...". Also, I guess nobody could have thought "Well, maybe there will be a few people among millions that will have a different interpretation of 'any', so I should explain 'any' better!". :D (sorry for being ironic, but I couldn't help myself, the context is too funny :) ).

Regarding the difference between WAN net and WAN address, it's the same as for LAN net and LAN address: WAN net means the network segment/ broadcast domain corresponding to the WAN interface, ISP devices included - usually, your WAN GW only, since most ISPs offer a public IP address (that WAN address) in a /30 network range (that WAN net). But it is useful to have them that way for cases like, as an example, when the firewall is not the one and only firewall in the network, and maybe WAN on a particular firewall is on another internal network. It helps to isolate traffic for specific network devices to a specific internal network, or perimeter network, through WAN, and you want to cut the traffic at the internal (first/ closest) firewall level, and not load all other network devices, only to be discarded at the external (last/ most distant) firewall level - network load and flow optimization.

Quote
Yes, I want to block all traffic to the WAN Net, but yes, I also want to block all traffic to all WAN addresses, so which do I choose?  Using the "any" choice removes the ambiguity (and also assures me that nothing is leaking to the Internet), but has the unintended consequence that the devices cannot communicate with the local DNS or NTP servers in OPNsense

You are trying to get something nobody has: a FW setup with one single rule to fit everything - for what you say, blocking everything, but not a specific proto/ port, you have the option of one permit rule for NTP (or DNS, or etc.), followed by one block rule, for any. And this is the approach the industry had for decades.

Hope it's clear now.
Cheers!
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on December 07, 2017, 05:15:20 pm
hutiucip,

Well, besides being insulting in your first paragraph, you might as well have saved yourself the trouble of typing that response, because you've totally lost me again. Your reply contains so much jargon that I don't understand a word of it.

No offense, but you obviously spend too much time around networking people and don't have the foggiest clue how to talk to a user that hasn't taken a college course in networking.  If obfuscation was your goal, you have achieved it!

Really, I had ONE question - if "any" isn't the correct choice for the destination, then which would be better, out of all the possible choices (I would guess either WAN net or WAN address, but between those two I still have no idea which) - and you completely blew around that and went into a long technical explanation that made not a bit of sense to me.  By the way I had used "any" in the first place because fabian had recommended that in his reply to me (Reply #1 in this thread); I didn't just pull it out of thin air.

Is OPNsense only supposed to be used by networking gurus, and not by people who just want a better router in their homes than what they can buy off the shelf?  Sometimes, I wonder, given the effort some people seem to make to avoid posting clear answers to what should be simple questions.

If I sound ticked off, I am a little bit, given that you found my confusion so funny, and then apparently made an effort to post a reply that would only serve to 1) insult me and 2) confuse me more.  It's not at all funny when you don't understand, even if the answer may be obvious to anyone else.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: franco on December 07, 2017, 05:29:04 pm
Hello,

I don't care about the topic at this point, but I care about the fact that comet seems to find himself / herself in heated discussions on multiple occasions. I wish this would have been more relaxed by now, but it is not.

For the sake of a friendly and motivating community I would like to ask everyone here to ponder about why they come here and ask for assistance, help people, learn something or if time is better spent elsewhere.

This cannot continue forever. :)


Cheers,
Franco
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: xinnan on December 07, 2017, 05:29:16 pm
OPNsense has many options which require a certain level of networking competence.  Not everyone will get it right away. Patience is probably more important than intelligence when dealing with solutions like OPNsense, so just take what is offered and try to absorb.  No one is trying to kick you in the teeth.  Relax and ponder what is offered.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on December 07, 2017, 09:02:23 pm
franco, I sent you a PM.

Basically, I have just one question at this point, if anyone cares enough to type a useful two-word answer:  Should I have used something other than "any" (which is what franco had told me to use), specifically "WAN Net" or "WAN Address", as the destination, in order to block access to the Internet but still allow access to services in OPNsense?  And if so, and this is the most important question, which of those two would be the better choice?  This is a very simple setup, one WAN port that connects to a cable modem and one LAN port that connects to a switch.  No additional WAN or LAN networks beyond that; I wouldn't know how.

Now, if someone can explain the difference between "WAN Net" and "WAN Address" without resorting to jargon or esoteric concepts that would fly right over my head, I would very much appreciate it, but really I just need to know which is the correct choice, "WAN Net" or "WAN Address".

It's like if I were asking someone how to fry an egg.  I don't need to know the history of eggs, nor the different breeds of chickens, nor what type of chicken feed produces the best eggs.  Nor do I need an explanation that involves using kitchen utensils I've never heard of before in my life.  None of that would be the slightest bit helpful to me, and I'd probably walk away hungry.

I'd also ask people to remember that there was a time you didn't know any of this stuff either.  You probably asked questions and learned from the answers, but only if the person explaining could do it at the level you were at.  A child learning multiplication is not going to learn a thing from someone explaining calculus.  And, you probably didn't learn much if someone tried to make you feel stupid for asking questions (I had an 8th grade algebra teacher that did that, and to this day I do not know algebra).
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: Ciprian on December 07, 2017, 09:15:05 pm
hutiucip,

Well, besides being insulting in your first paragraph,
- no, I didn't mean to insult you, as I have said, I only found it a bit funny and, in a friendly manner, and kindly apologizing right from the start, I meant to mock you a bit (again, in a friendly manner)! But I definitely didn't mean to insult/ offend you. If you felt that way, I'm sorry! Truly and deeply! Thanks in advance if you accept my apologies!

Quote
Is OPNsense only supposed to be used by networking gurus, and not by people who just want a better router in their homes than what they can buy off the shelf?  Sometimes, I wonder, given the effort some people seem to make to avoid posting clear answers to what should be simple questions.

No! Sorry to disappoint you, but as I see it, better means more versatile, more flexible, with more options, with more features, and so on and so forth. And all these mores mean a lot of intricate components that depend one on the other... And that's it!
Your questions are simple (at least some of them are), but it's true that here every answer, no matter how simple it is, is in itself the trigger for another (at least one) question from you. It is normal when you are trying to get into something else than an "off-the-shelf" router, as you yourself stress it, but, as somebody else did state it already, you too have to be patient and let it sink in, and fall in place after enough pieces revealed themselves.

Quote
If I sound ticked off, I am a little bit, given that you found my confusion so funny, and then apparently made an effort to post a reply that would only serve to 1) insult me and 2) confuse me more.

For 1) I claim again I didn't mean to insult you, and apologize again for that, and for 2), believe me, it shouldn't be confusing.

A man that I think about as being very wise once told me that, if one feels lost, disoriented, and doesn't know which direction is the right direction, it only means one lacks at least one single piece of information (and continued "no one is stupid, one is either uninterested or uninformed/ misinformed"). It was in another context, but I deeply feel it fits here perfectly, so please, don't take it personally!

Quote
It's not at all funny when you don't understand, even if the answer may be obvious to anyone else.

I deeply agree! Found myself, and not only once, in the same position! Every time I made the decision to not miss again the info required for understanding.

Cheers and good luck!
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on December 07, 2017, 11:05:33 pm
hutiucip,

Thank you for your apology, which I accept.  Just for future reference, mocking people is probably not a good way to avoid offending them, even if you intend it to be funny.

Sadly, you have still chosen not to answer my clear question, and instead you tell me that I am just missing information.  Which is probably true, but I guess I am never going to have that information if no one can explain this in a clear and easy to understand manner.  At this point I'm not sure if people are deliberately trying to make it difficult, are just incapable of giving a clear and simple answer to a direct question, or if there is something else going on here, but if this is what happens when a new user asks a question then you probably won't be seeing too many of them (new users OR questions).

I give up on trying to understand OPNsense; it is running well enough as a basic router and that is really all I need.  This reminds me of the early days of Linux.  OPNsense could be like Ubuntu and try to make a distribution that real people (non-nerds) can use, or they could be like Slackware (one of the most difficult distributions to use).  Right now I would say OPNsense is somewhere in the middle (the GUI is pretty good but the help text could be a lot better).  But, I just want to use the software, not devote the rest of my life to trying to figure out advanced networking just to use it in my home.  I don't always give up on something this easily, but you guys are so far over my head I have no idea what you are talking about most of the time.

Sorry to have bothered you.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: Ciprian on December 07, 2017, 11:48:24 pm
Comet!... Hello!... It's me again!... :)

I'll try to reply helpfully, I'll try to reply as plain and simple as I can. So, here we (try to) go:

Quote
franco, I sent you a PM.

Basically, I have just one question at this point, if anyone cares enough to type a useful two-word answer:  Should I have used something other than "any" (which is what franco had told me to use), specifically "WAN Net" or "WAN Address", as the destination, in order to block access to the Internet but still allow access to services in OPNsense?  And if so, and this is the most important question, which of those two would be the better choice?  This is a very simple setup, one WAN port that connects to a cable modem and one LAN port that connects to a switch.  No additional WAN or LAN networks beyond that; I wouldn't know how.

On the LAN interface in FW place on the very top a "block" rule from source being the IP address 192.168.1.X/32, to destination !LAN net (the exclamation mark means that you check "destination / invert", so that you invert the sense of match). This way, any request made from that IP address (the source) to any destination which is NOT something in the LAN IP address range, will be blocked. Other source IP addresses (aka hosts, devices) from LAN will not be blocked by that rule simply because their IP address is not a match for the source in the FW rule. And, of course, your FW and its services, like NTP, DNS, DHCP etc., will be reachable even for that particular device, with that particular IP address set as source in that FW rule.

Quote
Now, if someone can explain the difference between "WAN Net" and "WAN Address" without resorting to jargon or esoteric concepts that would fly right over my head, I would very much appreciate it, but really I just need to know which is the correct choice, "WAN Net" or "WAN Address".

As you maybe have deduced already from the first answer, above, NEITHER of WAN net and WAN address is the correct choice for what you want to accomplish.

Regarding the difference between them, try to understand the concept:
WAN net is the network space - or IP range - in which the WAN IP address of your router resides, but it's not the whole internet. This is commonly established by your ISP, it is out of your control, if and only if your FW is directly connected to the internet on the WAN interface. Since I remember you said before that your FW's WAN interface is connected directly to a modem, the WAN net is your FW's WAN IP and / + the modem's LAN IP (yes, for your modem your FW is on the LAN side, and for your FW the modem is on the WAN side). The WAN net of the modem, for example, is the modem's WAN IP and / + the IP of the ISP's router connected to the WAN interface of the modem. And so on, and so forth.

WAN net is for WAN interface, and from the WAN interface point of view, all IP addresses reachable directly, without the need for a single router as a GW. This is why I said before that WAN net is similar to LAN net, and WAN address is similar to LAN address: for both nets you don't need more than an unmanaged switch, or a direct connection, in order to fully reach any IP address in that net.

Quote
It's like if I were asking someone how to fry an egg.  I don't need to know the history of eggs, nor the different breeds of chickens, nor what type of chicken feed produces the best eggs.  Nor do I need an explanation that involves using kitchen utensils I've never heard of before in my life.  None of that would be the slightest bit helpful to me, and I'd probably walk away hungry.

Sorry, bro, but when you ask me how to fry an egg and you realize that my answer makes you walk away hungry, it's not because my answer makes the history of egg, but because my answer states that those matches you are trying to light up the fire with are, in fact, not matches but a lens, and you shouldn't rub the thing, as you thought, you should fine tune and fine position the thing on a precise direction.

Quote
I'd also ask people to remember that there was a time you didn't know any of this stuff either.  You probably asked questions and learned from the answers, but only if the person explaining could do it at the level you were at.

You are perfectly right, dear friend, there was a time when I knew exactly nothing about it, and in that time I was looking for answers to my questions, and I learned only if the person giving the answers put those answers right at my level of understanding, and structured them in a hierarchical manner based on levels of complexity.

But I usually called that person a professor, an educator, a mentor, a consultant, and I usually paid that son-of-a... person a price for that effort, because consultancy is not an easy profession, accomplished in a blink of an eye. Or else, without the payment, I wouldn't have had any particular expectations and particular demands from any person, but only gratitude and recognition of their efforts to be helpful, even if those efforts were not quite effective, and not quite what I exactly, in particular, needed.

So, take that time you spend in endless vivid/ heated discussions around here and do some self study by yourself. I stand by the opinion that nobody is stupid, but anyone could be uninterested or not (yet) informed. Inform yourself, please!

Quote
A child learning multiplication is not going to learn a thing from someone explaining calculus.  And, you probably didn't learn much if someone tried to make you feel stupid for asking questions (I had an 8th grade algebra teacher that did that, and to this day I do not know algebra).

You are not interested in algebra, as simple as it sounds. And it's nobody's duty to raise the interest for something, for anything, in you! If you need it, you learn it, if you don't, you don't. I have to admit, the solution of least resistance drives all living beings.

And I'm over and out from this topic: because maybe I offended you, unintentionally as I said, but also maybe you don't realize how much, and how much more than me, you offend each and every person that wrote even a few words in a reply to your post, by stating all the ideas like trying to be over your head, and fried eggs still making you run hungry... etc etc etc. This, the following, for example, is one of your best:

Quote
I'm beginning to think no one really understands OPNsense, and we are all just guessing and making it up as we go along?

Too bad, too sad! :(

Sorry for everything, I shouldn't have tried to be helpful in the first place: the guilt of you not knowing, later as well as before, ended up as being mine. :(
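For readers who want to see why "any", "WAN net" and "!LAN net" behave so differently as the destination of that block rule, here is an added example that is not from any poster in this thread and not OPNsense's own code: a small Python model of the first-match ("quick") evaluation the LAN rule list does, run over the three variants with the SMTP exception from the opening post placed above the block rule. The addresses (192.168.1.0/24 LAN, 192.168.10.0/24 WAN net, 192.168.1.50 as the restricted device, 203.0.113.25 standing in for smtp.mailserver.com, port 587 for the mail submission) and the OPNsense address 192.168.1.1 are constructed assumptions for the illustration; a real rule would use an alias for the mail server's hostname rather than a fixed IP. The model only covers packets that actually arrive at the LAN interface: traffic between two hosts on the same switch never reaches the firewall, which is the other point made repeatedly in this thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addresses mirroring the layout described in the thread (assumptions).
LAN_NET = ip_network("192.168.1.0/24")
WAN_NET = ip_network("192.168.10.0/24")        # modem <-> OPNsense link, NOT the Internet
LAN_ADDRESS = ip_address("192.168.1.1")        # OPNsense itself, where DNS/NTP listen (assumed)
DEVICE = ip_address("192.168.1.50")            # the restricted device (hypothetical host)
SMTP_SERVER = ip_address("203.0.113.25")       # placeholder for smtp.mailserver.com (TEST-NET-3)
ANY = ip_network("0.0.0.0/0")


def host(addr: IPv4Address) -> IPv4Network:
    """A single address as a /32, the way the GUI's 'Single host or Network' choice works."""
    return ip_network(f"{addr}/32")


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    invert_dst: bool = False    # the GUI's 'Destination / Invert' checkbox, i.e. "!LAN net"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, src, dst, proto, dport) -> bool:
        if src not in self.src:
            return False
        in_dst = dst in self.dst
        if in_dst == self.invert_dst:       # invert flips the sense of the destination match
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules, src, dst, proto="tcp", dport=None) -> str:
    """First matching rule wins (GUI rules are 'quick' by default); no match means the
    implicit default block applies."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "block"


# The stock "allow LAN to any" rule that sits below the custom rules.
DEFAULT_ALLOW = Rule("pass", LAN_NET, ANY)
# The one exception from the opening post: let the device reach the mail server only.
SMTP_EXCEPTION = Rule("pass", host(DEVICE), host(SMTP_SERVER), proto="tcp", dport=587)

VARIANTS = {
    "destination any":      [SMTP_EXCEPTION, Rule("block", host(DEVICE), ANY), DEFAULT_ALLOW],
    "destination WAN net":  [SMTP_EXCEPTION, Rule("block", host(DEVICE), WAN_NET), DEFAULT_ALLOW],
    "destination !LAN net": [SMTP_EXCEPTION, Rule("block", host(DEVICE), LAN_NET, invert_dst=True),
                             DEFAULT_ALLOW],
}

# Constructed packets: (source, destination, protocol, destination port).
SCENARIOS = {
    "device -> Internet host":    (DEVICE, ip_address("198.51.100.7"), "tcp", 443),
    "device -> OPNsense DNS":     (DEVICE, LAN_ADDRESS, "udp", 53),
    "device -> modem on WAN net": (DEVICE, ip_address("192.168.10.1"), "tcp", 80),
    "device -> mail server :587": (DEVICE, SMTP_SERVER, "tcp", 587),
    "other LAN host -> Internet": (ip_address("192.168.1.20"), ip_address("198.51.100.7"), "tcp", 443),
}


def compare_variants():
    """Map each rule-set variant to the verdict for every scenario."""
    return {name: {label: evaluate(rules, *pkt) for label, pkt in SCENARIOS.items()}
            for name, rules in VARIANTS.items()}


if __name__ == "__main__":
    for name, results in compare_variants().items():
        print(name)
        for label, action in results.items():
            print(f"  {action:5}  {label}")
```

Running it shows the three outcomes the thread argued about: "any" blocks the Internet but also the DNS/NTP services on the firewall's LAN address; "WAN net" only blocks the modem link and lets Internet traffic through via the default allow rule, because the WAN net is not the Internet; "!LAN net" blocks everything that is not on the LAN while leaving the firewall's own services and the mail-server exception reachable, and the other LAN host is unaffected in every variant.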
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: comet on December 08, 2017, 12:47:48 am
Quote
On the LAN interface in FW place on the very top a "block" rule from source being the IP address 192.168.1.X/32, to destination !LAN net (the exclamation mark means that you check "destination / invert", so that you invert the sense of match). This way, any request made from that IP address (the source) to any destination which is NOT something in the LAN IP address range, will be blocked. Other source IP addresses (aka hosts, devices) from LAN will not be blocked by that rule simply because their IP address is not a match for the source in the FW rule. And, of course, your FW and its services, like NTP, DNS, DHCP etc., will be reachable even for that particular device, with that particular IP address set as source in that FW rule.

THANK YOU!!! Had you replied with that in the first place, it would have saved a lot of hard feelings and needless typing!  I do appreciate that you finally answered the question, really.  THIS reply makes sense to me.

Quote
As you maybe have deduced already from the first answer, above, NEITHER of WAN net and WAN address is the correct choice for what you want to accomplish.

Regarding the difference between them, try to understand the concept:
WAN net is the network space - or IP range - in which the WAN IP address of your router resides, but it's not the whole internet. This is commonly established by your ISP, it is out of your control, if and only if your FW is directly connected to the internet on the WAN interface. Since I remember you said before that your FW's WAN interface is connected directly to a modem, the WAN net is your FW's WAN IP and / + the modem's WAN IP. The WAN net of the modem, for example, is the modem's WAN IP and / + the IP of the ISP's router connected to the WAN interface of the modem. And so on, and so forth.

Okay, I think I understand this.  You are basically saying the WAN Net is the private local network connecting the cable modem (in this case) to the router's WAN port, and in most cases there will only be two addresses on that network, that of the cable modem and that of the router's WAN port.  Put another way, my cable modem has an IP address that's not part of my LAN, but it's also not a public Internet address - it's on its own little network (along with the router's WAN port), and THAT is what OPNsense calls the WAN Net.  So far that makes sense, but it's not something I would consider obvious, especially for people coming from an off-the-shelf router.

Quote
WAN net is for WAN interface, and from the WAN interface point of view, all IP addresses reachable directly, without the need for a single router as a GW.

See, it's when you throw in things like this that you confuse me.  Mentioning "all IP addresses reachable directly, without the need for a single router as a GW" just makes me wonder what you are talking about.  Maybe there are situations where the WAN net would have more than two devices on it (the cable or DSL modem, and the device running OPNsense) but for a home user that's a very atypical situation.

Quote
This is why I said before that WAN net is similar to LAN net, and WAN address is similar to LAN address: for both nets you don't need more than an unmanaged switch, or a direct connection, in order to fully reach any IP address in that net.

And again, the reason something like that would be confusing to me is because I cannot conceive of a situation where you'd run an unmanaged switch (by "unmanaged" I assume you mean plain old dumb switch, like you'd use in a typical home environment) off the cable modem.  Maybe there is a reason someone might do that, but it's not common, at least not in a home (I am not talking about the case of a cable modem that has a built-in router; mine doesn't, and that's a whole other can of worms).

I really do struggle with this stuff and have a hard time understanding.  You've finally explained it in a way that I understand (I think) and I am grateful for that.  I just wish we could have got here a lot sooner.  I won't address the remainder of your post because you've said a few things that I could maybe argue about, but that would be pointless and not helpful to anyone, and I'd rather leave this on a positive note.  So thank you again.
Title: Re: How can I restrict a device to the local network only with one exception?
Post by: Ciprian on December 08, 2017, 03:27:53 am
OK, glad you're really catching up! Honestly, you really seem to understand what I have said, given your paraphrases and explanations using other words, but keeping the idea. Congrats, honestly!

Quote
Had you replied with that in the first place, it would have saved a lot of hard feelings and needless typing!

Roll back the conversation, and you'll realize too that many answers considered not needed and frustrating etc helped you have that "everything falls in place", that "aha" moment you just had! Only one example for this:

Quote
It still makes no sense to me why a firewall rule that supposedly cannot restrict communications between devices on the local network somehow manages to restrict communications to OPNsense itself, even though OPNsense is very much on the local network.
followed by
Quote
So the traffic is not blocked only because the switch is intercepting it and it's never getting to the router?  That's interesting.
(still inexact, but close enough: the switch never intercepts traffic, the switch only knows which of its ports is connected to any particular IP address, and sends the communication destined to that IP address only through that corresponding physical port, meaning it's not sent to the router/ FW instead - for the switch every device in the network is exactly the same as any other device, the switch knows and cares about only IP addresses.) after giving you the "unnecessary" explanation - unnecessary = the type not welcomed by you, the type considered already known, since basic, by me.)

And now, only to show you why I (or anybody else) didn't come with this answer in the first place, and a lot sooner, I dare to remind you that most of us tried to point you to a direction of using different subnets/ interfaces (at the moment it wasn't quite clear what you need), and for me, as for others, it was OK, seemed to be the right direction. The answer being given, no need to redundantly write again. Further questions from you, most of them requiring further explanations, forked the discussion even more.

Many replies have been already posted, discussion forked in several directions, when finally me, and somebody else, told you to try to use a different VLAN on your switch if it's a manageable one, or another mere mortal switch (unmanaged) for that interface on FW. Maybe now you understand why: at the time, for all of us it appeared that you want to restrict something even in the LAN vicinity for that host, not only the internet access, and - and this is a very big "AND" - the idea that the switch will make the internal LAN traffic avoid the FW being so basic, so ABC, so axiomatic if I can say so, made us so convinced that you should be aware of that, and even if you are not, a simple hint like "use VLANs, or different switches and different interfaces" should remind you that internal traffic in a NET never reaches the GW (in this case, your OPNsense) if the destination is not the GW itself.

Quote
See, it's when you throw in things like this that you confuse me.  Mentioning "all IP addresses reachable directly, without the need for a single router as a GW" just makes me wonder what you are talking about.  Maybe there are situations where the WAN net would have more than two devices on it (the cable or DSL modem, and the device running OPNsense) but for a home user that's a very atypical situation.

A very atypical situation is when there are only two devices in one network and only one network in between those two devices. If you have only two devices, in only one network, and especially if that network is an intermediate network - meaning, is a middle part in at least a route, like your FW <-> modem network - then when any of the two devices fails it causes a complete failure in routing through that single point of failure type network. In a Fail-Over, High-Availability topology, where a plan B should exist from the beginning, this is not allowed, let alone typical or not. Further on we, or at least I, can't figure out of thin air the level of knowledge somebody has, and the strong instinct is to assume that the level of knowledge of those interested in FWs like OPNsense is at least intermediate, not about OPNsense, of course, but about networking, and TCP/IP, and switching and routing... So that the atypical needs no explanations.

It shouldn't be a problem if somebody is not at least an intermediate, but your opening statement, that you are new to OPNsense (and not new to networking), implied that you are looking for help to implement some general and known networking stuff using the particular and unknown means of OPNsense.

Cheers!
Title: Re: [SOLVED] How can I restrict device to the local network only with one exception?
Post by: comet on December 08, 2017, 07:59:15 am
What, exactly, was the point of that post?  You couldn't get enough of a rise out of me with your provocative statements in your previous post, so you decided to poke the bear again?  And that despite the fact that I have marked the thread as solved, and am ready to move on?

There was a lot in that post that I didn't understand, but I suppose that was deliberate on your part.  But no matter, because I am so done with this.

Believe me when I say that I will have to be pretty desperate to ever attempt to ask another question in this forum.  I have participated in many forums over the years, going all the way back to the days of dial-up BBS's, and I have to say that very few forums have been as unfriendly to new users as this one seems to be.
Title: Re: [SOLVED] How can I restrict device to the local network only with one exception?
Post by: franco on December 08, 2017, 08:08:39 am
I really don't get why you are upset, comet. People will post and not necessarily stop and you do the same. People state their opinion and their views not to annoy, but to share and learn. If that's not interesting enough at some point somebody will have to stop adding to a thread that is marked [SOLVED] and it might as well be you. ;)
Title: Re: [SOLVED] How can I restrict device to the local network only with one exception?
Post by: comet on December 08, 2017, 09:45:01 am
Quote
People state their opinion and their views not to annoy, but to share and learn.
If you can read that post that I was replying to and honestly believe he was not deliberately trying to annoy, then that's a big part of the problem with this forum.

Since I apparently have to spell it out, the reason it's annoying is because by now he definitely knows that I know next to nothing about networking, and that furthermore I don't really want to get into the more esoteric aspects of it.  It is not one of my goals in life to become a networking guru; I'm really just trying to run a home network, and by now he knows that.  And yet he insists on giving these long and rambling explanations that he knows full well I will not understand, AND he seems to think I should be grateful that he is dumping all this knowledge on me. Or something like that.

If you only want people well-versed in networking to use OPNsense, and not plain old users that just want to know enough to make the software work in a functional manner, then maybe you should just come right out and say that, because that's definitely the vibe I am getting.  I have already figured out that there are certain advanced features in OPNsense that I will never understand, and that's fine, and I'm not asking about those.  But when you have to ask questions to even make basic functionality work, and then no one can explain how those work in a clear and concise manner, that indicates a failure in the documentation at the very least.  And by the way, while on that subject, no one has yet explained how or why you'd use the "WAN Address" setting in the destination dropdown, since there doesn't appear to be any way to specify a specific WAN address, and if any of your documentation explains that, I've been unable to locate it.  Even something as simple as that is apparently not documented (same is true of LAN Address).  And while it's not important for me to know that now, it still bugs me that so much in OPNsense doesn't appear to be well documented AND that certain people in this forum seem to assume that you're thick in the head if you don't already know this stuff.  And then if you ask, you get some long, rambling reply that you couldn't understand if your life depended on it, along with maybe an insult or two to boot.  And as the moderator, you see nothing wrong with that type of reply, but if the person on the receiving end shows annoyance, you are right there to express your displeasure.

Part of the reason I rephrased some of what was posted when I finally "got it" about what I was doing wrong was an effort to show how to phrase things if you are trying to explain them to normal people.  I am not the best writer in the world, but if I understand how to do something and I am trying to explain it to someone else, I TRY to make that explanation as clear as possible, and to write at their level, and to answer the question they asked and not answer the question I think they should have asked.  I almost made a snarky comment to the effect that "this is how you should learn to write" but since I don't think my writing skills are all that great, and since I was trying not to raise the temperature of this thread any higher at the time, I thought better of it.

At this point I feel VERY unwelcome here and while I know a couple of people will be quick to say it's my own doing, all I will say is that I have participated in many forums over the years, on many different topics, and I can only think of maybe two or three others where I have been this annoyed by the responses I have received to simple questions, and I am just not the type to quietly let people crap all over me.  And therefore I should just stop posting as you suggested, and I intend to, and while I have a great urge to say "I will never post in this forum again!", my fear is that after having put all this effort into getting OPNsense to work, the day may come that something might stop working and then I will be forced to try to find out why.  So I am not going to say that, but from now on I am going to avoid posting anything in this forum unless I feel it is an absolute necessity.

The only other thing I will say, which is something I said to you in my PM, is that you really ought to consider making a new board on here specifically for people who are new to programs like OPNsense and who know little or nothing about networking in general, so at least there would be a spot where new users could ask questions and the regulars would not assume that if they are trying to use OPNsense, they must have some advanced networking knowledge.  Unless I am right in thinking maybe that is a type of user you really don't want in the first place.

So for now, goodbye, and thank you to those who did post helpful responses.  This will be my last post in this thread, and quite possibly on this forum.
Title: Re: [SOLVED] How can I restrict device to the local network only with one exception?
Post by: xinnan on December 08, 2017, 10:13:16 am
Personally, I find the people here at opnsense mostly very helpful.
They post.  I try to understand.  Sometimes, I even succeed.
Also, they haven't banned me yet, so how bad can they be?
Title: Re: [SOLVED] How can I restrict device to the local network only with one exception?
Post by: fabian on December 08, 2017, 11:26:58 am
Also, they haven't banned me yet, so how bad can they be?

People are banned for spam and very poor behaviour (for example permanently insulting people, posting illegal or inappropriate content etc.).
So far I am not aware of anyone being banned from the forum for lacking networking knowledge. This forum has users from beginners to networking professionals and this is visible in how the posts of those users are written.

For this reason, an answer from a professional might be not understandable for a beginner, but this does not mean that the answer is incorrect or useless. There might be someone with a similar problem, who finds the thread via a search engine and can solve his issue immediately with this answer. Please note that nobody here knows what the author of a question knows about networking.
Title: Re: [SOLVED] How can I restrict device to the local network only with one exception?
Post by: franco on December 08, 2017, 11:57:39 am
I'm quoting this and top posting, emphasising the fact that I'm not going to read your long response that has nothing to do with your original questions. I can do better things with that time, maybe you could have done that, too?

I also agree with Fabian. We talk... if there is miscommunication due to understanding gaps, language or else that's not a problem as long as we're willing to work towards a common base, repeat answers, break them down or otherwise approach the answer in a way that is better understandable.

That's the real work that's worth the time reading and posting here, not this...

People state their opinion and their views not to annoy, but to share and learn.
If you can read that post that I was replying to and honestly believe he was not deliberately trying to annoy, then that's a big part of the problem with this forum.

Since I apparently have to spell it out, the reason it's annoying is because by now he definitely knows that I know next to nothing about networking, and that furthermore I don't really want to get into the more esoteric aspects of it.  It is not one of my goals in life to become a networking guru; I'm really just trying to run a home network, and by now he knows that.  And yet he insists on giving these long and rambling explanations that he knows full well I will not understand, AND he seems to think I should be grateful that he is dumping all this knowledge on me. Or something like that.

Title: Re: [SOLVED] How can I restrict device to the local network only with one exception?
Post by: Ciprian on December 08, 2017, 03:54:18 pm
Quote
no one has yet explained how or why you'd use the "WAN Address" setting in the destination dropdown, since there doesn't appear to be any way to specify a specific WAN address, and if any of your documentation explains that, I've been unable to locate it

WAN address is the IP address you have on your WAN interface! :)

Remember, "WAN" is the name of (one of) the FW's interface(s). You could name that interface Nebuchadnezzar, for example, and then, in the FW rules' drop-downs, you would have seen Nebuchadnezzar net and Nebuchadnezzar address. I wouldn't know how to explain it better than this, sorry. There are two default interfaces the initial set-up comes with, one for the internal (aka protected and NAT-ed) network, and one connected to the internet (directly or indirectly; directly to the ISP or, respectively, indirectly through a modem - your case). For ease of things, and as a hint contained in the name, those two initial interfaces are not named INT1 and INT2 (or Nebuchadnezzar), so you are not going to see confusing expressions like "INT1 address" or "Nebuchadnezzar net" in the FW rules' drop-downs.

Further, it is possible to add more interfaces in OPNsense, and at the adding time they will be created with names like OPT1, OPT2, ..., OPT7 and so on, names you are free to easily change to something more meaningful, like Wi-Fi, Perimeter etc. But since a FW, any FW, in its simplest setup and purpose, will definitely stay between at least 2 networks, one being a (protected) LAN and the other being (to) the internet, the first 2 interfaces are named not INT1, INT2, but LAN, WAN.

So, for the final time, LAN address is the IP address set on the LAN interface, usually and by default being 192.168.1.1/24. LAN net is the network space of the LAN interface, usually and by default being 192.168.1.0/24. The same goes for WAN net and WAN address, but since those are usually obtained from an ISP, as a dedicated fixed public IP address (and the corresponding network) or automatically through DHCP, from the ISP or another device (e.g. your modem), I wouldn't be able to say that usually the WAN address and net are by default X.X.X.X/Y. If you wanna see exactly what value each one has, you have to check the status of your FW's WAN interface.

Hope it's clear now, or I rest my case anyway, since I wouldn't and couldn't explain it better.

Quote
Even something as simple as that is apparently not documented (same is true of LAN Address).  And while it's not important for me to know that now, it still bugs me that so much in OPNsense doesn't appear to be well documented

I don't have the time now to point you to every place in the documentation where this matter is very well discussed (medical emergencies), I only mention the most important chapter in the official documentation, the chapter named "Initial Installation & Configuration", defaults being mentioned right at "https://docs.opnsense.org/manual/install.html#initial-configuration". Please be aware of the fact that, because of the reasons invoked above for WAN net & address, there is no such thing as a default for WAN address.

The only default for WAN is the DHCP as the way of establishing both the WAN address and the WAN net -> too many possibilities, so no default values.

Cheers and good luck!