OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: gladston3 on July 17, 2018, 06:03:35 pm

Title: Block all but allow WAN/internet access
Post by: gladston3 on July 17, 2018, 06:03:35 pm
Hi,

I have multiple LAN/opt ports and would like to keep them isolated from each other but allow WAN/internet access on all of them. So my plan was to create a block all rule for each LAN/opt port and put a rule above which allows the WAN/internet traffic. Unfortunately I was unable to create such a rule. It didn't matter what I tried I wasn't able to access the internet. Can anyone please guide me or give me a hint how to do that?

I know that I could make a allow all rule and put the block rules for each subnet above that, but that becomes quite unhandy when you have multiple ports/networks. So I want to avoid that approach.

Thank you very much in advance
Cheers
-gladston3
Title: Re: Block all but allow WAN/internet access
Post by: JasMan on July 17, 2018, 09:37:00 pm
Hey gladston3,

There's no need for a "block all" rule to block traffic between the LAN ports. The default blocking rule of the firewall will block the traffic between your different subnets if it is not explicitly allowed by a rule.

To access the Internet you need to configure NAT for each subnet first.

Then you will need some allow rules for each service and subnet you would like to allow.
You can use a floating rule to create one rule, e.g. for HTTP(S) to WAN, for all your LAN interfaces.
Choose the WAN gateway to allow this traffic only for WAN. Otherwise it will also allow HTTP(S) between your subnets.

Don't forget to allow also DNS for the clients. If your OPNsense is your DNS server, allow DNS to the firewall. Otherwise allow DNS to the Internet or only to one server e.g. 8.8.8.8.

Jas
 
Title: Re: Block all but allow WAN/internet access
Post by: gladston3 on July 17, 2018, 10:27:17 pm
Hi, thanks for your answer!

> Hey gladston3,
>
> There's no need for a "block all" rule to block traffic between the LAN ports. The default blocking rule of the firewall will block the traffic between your different subnets if it is not explicitly allowed by a rule.

okay, understood.

> To access the Internet you need to configure NAT for each subnet first.

Do you mean outbound NAT rules? Those are set automatically in the default settings, aren't they?

> Then you will need some allow rules for each service and subnet you would like to allow.
> You can use a floating rule to create one rule, e.g. for HTTP(S) to WAN, for all your LAN interfaces.
> Choose the WAN gateway to allow this traffic only for WAN. Otherwise it will also allow HTTP(S) between your subnets.

That's where I am struggling. What do I have to put at "destination" so WAN traffic is allowed? The only option with which I got it working was "any" and that's definitely not what I want. Can you maybe show me a sample rule for HTTPS or any other service?

Thanks once again
Cheers
-gladston3
Title: Re: Block all but allow WAN/internet access
Post by: JasMan on July 18, 2018, 07:25:35 am
> Do you mean outbound NAT rules? Those are set automatically in the default settings, aren't they?

Yes, you're right. By default OPNsense generates those rules by itself. I missed this point because I've set it to "manual" to have full control over the settings. But I'm not sure how the standard NAT is working. I mean, how does OPNsense recognize which adapter is WAN and which is LAN, and where it has to do NAT? Maybe you should check if OPNsense has created the necessary rules.

> That's where I am struggling. What do I have to put at "destination" so WAN traffic is allowed? The only option with which I got it working was "any" and that's definitely not what I want. Can you maybe show me a sample rule for HTTPS or any other service?

There's no firewall object for Internet hosts. But you can create an alias with all private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), add it as destination in your rule and invert it. That's how I did it. Works fine.
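To make the two suggestions in this thread concrete (a floating HTTP(S) rule shared by all LAN-side interfaces, a separate DNS rule towards the firewall, and the "private networks" alias used as an inverted destination), here is an added, self-contained Python model of a first-match rule set with default deny. It is not OPNsense code and does not talk to the firewall; the interface names, firewall addresses, sample hosts and the 203.0.113.0/24 documentation range standing in for "the Internet" are all constructed for the example. It shows why the inverted alias lets traffic out to the Internet while inter-subnet traffic still falls through to the default block, and why DNS to the firewall needs its own rule (the firewall's LAN address is itself inside the inverted alias).

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed alias: the three RFC 1918 ranges, as suggested in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: the firewall's own address on each LAN-side interface.
FIREWALL_ADDRS = [ipaddress.ip_network(a)
                  for a in ("192.168.1.1/32", "192.168.2.1/32", "192.168.3.1/32")]

# Constructed interface names; a floating rule can list all of them at once.
LAN_IFACES = ("lan", "opt1", "opt2")


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet enters on
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    ifaces: tuple                    # interfaces the rule applies to
    proto: str                       # "tcp", "udp" or "any"
    dports: tuple                    # () means any destination port
    dst_alias: list = field(default_factory=list)
    invert_dst: bool = False         # the "destination / invert" (not) option
    descr: str = ""

    def matches(self, flow: Flow) -> bool:
        if flow.iface not in self.ifaces:
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        dst = ipaddress.ip_address(flow.dst)
        in_alias = any(dst in net for net in self.dst_alias)
        # Inverted destination: match only when dst is outside every alias member.
        return (not in_alias) if self.invert_dst else in_alias


# Rule order matters: first match wins, and anything unmatched is blocked.
RULES = [
    Rule("pass", LAN_IFACES, "udp", (53,), FIREWALL_ADDRS,
         descr="DNS from every LAN-side subnet to the firewall itself"),
    Rule("pass", LAN_IFACES, "tcp", (80, 443), PRIVATE_NETS, invert_dst=True,
         descr="HTTP(S) to anything that is NOT a private network"),
]


def evaluate(rules, flow: Flow):
    """Return (action, description) of the first matching rule, else default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.descr
    return "block", "default deny (no explicit allow rule)"


# Constructed sample flows; 203.0.113.10 stands in for an Internet host.
SAMPLE_FLOWS = [
    Flow("lan", "192.168.1.10", "203.0.113.10", "tcp", 443),  # web to Internet
    Flow("lan", "192.168.1.10", "192.168.2.10", "tcp", 443),  # web to opt1 subnet
    Flow("opt1", "192.168.2.10", "192.168.2.1", "udp", 53),   # DNS to firewall
    Flow("lan", "192.168.1.10", "8.8.8.8", "udp", 53),        # DNS to Internet
    Flow("lan", "192.168.1.10", "203.0.113.10", "tcp", 22),   # SSH to Internet
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, why = evaluate(RULES, f)
        print(f"{f.iface:5} {f.src:>13} -> {f.dst:>14}:{f.dport:<4} {f.proto}  {action:5}  ({why})")
```

The model deliberately leaves out the "choose the WAN gateway" variant JasMan mentions: in OPNsense that is policy routing on the matched rule rather than a destination test, and the alias-plus-invert approach achieves the same isolation purely by destination matching. Note that a flow such as DNS to 8.8.8.8 is blocked here only because this rule set chose "DNS to the firewall"; allowing DNS to the Internet instead would be a third rule with the same inverted alias on port 53.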
Title: Re: Block all but allow WAN/internet access
Post by: gladston3 on July 18, 2018, 09:49:46 am
> There's no firewall object for Internet hosts. But you can create an alias with all private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), add it as destination in your rule and invert it. That's how I did it. Works fine.

Ahh, that's what I was looking for. Brilliant idea which I would have never figured out by myself ;) since it's a little bit complicated/counterintuitive imho.

Nevertheless, thanks a lot! That did the trick :)

Cheers
-gladston3