OPNsense Forum

English Forums => General Discussion => Topic started by: thewolf56 on August 10, 2018, 07:30:42 pm

Title: Question on Firewall Rules
Post by: thewolf56 on August 10, 2018, 07:30:42 pm

Hello,

I am trying to setup my security cameras (only one is connected to the network while I figure this out) with 3 goals:

• The individual camera can email me if there is an alert (I have a separate email that is used only for this purpose)
• The individual camera cannot be reached by the internet (all remote viewing will be done through OpenVPN)
• The individual camera cannot reach the internet (so that they cannot be used as part of a botnet in the case that they ever become infected)

First, I created an alias for my security cameras and added the static IP I had setup for the camera (so I can just add IPs here as I add more cameras to the network).

I setup 3 rules in OPNsense

• Rule 1 - Action - Block, Interface - WAN, Protocol - any, Destination - security_cameras, destination port range - any (goal is to keep anything from the internet from reaching the camera)
• Rule 2 - Action - Pass, Interface - LAN, Protocol - TCP, Source - security_cameras, Destination - any, Destination Port Range - from 587 to 587 (port needed for smtp.gmail.com with TLS on camera), (goal is to allow the cameras to contact the smtp server)
• Rule 3 - Action - Block, Interface - LAN, Protocol - any, Source - security_cameras, Destination - any, Destination Port Range - any (goal is to block the cameras from reaching the internet)

Rule 1 is on the WAN rules page and Rules 2 and 3 are on the on LAN rules page.  Rule 2 is higher on the list than Rule 3, so I thought that should take precedence.

If I have all 3 rules enabled, using the cameras test email setting, the email fails to send. 
If I have Rule 1 and Rule 2 enabled, and Rule 3 enabled, the camera test email will send.

I plan on using the same types of rules to block other items from the internet as much as possible as I add them back to the network, so if I could just get the basics down using this one example, I think I can move forward from there.  I was able to use aliases and WAN rules to get my Xbox ONE from a strict NAT to a moderate NAT using one of the threads on this forum.  With a little bit more research, I was able to get that NAT from moderate to open.

I'm hoping someone with more networking experience can help me out with this and help guide me on this.

Thank you.

Title: Re: Question on Firewall Rules
Post by: thewolf56 on August 11, 2018, 02:02:59 am

Okay, I really don't understand this.

I took screenshots of the 3 rules I had created, then deleted the 3 rules and alias.

I re-created the alias and recreated the 3 rules and placed them exactly in the same place as I had them in the rules list prior to deleting them. 

I disabled Rule 2 and tried to send a test email from the camera while simultaneous watching the live log (filtered for that camera's IP) and saw the firewall block the attempt at port 587, as expected.  I then re-enabled Rule 2 and sent another test email and I could watch the firewall log pass that packet as I had hoped for Rule 2 in green.  I then saw my Rule 3 block a few attempts at port 53 at my LAN address, so I know that the firewall rules are working now.  I'm still not sure why they work now when they didn't before.

Title: Re: Question on Firewall Rules
Post by: samsonmcnulty on August 11, 2018, 09:18:18 am

Did you reboot after you finalized your initial rule entries? And did you then reboot before or after adding them the second time around? It sounds like you either needed a reboot or you set something incorrectly the first time around.