Messages

1

General Discussion / Re: Blocking incoming traffic at the LAN/OPT level instead of the WAN

« on: April 06, 2018, 02:09:02 pm »

Not that I'm aware of.

Interface rules are only applied to ingress traffic on the interface.
Floating rules can be configured as ingress and/or egress.

WAN ingress traffic is egress on the interface it is routed to.
To evaluate traffic at the routed to interface a floating egress rule would be needed.

In most cases it is typically better to leave everything blocked at the WAN and only open/NAT the things that are needed.  Allowing the WAN to be wide open puts the router at higher risk of compromise.  Don't think you'll find this to be a very common practice for an internet facing WAN.  Certainly not a BKM.  It may seem like more work, but think a compromised router would end up being far more work and impact.

The thing is, it's NOT an internet facing WAN. This is deeply internal and the firewall sits mostly at the center of the network. It's purpose mostly is for permitting access between various VLANs on a per need basis and further allowing in external internet IPs that have already been cleared by the edge.

I understand everyone's concern about security at the WAN level, but I cannot stress enough that this is not a problem based on the location of this firewall.

I guess conceptually what I'm needing is some sort of zoning. Like, WAN says "ok, this is good. Pass to the next zone for evaluation." Next "zone" being the destined VLAN.

2

General Discussion / Re: Blocking incoming traffic at the LAN/OPT level instead of the WAN

« on: April 05, 2018, 05:36:38 pm »

If I tell WAN to just pass the traffic through, even if I have a rule blocking ICMP on VLAN 5, it still goes through. As well as I can tell, this is because when the rule was matched to accept the traffic at the WAN level, it stopped caring about everything else and just let it go on through.

Nope.  That's not how it works.  Interface firewall rules are applied on ingress.  Traffic route to VLAN is egress.  So VLAN interface rules will not be applied.

How do I set this up? Basically I just want WAN wide open so I can filter incoming on my VLANs as I see fit.

With floating rules.  They can be configured for ingress and/or egress.

I know you didn't query for opinions.  But I'm with elektroninside.  Traffic is typically best block earliest possible.

So if I'm to understand you correctly, there's no way of evaluating the VLAN rules on ingress if the traffic originated from the WAN?

3

General Discussion / Blocking incoming traffic at the LAN/OPT level instead of the WAN

« on: April 05, 2018, 01:58:48 am »

Hello everyone. I'm pretty new to opnsense, so hopefully this isn't a dumb question. But I'll try to run through my setup.

I have 2 physical NIC on which 1 is the WAN and the other has multiple VLANs. My problem is that apparently I don't know how to set up WAN to properly pass through traffic to the VLANs. For example, let's say I want to block ICMP on VLAN 5.

I can block it at the WAN and it's fine, but I don't want a massive list of incoming rules for all my VLANs on the WAN. I'd rather handle it at the VLAN level.

If I tell WAN to just pass the traffic through, even if I have a rule blocking ICMP on VLAN 5, it still goes through. As well as I can tell, this is because when the rule was matched to accept the traffic at the WAN level, it stopped caring about everything else and just let it go on through.

How do I set this up? Basically I just want WAN wide open so I can filter incoming on my VLANs as I see fit.