Messages - Smack2k

#1
21.7 Legacy Series / OpenDNS not working
October 30, 2021, 12:00:02 PM
I have configured OpenDNS properly on my OPNsense router. When I do a test from the OpenDNS settings, I get a good confirmation. Under General settings, I have the OpenDNS IPs listed for DNS Servers. I have nothing listed for DNS under my DHCP settings for the LAN.

OpenDNS still isn't working when I try a test to their welcome page or the internetbadguys link.

I have some statically assigned devices on my LAN with the OpenDNS IPs entered manually that work fine with OpenDNS, but anything getting a DHCP address, or anything set statically with DNS set to the router IP, doesn't work with OpenDNS.

Am I missing something to get this working?

Thanks
#2
Sometimes I need to be beaten over the head before something sinks in....lol

I got it now.....it's doing what it should as well.

Thanks again very much for the assistance.....and repeating yourself to help beat it into me!!
#3
TLDR - Are you saying I need to put a block rule on the parent LAN interface and then individual allow rules for each VLAN on the parent interface? Then I can use the individual VLAN rules from there?

I'm not sure what I am missing here, but what you are saying needs to be done is what I have done.

For one of my VLANs (the one I have used in my previous posts), I have removed the allow all IN and allow all OUT rules (see attached). I haven't touched the LAN interface rules and haven't in the past. All of my VLANs are created off of that parent LAN interface. I had these rules set up for a while and at no point did I ever have anything in my VLAN rules blocking the LAN interface itself. I had rules to only allow certain other IP addresses to access machines in my VLAN. But now, as you can see in the attachment, there are NO rules for that VLAN and it states all incoming connections on this interface will be blocked. Yet I can still access machines on that VLAN from machines on another VLAN....

Also, if I wanted to block all other VLAN traffic from accessing this VLAN, but I still wanted to allow this VLAN to get out to the internet, blocking the LAN interface would prevent that.

I think where my confusion comes in is that for about 20 months I had these rules set up ONLY in the individual VLANs and nothing on the parent LAN interface itself, and things were working fine. Then it just stopped. If I am allowing all traffic into the LAN interface, wouldn't the individual VLAN rules then decide if that traffic can access those interfaces?

You mentioned creating an IN rule on the interfaces I want to block traffic from. I disabled the IN and OUT rules for this one VLAN. Since OPNsense says traffic is blocked unless specified, shouldn't that block anything getting in or out of that VLAN? Yes, the allow all rule is still on the LAN interface itself, but the rules are applied to the VLAN (which again is one of several VLANs created off that same LAN interface).

Reading the documentation again, but I just don't understand why what I had set up and working no longer does!!

Thanks for being patient and responding with information, I do appreciate it.
#4
Quote from: Greelan on May 16, 2021, 11:46:05 AM
Well, like with the LAN rules, you would use the VLAN rules to regulate traffic coming from VLAN net

That's where my rules are....in each VLAN.

There are several VLANs set up that are all coming from the same LAN interface. The VLAN rules are there for each VLAN. I've even disabled the allow all in and allow all out for one of them as a test. But I can still access machines in that VLAN from a machine in a different VLAN. Same goes for the other VLANs: everything can access everything even though I have specific rules set for each VLAN. The fact that I disabled the allow all in and out for the one VLAN should mean nothing can get to those machines, yet I still can.

The LAN that the VLANs are created from has the allow all rule from the attachment in an earlier post. But that has been that way for a long time. It's just that all of a sudden the firewall rules aren't doing anything, whether enabled or disabled.
#5
Forgive my ignorance here, but what is the point of having individual VLAN rules to decide what is and isn't allowed in / out if you just block things from the LAN rule? The VLANs are all created off the LAN NIC.

#6
OK,

If I disable that, nothing would be able to get out, even if I have it allowed from the VLANs, correct?

So what are my options?

This is the rule I am talking about (attached)

If that is disabled or not allowed, nothing coming from that NIC would get out. If that is the case, what is the point of the VLANs? This was working fine for a long time the way I had it set up. I never touched the LAN rule and made all the firewall rules from the VLAN interfaces.

#7
Are you saying the default allow LAN rule trumps all the rules you set in individual VLANs?

That doesn't seem right.

#8
I had these rules set in each VLAN previously and they were working. I didn't allow anything in or out of my retro VLAN so the machines could only talk to each other.

I don't have a specific block rule, as it states anything that isn't specifically allowed is blocked by default.

I have the default VLAN rules for the retro VLAN disabled (so any in and any out is disabled). The LAN that the VLAN and other VLANs are on still has the default Allow rule, but the specific VLAN rules should supersede the overall LAN rule, I'd think. Otherwise, why even have rules for the VLANs?

I don't want to disable the default allow rule for the LAN or nothing will work.

#9
Cisco switch looks fine. Set up the way it has been. Ports assigned to proper VLANs and trunked properly.

This was working fine and then stopped.  Nothing on either of my switches has changed.

What else on the switch could be the issue? They are fully managed Cisco switches.
#10
Having a strange issue where it seems like firewall rules are being ignored.

As an example, I have a VLAN that has my retro computers on it. For that VLAN, I have disabled the default allow all inbound and outbound rules, but computers on my house VLAN can still contact the retro computers when they are running. I also tried putting in a block rule from my home computer (on my home VLAN) to anything in the retro VLAN, but I can still contact the machines.

I don't know what I am missing here, so hoping someone may have some advice.

The one thing that is still in place is the default Allow LAN to any rule for the NIC that these two VLANs (and others) connect to.  Is that rule my issue?  I thought by creating the Virtual Networks, those rules would trump anything on the main LAN rules.  Perhaps I am wrong?

Thanks for the assistance.
#11
My apologies for not responding sooner, but thank you very much for the information.  I appreciate it.

Going to go through the upgrades this weekend.

If I back up my config on 19.1.7, can I restore that config to a 21.1 install?
#12
21.1 Legacy Series / Upgrade from 19.1.7 to 21.1
April 26, 2021, 02:26:35 AM
Can you upgrade straight from 19.1.7 to 21.1 via the console?

If so, do you choose option 12 and enter 21.1 and the upgrade runs?

Or do you need to upgrade to something in between first?

Thank you!
#13
General Discussion / Step by Step Recommended DMZ setup
February 29, 2020, 10:24:32 PM
Does anyone have or would anyone be kind enough to give a step by step DMZ setup?  Would be for a device on its own VLAN, private IP space...

Just not 100% sure of proper firewall / NAT setup for best performance....this will be for a couple of gaming consoles.
#14
Thank you...I am going to give this a shot and will report the results.
#15
Looking for some assistance on best way to go about this

I have several VLAN interfaces set up on my OPNsense FW / Router. One of the VLANs is blocked from allowing any traffic out or in, so only traffic within the VLAN is permitted (older Windows 9X / DOS / etc. machines in a Retro VLAN). I need to allow just the IP of my NT Server in that VLAN to access DNS from a single IP on another VLAN and also allow the same IP of my NT Server to access File Sharing from a single IP on another VLAN.

Not sure the best way to set this up and get it working....any help is appreciated....
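The inter-VLAN filtering question that runs through posts #3 to #10 (disabled rules on the retro VLAN, yet hosts on another VLAN can still reach it) and the narrow NT Server exceptions asked for in post #15 both come down to which interface's rule list a packet is checked against. The added model below is not OPNsense or pf code and not anything posted in the thread; it is a constructed illustration of the documented pf/OPNsense behaviour that a rule set belongs to the interface on which a packet enters the firewall, rules are tried top to bottom with the first match winning, and anything unmatched is blocked. Interface names, networks and addresses are invented, and "out" direction rules, floating rules and state tracking are deliberately left out so that the ingress point is the only thing that matters.

```python
"""Toy model of per-interface, first-match firewall rule evaluation.

Constructed illustration only (not OPNsense/pf code). A rule set belongs to
the interface on which a packet ENTERS the firewall, rules are tried top to
bottom, the first match wins, and a packet that matches nothing is blocked.
Interface names and addresses are made up for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"             # CIDR, single IP, or "any"
    dst: str = "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None = any port
    description: str = ""

    @staticmethod
    def _in_net(addr: str, spec: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: "Packet") -> bool:
        return (self._in_net(pkt.src, self.src)
                and self._in_net(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrives on (the only list consulted)
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Firewall:
    # interface name -> ordered "in" direction rules for that interface
    rules: Dict[str, List[Rule]] = field(default_factory=dict)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """First matching rule on the ingress interface decides; else block."""
        for rule in self.rules.get(pkt.in_iface, []):
            if rule.matches(pkt):
                return rule.action, rule.description
        return "block", f"default deny: nothing matched on {pkt.in_iface}"


# Constructed topology: a parent LAN plus two VLANs carried on the same NIC.
LAN_NET, HOME_NET, RETRO_NET = "192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"


def build_example_firewall() -> Firewall:
    return Firewall(rules={
        # parent interface keeps its default "LAN net to any" allow rule
        "LAN": [Rule("pass", src=LAN_NET, description="default allow LAN net to any")],
        # home VLAN still carries its default allow rule
        "VLAN10_home": [Rule("pass", src=HOME_NET, description="allow home net to any")],
        # retro VLAN: default allow rules disabled, so its list is empty
        "VLAN20_retro": [],
    })


def isolate_retro(fw: Firewall) -> None:
    """Protect the retro VLAN by blocking traffic TOWARDS it on every other
    interface, i.e. where that traffic enters, ahead of those allow rules."""
    for iface, rules in fw.rules.items():
        if iface != "VLAN20_retro":
            rules.insert(0, Rule("block", dst=RETRO_NET,
                                 description=f"block {iface} -> retro net"))


def allow_retro_server_exceptions(fw: Firewall, server: str = "192.168.20.10",
                                  dns: str = "192.168.10.53",
                                  smb: str = "192.168.10.20") -> None:
    """Narrow pass rules on the retro interface for one server only:
    DNS to one host and SMB to one host; everything else stays default-denied."""
    fw.rules["VLAN20_retro"].extend([
        Rule("pass", src=server, dst=dns, proto="udp", dport=53, description="NT server -> DNS"),
        Rule("pass", src=server, dst=smb, proto="tcp", dport=445, description="NT server -> SMB"),
    ])


if __name__ == "__main__":
    fw = build_example_firewall()
    home_to_retro = Packet("VLAN10_home", "192.168.10.5", "192.168.20.7", "tcp", 445)
    print(fw.evaluate(home_to_retro))   # ('pass', ...): the HOME interface's rule decides
    isolate_retro(fw)
    print(fw.evaluate(home_to_retro))   # ('block', ...)
    allow_retro_server_exceptions(fw)
    print(fw.evaluate(Packet("VLAN20_retro", "192.168.20.10", "192.168.10.53", "udp", 53)))  # pass
    print(fw.evaluate(Packet("VLAN20_retro", "192.168.20.10", "203.0.113.10", "tcp", 80)))    # block
```

The first run shows the symptom from post #10 in the model: a packet from the home VLAN to a retro host enters on the home interface, so the home allow rule passes it, and the empty rule list on the retro interface never gets a say because it only governs traffic entering from the retro VLAN. Blocking traffic into the retro network on the interfaces it comes from, in line with the quoted advice to regulate traffic with the rules of the VLAN it originates on, is what closes that path, while the per-host, per-port pass rules on the retro interface are the least-privilege shape of the exceptions asked for in post #15.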