General Discussion / OPNsense ignore my Rule set
« on: May 19, 2020, 08:34:17 am »
Hello,
I'm just working on my first OPNsense rule setting. I have experience with pfSense and I'm desperate.
My OPNsense installation refers to version 20.1.
The basic configuration has created two rules for the LAN interface, one each for IPv4 and IPv6, according to the motto "everything can go through". A separate set of rules should only allow data traffic for one computer in the LAN in my example. As a last step, I have also added a rule to block everything that could not be handled by the previous rules. I know that this is considered automatically, but I want to log the blocked traffic. The following lines should illustrate the order and simplified logic:
Allow IPv4 TCP/IP Host 192.168.230.10/24 Port 443, 53
Block IPv4 TCP/IP LAN net
Allow IPv4 TCP/IP LAN net
Allow IPv6 TCP/IP LAN net
My state of knowledge says that all rules are worked out from top to bottom.
If I deactivate the pre-installed last two rules, which allow everything, nothing works. However, an automatically generated block rule from the "Floating Rules" is applied. I'm still too unclear about the floating rules and especially the automatically generated rules behind them. What exactly is behind this and how can I influence these automatic rules?
For a better overview my diagram:
Internet
:
: Cable-Provider (for the internet)
:
.-----+-----.
| Gateway | (Fritzbox as router and integrated cable modem)
'-----+-----' LAN: 10.110.180.10
|
|
|
.-----+------. WAN: 10.110.180.110 (Gateway: 10.110.180.10)
| OPNsense |
'-----+------' LAN: 192.168.230.10
|
|
PC (192.168.230.210)
Thank you and best regards,
fm
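An added example, not part of the forum post: a small first-match simulator for the rule set listed above. OPNsense evaluates floating rules before interface rules, and interface rules top-down with "quick" set by default, so the first rule whose fields match the packet decides; a packet that matches no user rule falls through to the built-in default deny, which the firewall log attributes to an automatic rule rather than to one of your own. The code also flags rules that can never match because an earlier rule already covers everything they would. The IPv6 LAN prefix, the packet samples and the rule names are constructed for illustration; note that a /24 mask on a single address selects the whole subnet, so a single-host rule would use /32.

```python
"""First-match simulation of an OPNsense-style LAN rule set (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.230.0/24")
LAN_NET6 = ipaddress.ip_network("fd00:230::/64")  # assumed IPv6 LAN prefix (constructed)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "block"
    family: int                      # 4 or 6
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dports: frozenset[int] | None    # None means any destination port
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    ip = ipaddress.ip_address(pkt.src)
    if ip.version != rule.family or ip not in rule.src:
        return False
    return rule.dports is None or pkt.dport in rule.dports


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, rule name). First match wins ("quick"); no match -> default deny."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.name
    return "block", "default deny (automatic rule, not one of the user rules)"


def shadowed(rules: list[Rule]) -> list[tuple[str, str]]:
    """Rules that can never match because an earlier rule of the same family
    covers a superset of their source addresses and destination ports."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.family != r.family or not r.src.subnet_of(earlier.src):
                continue
            ports_covered = earlier.dports is None or (
                r.dports is not None and r.dports <= earlier.dports)
            if ports_covered:
                found.append((r.name, earlier.name))
                break
    return found


# The poster's order: host allow, logged block, then the two default allow-all rules.
# "192.168.230.10/24" with strict=False normalises to 192.168.230.0/24, i.e. the whole LAN.
POSTER_RULES = [
    Rule("allow host 443/53", "pass", 4,
         ipaddress.ip_network("192.168.230.10/24", strict=False), frozenset({443, 53})),
    Rule("block LAN net (log)", "block", 4, LAN_NET, None, log=True),
    Rule("allow LAN net v4", "pass", 4, LAN_NET, None),
    Rule("allow LAN net v6", "pass", 6, LAN_NET6, None),
]

# Same set with the two pre-installed allow-all rules deactivated.
WITHOUT_ALLOW_ALL = POSTER_RULES[:2]

# Variant where the first rule really is a single host (/32) rather than the subnet.
SINGLE_HOST_RULES = [
    Rule("allow host 443/53", "pass", 4,
         ipaddress.ip_network("192.168.230.10/32"), frozenset({443, 53})),
] + POSTER_RULES[1:]

# Constructed sample packets: the PC from the diagram plus an IPv6 LAN host.
PC_HTTPS = Packet("192.168.230.210", 443)
PC_HTTP = Packet("192.168.230.210", 80)
V6_HTTP = Packet("fd00:230::42", 80)

if __name__ == "__main__":
    for label, rules in (("as posted", POSTER_RULES),
                         ("allow-all disabled", WITHOUT_ALLOW_ALL),
                         ("/32 host rule", SINGLE_HOST_RULES)):
        print(f"--- {label}")
        for pkt in (PC_HTTPS, PC_HTTP, V6_HTTP):
            print(f"{pkt.src}:{pkt.dport} -> {evaluate(rules, pkt)}")
        print("unreachable rules:", shadowed(rules))
```

Running it shows why the order matters: with the rules as posted, the PC's port 443 traffic is passed by the first rule (because /24 covers the whole LAN), its port 80 traffic is stopped by the logged block rule before the IPv4 allow-all is ever consulted, and that allow-all rule is reported as unreachable. With the two allow-all rules disabled, IPv6 traffic matches nothing and hits the automatic default deny, which is the behaviour described in the post.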