Messages

1

19.7 Legacy Series / Re: Need help with interface based firewall rules

« on: July 19, 2019, 09:08:02 am »

Does one of the Core Members know why it`s not possible to specify both a source interface as well as a destination interface in a single firewall rule in OPNsense?

2

19.7 Legacy Series / Re: Need help with interface based firewall rules

« on: July 18, 2019, 02:31:35 pm »

i mean, in iptables you can match by IP and Interface like:

iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -o eth2 -j ACCEPT

eth0 = LAN
eth1 = DMZ
eth2 = WAN

Which will make sure, that the traffic can not take a diffrent "route". This makes it more specific and easy to handle.

3

19.7 Legacy Series / Re: Need help with interface based firewall rules

« on: July 18, 2019, 02:05:28 pm »

Thanks Maurice and Simser.

Can´t OPNSense not do it properly due to *BSD/pf or because its just not implemented in the GUI?

4

19.7 Legacy Series / Need help with interface based firewall rules

« on: July 18, 2019, 01:25:41 pm »

Hello,

i have a OPNSense Box with 5 Interfaces. To keep it simple i will break it down to 3 Interfaces.

1.) LAN
2.) DMZ
3.) WAN

Like: https://i.stack.imgur.com/aFNLH.jpg

My goal is to allow traffic from the DMZ to the Internet.

How do i do that?

On the IRC Channel, i was told to:
- allow in DMZ Interface to any
- block in the DMZ Interface to LAN

 => which does work, but on a large Setup is dangerous and it gets complicated as hell. For example:
- if you add an IPSec Tunnel, you need to remeber to block it actively on the DMZ Interface
- if you add a route, you need to remeber to block it actively on the DMZ Interface
- if you add a interface or network, you need to remeber to block it actively on the DMZ Interface

Whats the right approach on this?

Thanks,
Mario