Messages - mohnewald

#1
Does one of the Core Members know why it's not possible to specify both a source interface as well as a destination interface in a single firewall rule in OPNsense?

#2
I mean, in iptables you can match by IP and interface like:

iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -o eth2 -j ACCEPT

eth0 = LAN
eth1 = DMZ
eth2 = WAN

which will make sure that the traffic cannot take a different "route". This makes it more specific and easy to handle.

#3
Thanks Maurice and Simser.

Can't OPNsense do it properly due to *BSD/pf, or is it just not implemented in the GUI?

#4
Hello,

I have an OPNsense box with 5 interfaces. To keep it simple I will break it down to 3 interfaces.

1.) LAN
2.) DMZ
3.) WAN

Like: https://i.stack.imgur.com/aFNLH.jpg

My goal is to allow traffic from the DMZ to the Internet.

How do I do that?

On the IRC channel, I was told to:
- allow in DMZ Interface to any
- block in the DMZ Interface to LAN

=> which does work, but on a large setup is dangerous and it gets complicated as hell. For example:
- if you add an IPsec tunnel, you need to remember to block it actively on the DMZ interface
- if you add a route, you need to remember to block it actively on the DMZ interface
- if you add an interface or network, you need to remember to block it actively on the DMZ interface

What's the right approach on this?

Thanks,
Mario
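Added example, not from this thread and not OPNsense's own generated ruleset: the pattern below expresses, in plain pf.conf as used on FreeBSD, the intent of the iptables rule from post #2 (DMZ hosts may only go out to the Internet) without matching a destination interface. pf decides per rule on one interface and direction, so the constraint is moved to the destination address instead: a default deny on the DMZ interface plus one pass rule whose destination is "everything except internal space". The interface name, networks and table contents are assumptions chosen for illustration.

```pf
# Added example, not from this thread or from OPNsense. Interface name,
# networks and table contents are constructed for illustration.
dmz_if  = "em1"
dmz_net = "192.168.10.0/24"

# Everything DMZ hosts must never reach. Listing the whole RFC 1918 space
# instead of each LAN, route or IPsec network individually means a newly
# added internal network or tunnel is covered without editing this rule.
# 'const' keeps the table from being changed at run time (e.g. via pfctl).
table <internal_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default deny on the DMZ interface, logged. pf uses last-match-wins
# unless a rule says 'quick', so this is the fallback for anything below.
block in log on $dmz_if all

# DMZ hosts may reach anything that is NOT internal (IPv4 only here).
# 'quick' makes this the final decision; packets to <internal_nets> do not
# match the negated destination and fall back to the block above.
pass in quick on $dmz_if inet proto { tcp udp icmp } \
    from $dmz_net to ! <internal_nets>

# Services the firewall itself offers to the DMZ (here: DNS) need their own
# explicit pass, because the firewall's DMZ address lies inside <internal_nets>.
pass in quick on $dmz_if inet proto { tcp udp } \
    from $dmz_net to ($dmz_if) port 53
```

With this shape, adding an IPsec network, a static route or a new interface does not require remembering a new block rule on the DMZ: as long as the new network is carved out of the ranges in `<internal_nets>`, it is denied by default, and the only deliberate act is adding a pass rule if DMZ hosts are actually meant to reach it. In the OPNsense GUI the same idea is an alias holding the internal ranges and a single pass rule on the DMZ interface whose destination is that alias with the invert option set, above an explicit block-all. FreeBSD's pf also documents a `received-on` rule option that lets an outbound rule on one interface require a particular ingress interface; check pf.conf(5) on the installed release before relying on it.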