
Messages - christianholz

#1
19.7 Legacy Series / DMZ Firewall rules driving me crazy
November 19, 2019, 05:23:46 PM
Hi OPNsense wizards,

I am slowly losing steam with OPNsense and wonder if I have to go back to pfSense, where I never had this problem... But maybe I am just overlooking something obvious?

I am running OPNsense 19.7.6-amd64 and I have three NICs on my device. One is bound to the external GW, one to the LAN and one is my DMZ. So far so good. I can access the Internet from both the LAN and DMZ networks, I can access the DMZ from the LAN (also as expected), but I cannot prohibit connections from DMZ to LAN. The latter is absolutely necessary for me, otherwise it is not a DMZ.

I have tried the following:

- Added a rule on the DMZ interface, type "Block", direction out, with the destination being the whole LAN network (/24) and the rest pretty much any/any as suggested by OPNsense.
- Added a rule on the LAN interface, type "Block" where the source is the DMZ network (also /24).
- At this point there are no exceptions defined; i.e. no other firewall rules. All of the rules are "first match".

With this, I still have bidirectional connectivity between LAN and DMZ and I don't understand why. I have flushed the states table and rebooted the firewall multiple times without any results.

What I am trying to get is:

- Both LAN and DMZ can talk to the Internet
- LAN can talk to everything on all ports in the DMZ
- DMZ can talk to a single IP in LAN via SSH only
- OpenVPN terminates in LAN with the aforementioned access as LAN (this seems to work)

Anything that could be wrong here?

Thanks for any hints...

Christian