OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of ubear »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - ubear

Pages: [1]
1
General Discussion / [Help Needed] Block outgoing ping
« on: August 18, 2024, 03:33:34 pm »
Hello wise people!
I have the following setup:
LAN and 7 VLAN's on igb0
Primary WAN on igb1
Fallback WAN2 on igb2

Q1: I want to block ping from all LAN and VLAN's to any external addresses (WAN or WAN2) while preserving ping within my network.
My attempt for WAN: created an OUT rule on WAN that (PASS or BLOCK) IPV4 ICMP packets. both modes blocked the outgoing ping, WHY?

Q2: I want to enable outgoing ping from ONE particular host for speedtest. Adding such a rule (pass, from 192.168.60.10 to any, IPV4, ICMP) below or above the  previously mentioned rule has no effect. Why?

Why block ICMP:
https://socfortress.medium.com/data-exfiltration-using-icmp-and-how-to-detect-it-69a799cca234
https://medium.com/@sam.rothlisberger/icmp-echo-request-data-exfiltration-f41f59fcf87a
https://github.com/martinoj2009/ICMPExfil

Why block on WAN-OUT:
Because I heve 8 internal networks. one rule to block all ICMP plus 7 rules to allow ICMP to other internal LAN's is 64 rules to write.

Many thanks
Uri

2
General Discussion / Please help: How to access an upstream router that has local address
« on: December 26, 2021, 09:56:56 am »
Hello
my OPNsense instance is downstream from my ISP modem/router, my WAN address is 192.168.1.17.
I want to access the modem configuration page at 192.168.1.1 from my VLAN 192.168.40.1/24.
How should I configure the firewall/interfaces?
Tried:
1. Removed the tick at interfaces->WAN->Block local addresses
2. Created a local rule at VLAN40 to allow access to 192.168.1.1, placed first after standard no-lockout rules.

Advice?
Thanks
Uri

3
General Discussion / Re: VLAN's drive me crazy
« on: February 19, 2021, 08:52:21 am »
Thank you VERY much!
That did the trick!

My trust in machines (and people) is restored!

Thanks again
Uri

4
General Discussion / VLAN's drive me crazy
« on: February 18, 2021, 10:05:59 am »
Hello wise and mighty people.
I am using OPNsense for a SOHO environment with TP-Link smart switches such as TP-SG108E.
I have ~50 client machines on the LAN side of my OPNsense.
I have recently got it into my head to use VLAN's and it's driving me crazy:

on OPNsense:
i set up the 3 VLAN's on the OPNsense LAN line.
Base: DHCP is set 192.168.2.100-199 on LAN line
DHCP is set 192.168.40.100-199 on VLAN40
DHCP is set 192.168.50.100-199 on VLAN50
DHCP is set 192.168.60.100-199 on VLAN60

The smart switch is connected to the LAN line:
One trunk  port(8) is assigned to VLAN 40,50 and 50.
port 1 assigned to VLAN 40
port 2 assigned to VLAN 50
port 3 assigned to VLAN 60

Note: TP-link switches will ALWAYS pass VLAN 1 (un tagged packets) to all ports to prevent control lockout.

Problem:
When I connect my laptop to ANY port on the switch, I get the same 192.168.2.100 address.
I expected to connect the laptop to port 1 of the switch and get an IP 192.168.40.100 but got 192.168.2.100

Thoughts: Since the switch passes VLAN1 in any case, perhaps this DHCP server answers first? Can I change the order of DHCP servers?

Thanks
Uri

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2