Messages - fgratx

#1
Thanks Gauss23 and chemlud for all the great advice and details. It put me on the right track, helped me understand better and guided me into reading some more useful documentation. Cheers guys!
#2
Hey guys,

First post on here so I'll start by thanking the community for the great work putting OPNSense together!
Also, I'm a newbie on OPNsense firewalls but have been in the IT industry for 25+ years, so please bear with me if I don't get all the OPNsense specifics yet.

So far, I built the following basic setup.

Site A: OPNsense 20.7.5-amd64 freshly installed/updated.

  • Only 2 interfaces for LAN and WAN.
  • LAN network is a basic class C private network.
  • No double NAT, WAN has public address delivered by the ISP.
  • A simple IPsec site-to-site tunnel to another location, with the specific advanced parameters like "Install policy" all left at their defaults.

Site B: Cisco RV340 with the same type of local setup, a LAN and a WAN leg.

Configuration of the tunnel was pretty straightforward.
It is well established and the two LANs are able to communicate both ways just fine.
But now I would like to filter traffic in/out between the two LANs from the OPNsense firewall.
Basically I'd like to deny all, then open only what I need using rules.

I noticed an automatically generated rule was added in Firewall>Rules>IPSec allowing everything both ways.
IPv4+6 *   *   *   *   *   *   *   IPsec internal host to host

I've tried to add a simple rule here to block all traffic (* on protocol, etc.) between two IP addresses, one on each of the two LANs, but it doesn't seem to work: ping/ssh/etc. still go through just fine without any limitation.

I used the firewall logs and filters to check, and the auto-generated rule is kicking in to allow it. See the log below for an SSH connection from Site A LAN to Site B LAN:
Interface  Time             Source              Destination      Proto  Label
IPsec      Nov 30 21:12:27  192.168.1.10:38236  192.168.2.23:22  tcp    IPsec internal host to host


Any rule I try for blocking communication still lets it pass. Of course, I diligently make sure to save and apply during my tests.
Does anyone have any idea what I'm missing?

Thanks a lot.

Florian
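To illustrate why a block rule added on the IPsec tab can sit unused behind the automatically generated pass rule described in the post above, here is an added example (my own Python, not OPNsense code and not from anyone in this thread). It models pf's first-match evaluation as OPNsense applies it: rules are walked top to bottom, the first "quick" match decides the packet, and automatically generated rules are loaded ahead of the rules the administrator adds on the same interface. The ruleset, the rule labels other than "IPsec internal host to host", and the packet are constructed from the log line in the post; the function and class names are my own.

```python
"""First-match firewall rule evaluator (added example, not OPNsense code).

Models how a pf ruleset with "quick" rules is walked: top to bottom, the first
matching rule decides the packet. Automatic rules such as the IPsec
"internal host to host" pass rule sit above administrator rules, so a block
rule placed on the IPsec tab for the same traffic is never reached.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "pass" or "block"
    interface: str         # "ipsec", "lan", ... or "*" for any
    proto: str             # "tcp", "udp", "icmp" or "*" for any
    src: str               # CIDR / host, or "*" for any
    dst: str               # CIDR / host, or "*" for any
    dport: Optional[int]   # destination port, None for any
    label: str


@dataclass
class Packet:
    interface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def _net_match(pattern: str, address: str) -> bool:
    """True if address falls inside pattern (a network, host or wildcard)."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.interface in ("*", pkt.interface)
            and rule.proto in ("*", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the first rule that matches, or None when nothing matched."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """(action, label) for the packet; no match falls through to the default deny."""
    hit = first_match(rules, pkt)
    return (hit.action, hit.label) if hit else ("block", "default deny")


# Constructed ruleset mirroring the post. The automatic pass rule is loaded
# first; the administrator's block rule for the two hosts comes after it.
AUTO_PASS = Rule("pass", "ipsec", "*", "*", "*", None, "IPsec internal host to host")
USER_BLOCK_HOSTS = Rule("block", "ipsec", "*", "192.168.1.10/32", "192.168.2.23/32",
                        None, "block host A to host B")  # constructed label

# "Deny all, then open what I need": specific pass rules above a catch-all block.
USER_PASS_SSH = Rule("pass", "ipsec", "tcp", "192.168.1.0/24", "192.168.2.0/24",
                     22, "allow SSH LAN A to LAN B")      # constructed label
USER_BLOCK_ALL = Rule("block", "ipsec", "*", "*", "*", None, "deny all over IPsec")

# The SSH connection from the post's log line (constructed from it).
SSH = Packet("ipsec", "tcp", "192.168.1.10", "192.168.2.23", 22)
PING = Packet("ipsec", "icmp", "192.168.1.10", "192.168.2.23", None)

if __name__ == "__main__":
    # With the automatic rule still in front, the block rule is never consulted.
    print(decide([AUTO_PASS, USER_BLOCK_HOSTS], SSH))
    # Without it, the administrator's ordering is what decides.
    print(decide([USER_BLOCK_HOSTS], SSH))
    print(decide([USER_PASS_SSH, USER_BLOCK_ALL], SSH))
    print(decide([USER_PASS_SSH, USER_BLOCK_ALL], PING))
```

The evaluator is a model, not a parser of the live ruleset; on the firewall itself, `pfctl -sr` prints the rules pf actually loaded, in the order they are evaluated, which is the quickest way to see whether an automatic pass rule sits above the block rule you added.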