Messages - saintjimmy

#1
Following your explanations, I have a better understanding of how OPNsense manages its firewall rules, thank you for that.

Now I have deleted all my NAT & FW rules and decided to start from scratch. I created a NAT rule allowing traffic on HTTPS from any source to my reverse proxy. I didn't choose to attach a FW rule automatically or whatever.

I then created a FW rule on the WAN interface allowing only Cloudflare IPs to reach my reverse proxy.

And it seems to work!

Is it the proper way to do it, or can it be improved/hardened?
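Added example, not part of the original thread: a small Python model of why the setup above works while the earlier attempts (WAN block rules that "seemed ineffective") did not. It assumes the pf semantics OPNsense relies on: a port-forward whose filter rule association is set to "Pass" becomes a pf `rdr pass`, and the translated traffic is admitted without ever consulting the WAN filter rules, so a Cloudflare-only WAN rule is never reached. With the association set to none, the hand-written WAN rules decide, first match wins, followed by the interface's implicit default block. The alias entries and the outside client address (`198.51.100.7`, TEST-NET-2) are constructed sample data, not the live Cloudflare list; the function and variable names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample standing in for the Cloudflare URL-table alias.
# It is NOT the live list; OPNsense should pull that from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
CLOUDFLARE_ALIAS = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]

# Constructed non-Cloudflare client (TEST-NET-2), playing the role of the
# VPN / 5G address used to test from outside the home network.
OUTSIDE_CLIENT = "198.51.100.7"


def in_alias(src: str, alias: List[str]) -> bool:
    """True if src falls inside any network of the alias (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(src)
    # ipaddress returns False for a v4 address tested against a v6 network.
    return any(ip in ipaddress.ip_network(net) for net in alias)


@dataclass
class Rule:
    action: str                            # "pass" or "block"
    dport: Optional[int] = None            # None matches any destination port
    src_alias: Optional[List[str]] = None  # None matches any source


def matches(rule: Rule, src: str, dport: int) -> bool:
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.src_alias is not None and not in_alias(src, rule.src_alias):
        return False
    return True


def evaluate(nat_association: str, wan_rules: List[Rule], src: str, dport: int) -> str:
    """Decide whether a connection hitting a port-forward is admitted.

    nat_association models the NAT rule's "Filter rule association":
      "pass" -> pf 'rdr pass': the redirected traffic is admitted without
                consulting the filter rules, so the WAN rules never see it.
      "none" -> nothing is generated; the WAN rules below decide.
    wan_rules are evaluated first match wins (OPNsense rules are 'quick'),
    then the WAN interface's implicit default block applies.
    """
    if nat_association == "pass":
        return "pass"
    for rule in wan_rules:
        if matches(rule, src, dport):
            return rule.action
    return "block"


# The hardened WAN ruleset from the post: allow 80/443 only from the alias;
# everything else falls through to the default block.
WAN_RULES = [
    Rule("pass", 443, CLOUDFLARE_ALIAS),
    Rule("pass", 80, CLOUDFLARE_ALIAS),
]

if __name__ == "__main__":
    for assoc in ("pass", "none"):
        for src in ("173.245.48.10", OUTSIDE_CLIENT):
            print(f"association={assoc:4} src={src:15} -> {evaluate(assoc, WAN_RULES, src, 443)}")
```

With `association=pass`, the outside client reaches port 443 regardless of the WAN rules, which is exactly the symptom of a VPN client still getting through; with the association set to none and the two alias-restricted pass rules on WAN, the same client is blocked while a Cloudflare address is admitted. The third option, "Associated filter rule", generates a WAN pass rule that mirrors the NAT rule's source, so with a NAT source of "any" it admits every client too; either restrict the NAT rule's source to the alias so the generated rule inherits it, or leave the association at none and write the WAN rule by hand as in the post.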
#2
I never check "pass" but instead create an associated filter rule.
#3
OK, maybe you need all of the WAN rules? Because the screenshot of my NAT rules is the complete list.

After looking in the logs, every attempt from a non-authorized IP is allowed and matches the "let out anything from firewall host itself" rule. I don't understand why the rules created on the WAN interface don't apply?
#4
Let me know if I can be clearer:

I want all incoming connections on ports 80 & 443 to be blocked on the WAN interface except the ones coming from Cloudflare IPs.

I created the rules on the WAN interface as you can see in my screenshot, but these rules seem ineffective.

I tested access from IPs other than my network (VPN, 5G network, work, etc.) and I can still access these ports.

My NAT rules and WAN rules are attached for context; there is nothing else relevant, I think?
#5
Yes, I tried from outside my network.
Sorry for that 2nd sentence, I corrected it.
#6
General Discussion / Block all traffic except Cloudflare
February 09, 2025, 08:01:36 PM
Hello,
I'm trying to limit all incoming connections on my FW to Cloudflare IPs only (on ports 80 & 443).
I created the alias with the list from Cloudflare and it's updating without issue.
I created my rules, but it's still possible to connect from any IP (testing with a VPN).
If I add the Cloudflare IPs in my NAT rules, I can't access anything.

I attached my NAT & WAN rules.

If anyone can help, that would be greatly appreciated!
#7
Hello everyone,
I have an issue with my router: sometimes, after a few days, I lose Internet connectivity, and everything is fine after a reboot.
I'm in the process of trying to find what causes this, but in the meantime I'd like to find a temporary fix.
Is it possible to reboot the OPNsense box (or restart the WAN interface) if Internet access is down?
Has someone ever done that?
Thanks for your help!
#8
Hello

After a reboot of my VM, all the network interface names changed (igb2 became igb0, etc.). I reassigned the interfaces to the correct NICs and I have Internet access.
For a reason I can't figure out, my DMZ is now unreachable from the outside. NAT and FW haven't changed, though.

Thanks for your help