
Messages - o2cool

#1
I am trying to set up a new router box and for some reason I cannot get DNS to work on some VLANs. I am trying to use the rule interface: source this net, any port; dest this addr, DNS (53) port, and it works for some VLANs but not others unless I change dest to any, which bypasses the need to separate VLAN traffic. This is with Unbound and allowed on all interfaces. I tried using a single network for DNS and that didn't work either. Any suggestions? Subnets range across all RFC1918 address space. I am building a network for home and work needs for QA testing. I am running LACP (3 port) to the main switch, and I am thinking of using the 4th port as a master for the web UI, DNS, SSH, all OPNsense services, and just use the LAGG for inter-network and WAN traffic. I have the firewall set up in hybrid mode, no auto reflection options.

Suggestions?
#2
Found the answer. Just had to give up and register on the forums for the Google searches previously typed in to finally give relevant results. Looks like net is traffic to the subnet and address is traffic to network addresses (not sure what the difference is). (NET matches anything on that subnet, and the address matches only the IP address assigned to the router on that subnet.)

So net would be the subnet 172.17.150.0/26
and address would be: 172.17.150.1

So pinging a device at 172.17.150.10 only works when Dest is set to net and not address, but I can ping the network's router in either setting.

So like most things, it works the opposite of what makes sense to those who do not have a degree in iptables rules.
#3
Hello everyone, first-time poster here; I have been using OPNsense for many years now. I am building a new box for my network so I can retire the old one. So I am setting up the rules for the VLANs. I have tried searching Google for this, and after hours Google is no longer giving me results that contain the words I type into the search box. I just have one question.

What is the difference between interface net vs interface address?

VLAN setup:
VLAN 10: 172.17.150.0/26
VLAN 40: 192.168.245.0/24

For example, VLAN 40 and VLAN 10. I want to enable traffic from 40 to 10, so I put in an [allow] rule on interface VLAN 40 for source VLAN 40 net -> Dest VLAN 10 net. And it works.

Now I want to test with VLAN address:
For example, VLAN 40 and VLAN 10. I want to enable traffic from 40 to 10, so I put in an [allow] rule on interface VLAN 40 for source VLAN 40 net -> Dest VLAN 10 address. And it works.

I am testing by being able to ping a host and reach the web GUI on the other address. If I disable the rule then traffic is blocked as expected.

What is the difference, and when would I want to use network or address?
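The distinction worked out in post #2 and asked about in post #3 (and the DNS rule of post #1) can be checked with a small simulation of how such a rule matches packets. This is an added example written for this page, not OPNsense or pf code: it uses the two subnets from the post, assumes the firewall holds the .1 address on each VLAN, and assumes first-match rule evaluation with an implicit default deny. "vlan10 net" expands to the whole subnet, while "vlan10 address" expands to the firewall's own IP on that interface and nothing else.

```python
"""Simulate how a rule with "<interface> net" versus "<interface> address"
matches traffic. Added example; the interface table is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed interface table. The subnets come from the post; the router
# addresses (.1 on each VLAN) are an assumption for this example.
INTERFACES = {
    "vlan10": {"address": "172.17.150.1", "net": "172.17.150.0/26"},
    "vlan40": {"address": "192.168.245.1", "net": "192.168.245.0/24"},
}


def resolve(selector: str):
    """Expand a rule selector into the set of IPs it covers.

    "<iface> net"     -> the whole subnet configured on that interface
    "<iface> address" -> only the firewall's own IP on that interface (/32)
    "any"             -> None, meaning no restriction
    """
    if selector == "any":
        return None
    iface, kind = selector.split()
    entry = INTERFACES[iface]
    if kind == "net":
        return ipaddress.ip_network(entry["net"])
    if kind == "address":
        return ipaddress.ip_network(entry["address"])  # a single-host /32
    raise ValueError(f"unknown selector kind: {kind}")


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    interface: str                 # interface the packet arrives on
    src: str                       # selector, e.g. "vlan40 net"
    dst: str                       # selector, e.g. "vlan10 address"
    dst_port: Optional[int] = None  # None means any destination port


def matches(rule: Rule, iface: str, src_ip: str, dst_ip: str,
            dst_port: Optional[int]) -> bool:
    """True if the packet is covered by the rule."""
    if rule.interface != iface:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    for selector, ip in ((rule.src, src_ip), (rule.dst, dst_ip)):
        allowed = resolve(selector)
        if allowed is not None and ipaddress.ip_address(ip) not in allowed:
            return False
    return True


def evaluate(rules, iface, src_ip, dst_ip, dst_port=None, default="block"):
    """First matching rule wins; with no match the default deny applies."""
    for rule in rules:
        if matches(rule, iface, src_ip, dst_ip, dst_port):
            return rule.action
    return default


# The two rule sets from the question: same source, dest "net" vs "address".
NET_RULE = [Rule("pass", "vlan40", "vlan40 net", "vlan10 net")]
ADDR_RULE = [Rule("pass", "vlan40", "vlan40 net", "vlan10 address")]
# A DNS-only rule of the kind described in the first post: clients on
# VLAN 40 may reach the firewall's own IP on VLAN 40, port 53.
DNS_RULE = [Rule("pass", "vlan40", "vlan40 net", "vlan40 address", 53)]


def demo():
    """Outcomes for a few constructed packets from a client on VLAN 40."""
    client = "192.168.245.20"
    return {
        # a host on VLAN 10: only the "net" rule covers it
        "net_to_host": evaluate(NET_RULE, "vlan40", client, "172.17.150.10"),
        "address_to_host": evaluate(ADDR_RULE, "vlan40", client, "172.17.150.10"),
        # the router's VLAN 10 IP: both rules cover it
        "net_to_router": evaluate(NET_RULE, "vlan40", client, "172.17.150.1"),
        "address_to_router": evaluate(ADDR_RULE, "vlan40", client, "172.17.150.1"),
        # DNS to the firewall's own VLAN 40 IP passes; DNS sent to its VLAN 10
        # IP does not, because "vlan40 address" is only 192.168.245.1
        "dns_same_vlan": evaluate(DNS_RULE, "vlan40", client, "192.168.245.1", 53),
        "dns_other_vlan_ip": evaluate(DNS_RULE, "vlan40", client, "172.17.150.1", 53),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

Run it and the table of outcomes reproduces the observation in post #2: a ping to 172.17.150.10 passes only under the "net" rule, while 172.17.150.1 passes under both. The DNS rows show the practical consequence for a "this interface address" port-53 rule: a client on that VLAN must be sending its queries to the firewall's IP on that same VLAN, since any other destination, including the firewall's IP on a different VLAN, falls outside the selector and hits the default deny.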