Messages

1

General Discussion / Re: Firewall Rules - WAN address/ net

« on: April 07, 2022, 12:28:41 pm »

Okay i see.
I thought it would be a bigger deal, but having an "out" rule, works just as well.

Your problem sounds interesting.
The labeling can be done via tags in the firewall rules, right?
Haven't found a use-case yet, where i could make use of them unfortunately.

2

General Discussion / Re: Firewall Rules - WAN address/ net

« on: April 07, 2022, 12:41:41 am »

Yeah, that's kind of what i thought also and clears things up. Thank you!

Also it leaves me with another question.
If i have multiple interfaces (e.g. WAN, LAN, DMZ) is it possible to restrict the DMZ so that it can only ping/ request data from WAN?

3

General Discussion / Firewall Rules - WAN address/ net

« on: April 06, 2022, 11:33:03 pm »

Hi,

so basically by accident i stumbled upon this.
In my setup i have a router from the ISP and behind that is my OPNsense.

So, i was playing around with ICMP on my firewall (DNS resolution works) and i have two scenarios.

1. Destination = *
2. Destination = WAN net/ address

Now the second doesn't work (Blocked by default deny), so i was wondering if maybe my understanding of WAN net is wrong.
I thought of it as all IP addresses "behind" the WAN IP-Address (basically the Internet).

However, that doesn't seem the case?
I am completely lost and i think i just completely misunderstood something and really appreciate any help!

4

General Discussion / Re: IPv6 Configuration Type - LAN

« on: March 31, 2022, 12:16:36 pm »

Thanks for both answers.

Makes total sense now!

Cheers!

5

General Discussion / IPv6 Configuration Type - LAN

« on: March 30, 2022, 09:35:32 pm »

Hi,

i am slowly getting into IPv6 and trying to set it up the first time.
Now, i was watching a tutorial where the IPv6 Configuration Type for the LAN Interface was set to static.

Now, what would be a reason for this?

As far as i understand the Track Interface option, carries the Network-Prefix over to the LAN side (which is necessary because no NAT).
So it might workout if the WAN IPv6 Configuration Type is SLAAC, but fails with DHCPv6.
It just seems like an unnecessary risk.

6

General Discussion / Re: Force all devices to use the ntpd server

« on: March 25, 2022, 01:20:05 pm »

Yess that's it! Thank you!
 
I had set it to local redirect or something.. never thought that would be the problem.

7

General Discussion / Re: Force all devices to use the ntpd server

« on: March 25, 2022, 12:10:55 pm »

Thanks for that answer.

However, i am not sure i understand it correctly.

Selecting from 'Redirect Target IP' does not give me the option to select 'LAN address'.

The interface of the NTP server is on the localhost of the OPNsense server, so isn't 127.0.0.1 correct for 'Redirect Target IP'?

br

8

General Discussion / Force all devices to use the ntpd server

« on: March 24, 2022, 11:29:33 pm »

I am new to OPNsense and was reading through my blocked traffic to see that my rules apply correctly when i noticed the block of NTP requests since i do have that port blocked for requests to WAN.

Now i read up and figured that you can reroute all NTP traffic to the inbuilt ntpd-server.
Now i want essentially the same as here in this thread https://forum.opnsense.org/index.php?topic=6492.0.
Unfortunately the linked image got lost, however i am still confident that my configuration is mostly correct.
.. yet it doesn't work.

I have a NAT:Port Forwarding rule configured:
     

Code: [Select]

Interface:        LAN
TCP/IP:           v4
Protocol:         UDP
Source:           LAN net
Destination
Invert:           check
Destination:      LAN net
Destination
port range:       NTP-NTP
Redirect
target IP:        127.0.0.1
Redirect
target port:       NTP
Pool options:     default
NAT reflection:   Disable
Also i checked whether the ntpd-server is actually running which looks pretty good:

Code: [Select]

sockstat -l | grep :123
root     ntpd       83772 20 udp6   *:123                 *:*
root     ntpd       83772 21 udp4   *:123                 *:*
root     ntpd       83772 22 udp4   192.168.1.1:123       *:*
root     ntpd       83772 23 udp6   ::1:123               *:*
root     ntpd       83772 24 udp4   127.0.0.1:123         *:*

When i activate logging i can see that the NAT is matched for all WAN requests to port 123.
Tested with:

Code: [Select]

sntp -t 15 0.arch.pool.ntp.org
I am pretty sure there must be a simple explanation/ solution. However currently i am just stuck.
Help is much appreciated!