Messages

1

General Discussion / Re: Moving Opnsense to new Proxmox host - VLAN's dropping with interface change

« on: July 07, 2023, 07:48:30 am »

After restore in Proxmox I manually edited /conf/config.xml and changed all references to em1 with igb0 and it seems to be working. All VLAN's retained and firewall rules all working.

Not sure if this is the correct solution.

2

General Discussion / Moving Opnsense to new Proxmox host - VLAN's dropping with interface change

« on: July 07, 2023, 04:33:27 am »

I have Opnsense running virtualised on Proxmox (been running perfecting for over a year now). The reason I decided to virtualise was to allow seamless change across hardware if I ever had failures.

I decided to upgrade Proxmox host and now have a better machine with an Intel i350 NIC. Because the interface has changed from "em1" (old Proxmox NIC) to "igb1" (new Proxmox host) all the VLAN's dropped off because of the parent interface change. This means all firewall rules have gone etc.

I reconfigured the original VM and enabled "Prevent interface removal" and copied across to new Proxmox host but the VLAN interfaces still disappear.

I had hoped I could re-assign VLAN parent interface to each VLAN and retain my firewall rules etc.

3

General Discussion / Re: New user firewall help

« on: July 14, 2022, 07:55:42 am »

Ok thanks.

4

General Discussion / Re: New user firewall help

« on: July 14, 2022, 05:41:11 am »

I looked at the live query and noticed that DNS traffic is allowed from 192.168.13.51 to 192.168.10.4. The live query lable says "let out anything from firewall host itself". I don't get this. How is it considered "firewall host itself" when the source IP is 192.168.13.51?

5

General Discussion / Re: New user firewall help

« on: July 14, 2022, 05:19:00 am »

'LAN' interface is 192.168.10.1/24
'KIDS' interface IP is 192.168.13.1/24

If the default KIDS firewall rule lets all traffic from 192.168.13.0/24 to the KIDS interface 192.168.13.1/24 how are clients on KIDS network able to access any 192.168.10.0/24 resource? I have now confirmed KIDS client can hit a webserver onm 192.168.10.4/24 and ping that host as well.

6

General Discussion / Re: New user firewall help

« on: July 14, 2022, 04:55:18 am »

Default firewall rules. Enabling / disabling the LAN net DNS rule in screenshot has no effect. KIDS net clients can access any 192.168.10.0/24 subnet address. I know I am misunderstanding some concept here, I just can't work out what. From reading the OPNsense docs the firewall rules apply to ingress traffic to an interface so LAN rules apply from traffic coming into the LAN interface from other interfaces / subnets.

It is as if 192.168.13.0/24 addresses (KIDS) are somehow part of the 'LAN net' definition.

7

General Discussion / New user firewall help

« on: July 14, 2022, 04:44:42 am »

I have a new OPNsense installation with a few VLAN's being given to wireless clients by a Unifi AP.

I am running Unbound DNS on OPNSense that uses DNS over TLS and DHCP gives clients the piHole server for DNS. piHole forwards queries to Unbound DNS on OPNSense to make use of DNS over TLS.

I would like to have clients on the VLAN's use the 192.168.10.4 DNS server but nothing else. The LAN interface have the default firewall rule to accept all from 'LAN net' and the KIDS interface has default rule to accept all from 'KIDS net'.

I cannot work out why DNS requests from the KIDS network (192.168.13.0/24) is being allowed to LAN net (192.168.10.0/24).

Why is the 'Source' 'LAN net' allowing traffic from 192.168.13.0/24?