Messages - process

#1
Sorry, my bad! It is possible to specify a port once I changed the protocol.
#2
I want to simplify some firewall rules and combine them into one. Today I have two broadcast addresses, 255.255.255.255/24 and 239.255.255.255/24, on port 1900.
So I created an alias of type network(s) and added 255.255.255.255/24 and 239.255.255.255/24, but in that context I can't add port 1900. It doesn't seem to be possible in the "add rule" context either, after I selected the alias.

Am I doing this wrong, or do you have any advice? The best of both worlds would be if it was possible to add
255.255.255.255/24 and 239.255.255.255/24 on port 1900 and 224.0.0.251/24 on port 5353, and combine those three addresses into one alias.

#3
Another block from my RFC1918 rule was from my computer to destination 192.168.30.255:137 (udp). I guess that this should be allowed as well? As I said previously, the point is not to block requests within the internal subnet / the own VLAN.

By the way, is 192.168.30.255 used to communicate with the whole network?
#4
Quote from: Demusman on November 05, 2022, 02:26:07 PM
Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.

I got a block from 192.168.30.10:49314 (phone) to destination 192.168.30.1:853 because of the RFC1918 block rule. It seems to be a DNS query again, so I guess this should be opened.
Or, if I turn the argument around: is this a request into another VLAN? No, it isn't! Then open it... could that be a valid statement to use to decide whether those requests should be opened or not?

Another solution is maybe to allow all 192.168.30.1 (gateway) requests instead of opening those specific ports?
#5
I'm wondering why I see this block on my IoT 192.168.20.x VLAN when the source is 224.0.0.251:5353 (seems to be a multicast address) and the destination is 192.168.72.251:5353 (or 192.168.72.180, 192.168.72.176, 192.168.72.8).
I don't have any 192.168.72.x VLAN in my network, so why is it heading for that subnet?

Before I got my OPNsense solution I had another router (without VLANs) that was running on 192.168.72.1 by default.
The only devices that previously had a static IP were my Shelly devices, but all of them are moved to 192.168.20.1. Could there be some old settings that are still in use? Will OPNsense present the static IP of the unit even if it in practice has a 192.168.20.x IP? I can't see any 192.168.72.x IPs in the DHCP leases.

Interface   Source                 Destination         Proto   Label
IoT20       192.168.72.251:5353    224.0.0.251:5353    udp     Default deny / state violation rule
#6
Quote from: Demusman on November 05, 2022, 03:39:21 PM
Just so you know, the internet is working from your last rule, 53 just resolves addresses.
IOW, if you knew the IP address of every website you wanted to visit, you wouldn't need the DNS rule and you'd still have internet. Just letting you know for informative reasons.
Yeah, I did notice that the internet worked :) I'm really thankful for all the help and explanation. Since I'm not that confident with firewalls, I need to double check or see that someone else did something similar.
For example, RFC1918 I saw from some YouTubers. But none of them opened any port afterwards, so that's why I got a bit confused about whether I did the right thing.

However, thank you! :)
#7
Quote from: Demusman on November 05, 2022, 02:26:07 PM
Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.

Yeah, I'll change to Home30 address instead. Is it really necessary to add http and https to that port alias, since the internet works when port 53 is enabled?
#8
Quote from: Demusman on November 05, 2022, 12:14:02 PM
Port 53 is dns.
You didn't lose internet, you lose name resolution.
Blocking all of rfc1918 will do that, just put a rule above the block to allow each vlan to "this firewall" on port 53.

This also depends on your exact rules as you may be blocking other services that are required.
You should post an image of your exact rules.

Perhaps it's good to enable logging for that rule, so I know if there are any blocks that shouldn't be blocked.

See my attachment.
#9
I've enabled RFC1918 and it works. But I got another issue: if I connect, for example, my phone to the VLAN that has this firewall rule, I lose the internet connection and the log writes out that it blocked those ones, and similar entries with a different destination port.
My VLAN is 192.168.30.x and, as you can see, my phone is 192.168.30.10. Should I make a rule and enable 192.168.30.1 for udp?

Source                 Destination         Proto
192.168.30.10:3712     192.168.30.1:53     udp
192.168.30.10:13311    192.168.30.1:53     udp
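The triage question that runs through posts #3, #4, #5 and #9 above (is the blocked destination the firewall itself, a broadcast or multicast address, another VLAN, or is the source not even on this VLAN's subnet?) as an added example. This is written for this page and is not code from the thread or from OPNsense. The VLAN names and subnets (Home30 = 192.168.30.0/24, IoT20 = 192.168.20.0/24) come from the thread; that the firewall holds .1 on each VLAN is an assumption, `classify` and `suggest` are illustrative helper names, and the sample log lines are constructed from addresses the posts mention. The rule suggestions use pf-style wording only to state intent; they are not OPNsense syntax.

```python
"""Triage "Default deny / state violation rule" log entries against a VLAN layout.

Added example for this thread, not code from the original posts or from OPNsense.
Subnets come from the thread; the firewall at .1 on each VLAN is an assumption and
every log line in SAMPLE_LOG is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed VLAN layout (names are the poster's own; .1 as the firewall address is assumed).
VLANS = {
    "Home30": ipaddress.ip_network("192.168.30.0/24"),
    "IoT20": ipaddress.ip_network("192.168.20.0/24"),
}
FIREWALL_ADDRS = {name: net.network_address + 1 for name, net in VLANS.items()}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Block:
    iface: str
    src: str    # "ip:port"
    dst: str    # "ip:port"
    proto: str  # "udp" or "tcp"


def parse_line(line: str) -> Block:
    """Parse one whitespace-separated line: <iface> <src ip:port> <dst ip:port> <proto>."""
    iface, src, dst, proto = line.split()
    return Block(iface, src, dst, proto.lower())


def endpoint(ep: str):
    host, port = ep.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def classify(b: Block) -> str:
    """Label what kind of traffic the RFC1918 block (or the default deny) caught."""
    src_ip, _ = endpoint(b.src)
    dst_ip, dst_port = endpoint(b.dst)
    net = VLANS[b.iface]
    if src_ip not in net:
        # A host on this VLAN still sources packets from another subnet, e.g. a
        # leftover static address from an old router (the 192.168.72.x case in post #5).
        return f"foreign-source:{src_ip}"
    if dst_ip == FIREWALL_ADDRS[b.iface]:
        # Client talking to the firewall's own address on this VLAN (DNS 53, DoT 853,
        # NTP 123). A blanket RFC1918 block catches this unless an allow rule sits above it.
        return f"to-firewall:{b.proto}/{dst_port}"
    if dst_ip in (LIMITED_BROADCAST, net.broadcast_address):
        # Limited or directed broadcast (NetBIOS name service 137, SSDP 1900, DHCP 67/68).
        return f"broadcast:{b.proto}/{dst_port}"
    if dst_ip.is_multicast:
        # mDNS is 224.0.0.251:5353, SSDP is 239.255.255.250:1900.
        return f"multicast:{b.proto}/{dst_port}"
    if dst_ip in net:
        # Same-subnet unicast is switched and normally never reaches the firewall,
        # so a log hit here deserves a closer look (asymmetric path, stale state).
        return "intra-vlan-unicast"
    if dst_ip.is_private:
        return "cross-rfc1918"  # another VLAN: exactly what the block is for
    return "internet"


def suggest(b: Block) -> str:
    """Turn the label into the rule a practitioner would place above the RFC1918 block."""
    kind = classify(b).split(":")[0]
    dst_ip, dst_port = endpoint(b.dst)
    if kind == "to-firewall":
        return f"pass {b.proto} from {b.iface} net to {b.iface} address port {dst_port}"
    if kind in ("broadcast", "multicast"):
        return f"pass {b.proto} from {b.iface} net to {dst_ip} port {dst_port}"
    if kind == "foreign-source":
        return "fix the host's static address; no firewall rule"
    if kind == "cross-rfc1918":
        return "keep blocked"
    return "no RFC1918 rule involved"


# Constructed log lines built from addresses mentioned in the thread.
SAMPLE_LOG = """\
Home30 192.168.30.10:3712 192.168.30.1:53 udp
Home30 192.168.30.10:49314 192.168.30.1:853 tcp
Home30 192.168.30.10:137 192.168.30.255:137 udp
Home30 192.168.30.10:52000 239.255.255.250:1900 udp
IoT20 192.168.72.251:5353 224.0.0.251:5353 udp
Home30 192.168.30.10:40000 192.168.20.5:80 tcp
"""


def triage(log: str):
    """Return (line, label, suggestion) for every non-empty log line."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        b = parse_line(line)
        rows.append((line, classify(b), suggest(b)))
    return rows


if __name__ == "__main__":
    for line, label, action in triage(SAMPLE_LOG):
        print(f"{line:55} {label:30} -> {action}")
```

The ordering of the checks is the point: the foreign-source test comes first because a packet like 192.168.72.251 -> 224.0.0.251 would otherwise be filed as ordinary mDNS, while the real problem is a host that never picked up its new address. Only the to-firewall, broadcast and multicast classes warrant a pass rule above the RFC1918 block; cross-VLAN hits are the block working as intended.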

#10
I did set up WireGuard on a specific VLAN using this https://forum.opnsense.org/index.php?topic=21205.0 (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html)

After that I started to get this "error" in the browser (using Firefox). First it waits/spins for a while and then shows this message. If I refresh the page it works instantly.
------------------------------------------------------------------------
Hmm. We're having trouble finding that site.

We can't connect to the server at www.dummy.com. Did you mean to go to www.dummy.com?

If you entered the right address, you can:


  • Try again later
  • Check your network connection
  • Check that Firefox has permission to access the web (you might be connected but behind a firewall)
------------------------------------------------------------------------
   
#11
Quote from: pmhausen on September 17, 2022, 12:33:07 AM
Exactly. Unless you use a managed switch with filtering features. There are various mechanisms on various protocol levels. Like deciding who gets a connection at all (802.1x), automatic assignment of VLAN based on MAC address (VMPS), MAC address filtering, static ARP/ND, IP based filtering, ...

It all depends on your specific requirements.

If your main tool is a layer 3 firewall, the tried and true approach is to put all devices that share the same policy in the same network, e.g. a VLAN. Use as many networks as necessary. Separate devices of different trust levels.

HTH,
Patrick
The managed switch is on its way. Not for this purpose, but at least I have the possibility to use it for this as well if I want to. But perhaps more VLANs could be an option, or that is what I mainly will use. More or less what I was thinking of was the IoT VLAN. There's really no point in making it possible for some of the devices/brands to talk to other brands. For example, a smart light button doesn't need to talk to a smart vacuum cleaner.
But perhaps you just make it too complex, because the next day you want to have a light turned on when the vacuum cleaner drives around (or whatever...). Only an example, I don't even own a smart vacuum cleaner :)

Quote from: Demusman on September 17, 2022, 04:18:01 AM
Think about it. Do you need a router to connect devices to each other??
Nope, a switch will do that.
A router connects a subnet to other subnets.
So if you don't need to leave the subnet you're on, no router needed.
Yep that's a good point!
#12
Quote from: pmhausen on September 30, 2022, 03:24:20 PM
You need to configure your PC to an IP address in the 192.168.5.x/24 network to access the web interface again.

Awesome it works! Thanks!! :)
#13
Isn't it the console? I'm new to OPNsense so I might misunderstand, but I'm not at the browser...

Quote from: bartjsmit on September 19, 2022, 09:28:35 AM
You can set the interface IP addresses through the console
Quote from: process on September 18, 2022, 11:23:52 PM
If I connect directly to my OPNsense hardware (HDMI) and start it up, it does say when it lists my interfaces that the LAN IP is 192.168.5.19. I don't really know how to continue on this; is it possible to reset the LAN IPs to default or something?

I tried to log in but it said something about being unable to do that through this environment (or something similar). My admin user is disabled...
#14
I've previously changed the default IP of OPNsense from 192.168.1.1 to 192.168.1.19 through the installation wizard.
Now I wanted to change it again, so I changed it directly through the interface [LAN] row, where it said "192.168.1.19", to "192.168.5.19".
After that I can't "find" OPNsense through the URL anymore, and that port only gives me an "unidentified network" when connecting to it.

If I connect directly to my OPNsense hardware (HDMI) and start it up, it does say when it lists my interfaces that the LAN IP is 192.168.5.19. I don't really know how to continue on this; is it possible to reset the LAN IPs to default or something?

I tried to log in but it said something about being unable to do that through this environment (or something similar). My admin user is disabled...

#15
Quote from: Demusman on September 16, 2022, 12:28:55 AM
Traffic on the same subnet doesn't go through the firewall so, yup, you're doing something wrong.

Ok, interesting, didn't know that. However, the problem was that my computers had a network profile that was preventing others from seeing me.

Regarding same-subnet traffic not going through the firewall: in that case, is it impossible on a network level to prevent every device on a VLAN from seeing other devices on the same VLAN?