General Discussion / Re: How to add port to network alias
« on: March 18, 2023, 08:04:58 pm »
Sorry my bad! It is possible to specify a port when I changed the protocol.
Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.
| Interface | Source | Destination | Proto | Label |
| --- | --- | --- | --- | --- |
| IoT20 | 192.168.72.251:5353 | 224.0.0.251:5353 | udp | Default deny / state violation rule |
Just so you know, the internet is working from your last rule, 53 just resolves addresses.

Yeah, I did notice that the internet worked. I'm really thankful for all the help and explanation. Since I'm not that confident with firewalls, I need to double check or see that someone else did something similar.
IOW, if you knew the IP address of every website you wanted to visit, you wouldn't need the DNS rule and you'd still have internet. Just letting you know for informative reasons.
Port 53 is dns.
You didn't lose internet, you lose name resolution.
Blocking all of rfc1918 will do that, just put a rule above the block to allow each vlan to "this firewall" on port 53.
This also depends on your exact rules as you may be blocking other services that are required.
You should post an image of your exact rules.
| Source | Destination | Proto |
| --- | --- | --- |
| 192.168.30.10:3712 | 192.168.30.1:53 | udp |
| 192.168.30.10:13311 | 192.168.30.1:53 | udp |
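The advice above (put an allow rule for each VLAN to "this firewall" on port 53 above the RFC1918 block) comes down to first-match ordering. The following is an added illustration, not code from the thread or from OPNsense: a small first-match rule evaluator run over two constructed rulesets, the "block RFC1918 then allow the rest" ordering that breaks name resolution, and the same rules with the DNS allow placed first. Addresses are constructed: Home30 is assumed to be 192.168.30.0/24 with the firewall at 192.168.30.1 standing in for the "This Firewall" alias, and 192.168.72.251 is a host on another VLAN. State tracking is ignored; only rule order is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed (assumed) addressing: the Home30 VLAN and the firewall's address on it,
# which is what the "This Firewall" destination resolves to for that interface.
HOME30 = ipaddress.ip_network("192.168.30.0/24")
HOME30_FIREWALL = ipaddress.ip_network("192.168.30.1/32")


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: List[ipaddress.IPv4Network]     # a list so an alias like RFC1918 can hold several networks
    proto: Optional[str] = None          # None matches any protocol
    dport: Optional[int] = None          # None matches any destination port
    label: str = ""


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Walk the ruleset top to bottom; the first matching rule decides, else default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in r.src:
            continue
        if not any(dst in net for net in r.dst):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.label
    return "block", "Default deny / state violation rule"


# Ordering that loses name resolution: the RFC1918 block also covers the firewall's own address.
BROKEN = [
    Rule("block", HOME30, RFC1918, label="Block RFC1918"),
    Rule("pass", HOME30, [ANY], label="Allow internet"),
]

# Same rules with the DNS allow to this firewall placed above the block.
FIXED = [
    Rule("pass", HOME30, [HOME30_FIREWALL], proto="udp", dport=53, label="Allow DNS to this firewall"),
    Rule("block", HOME30, RFC1918, label="Block RFC1918"),
    Rule("pass", HOME30, [ANY], label="Allow internet"),
]

# Constructed sample flows from a Home30 client.
FLOWS = {
    "dns_to_firewall": ("192.168.30.10", "192.168.30.1", "udp", 53),
    "to_other_vlan": ("192.168.30.10", "192.168.72.251", "tcp", 80),
    "internet_https": ("192.168.30.10", "1.1.1.1", "tcp", 443),
}


def evaluate(rules: List[Rule]) -> dict:
    """Return the action each sample flow gets under the given ruleset."""
    return {name: first_match(rules, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, evaluate(rules))
```

Run it and the broken ordering blocks the DNS lookup while still passing the HTTPS flow, which is exactly the "internet works but nothing resolves" symptom; the fixed ordering passes DNS to the firewall and still blocks the other VLAN.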
Exactly. Unless you use a managed switch with filtering features. There are various mechanisms on various protocol levels. Like deciding who gets a connection at all (802.1x), automatic assignment of VLAN based on MAC address (VMPS), MAC address filtering, static ARP/ND, IP based filtering, ...

The managed switch is on its way. Not for this purpose, but at least I have the possibility to use it for this as well if I want to. But perhaps more VLANs could be an option, or that is what I mainly will use. But more or less what I was thinking of was the IoT VLAN. Really no point in making it possible for some of the devices/brands to talk to other brands. For example, a smart light button doesn't need to talk to a smart vacuum cleaner.
It all depends on your specific requirements.
If your main tool is a layer 3 firewall, the tried and true approach is to put all devices that share the same policy in the same network, e.g. a VLAN. Use as many networks as necessary. Separate devices of different trust levels.
HTH,
Patrick
Think about it. Do you need a router to connect devices to each other?

Yep, that's a good point!
Nope, a switch will do that.
A router connects a subnet to other subnets.
So if you don't need to :leave: the subnet you're on, no router needed.
You need to configure your PC to an IP address in the 192.168.5.x/24 network to access the web interface again.
You can set the interface IP addresses through the console
If I connect directly to my OPNsense hardware (HDMI) and start it up, it does say, when it lists my interfaces, that the LAN IP is 192.168.5.19. I don't really know how to continue on this; is it possible to reset the LAN IPs to default or something?
I tried to log in, but it said something like it was unable to do that through this environment (or something similar). My admin user is disabled..
Traffic on the same subnet doesn't go through the firewall so, yup, you're doing something wrong.