Messages - beertooth

#1
Quote: As I too feel, as I was reading your post you are having DNS issues, not a routing issue.

Yeah.. the more I'm watching things, this seems to be the problem.

I am using a Zyxel XGS1210-12 switch, and it is currently set to DHCP. Even if I wanted to set the IP manually in the Zyxel GUI, there is no DNS field (you know, so I couldn't mess that up).

Plugging an extra PC into one of the switch's other ports, with the PC also set to DHCP, the internet is still not working because this new PC is trying to reach the subnet gateway (on the DNS port) for DNS requests.

This seems like OK behavior, right? I mean, something inside my settings is telling DHCP to serve the gateway address as the DNS server. But of course my firewall rules for this subnet are not applying, since the subnet's gateway is indeed part of the internal network.

Is it OK (or normal) to need a firewall rule to allow DNS requests through the gateway? I haven't seen anything like this in the many guides I have read. It seems logical, but maybe there is something unsafe about it that I am not aware of.

Thanks
#2
Hi all.. I'm just getting my feet wet with OPNsense and more detailed network management for my home setup. Ultimately I'm looking for network separation for work, IoT, etc.

I am running version 23.1 on a Protectli box with 4 NICs, and so far have WAN, LAN and OPT1 configured so that LAN is sort of a master subnet with access to everything and OPT1 is going to be where all my subnets live. I'm using physical subnets for now so that I can build a better understanding before getting into 802.1Q configurations.

Yesterday I was having some problem getting internet on OPT1 even though I set a firewall rule that allowed any connections outside of the 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12 networks. DHCP was enabled for a slice of the subnet, but I had a switch connected to OPT1 and then a WAP also connected to the switch, with static IPs set outside of that range.

[OPT1] -> [SWITCH /static] -> [WAP /static]

With this setup I was able to verify with my iPhone that I got a DHCP reservation on the correct subnet, but no internet. I enabled logging on the firewall rule created above, but nothing showed up in the log, so nothing was matching my rule.

I finally went back into both my switch and my WAP to enable them as DHCP clients, and voilà, firewall rules started taking effect and I was able to reach the internet.

So, my main question is: is there some reason that the selection of [OPT1 Net] applies only to addresses handed out by DHCP?

My other suspicion is that DNS is not working properly unless clients are auto-assigned everything by DHCP.  But here also I do not know the proper configuration.  It does appear that all my internet requests come through with DNS requests to the OPT1 gateway address, and thus are blocked by a floating 'block all' rule.  In this case do I simply add another rule to allow OPT1 clients access to the gateway for DNS requests or is there something fundamentally wrong with this?

Sorry this got to be a long post!  :)
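The rule-matching situation described in both posts (a pass rule limited to non-RFC1918 destinations, a block-all behind it, and DHCP handing out the OPT1 gateway as the DNS server), as a worked example added here; it is not beertooth's or OPNsense's code. All addresses are constructed, and the model is a simplified first-match ruleset with the block-all as the last entry, so it does not reproduce OPNsense's real floating/quick evaluation order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

Addr = ipaddress.IPv4Address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addressing, not taken from the posts: OPT1 is 10.0.1.0/24, the
# OPNsense box is 10.0.1.1, and DHCP hands that address out as the DNS server.
OPT1_NET = ipaddress.ip_network("10.0.1.0/24")
OPT1_GW = ipaddress.ip_address("10.0.1.1")
CLIENT = ipaddress.ip_address("10.0.1.50")

def is_rfc1918(a: Addr) -> bool:
    return any(a in n for n in RFC1918)

@dataclass
class Packet:
    src: Addr
    dst: Addr
    dport: int

@dataclass
class Rule:
    name: str
    action: str  # "pass" or "block"
    src: Callable[[Addr], bool] = lambda a: True
    dst: Callable[[Addr], bool] = lambda a: True
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return self.src(p.src) and self.dst(p.dst) and self.dport in (None, p.dport)

def evaluate(rules: list, p: Packet) -> tuple:
    """First matching rule decides; an unmatched packet falls to the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action
    return "implicit default", "block"

# The poster's ruleset: pass OPT1 clients to any non-RFC1918 destination, then the
# catch-all block. The gateway is an RFC1918 address, so a DNS query to it only
# ever reaches the block rule; an explicit pass placed before the block fixes that.
ALLOW_OUT = Rule("OPT1 allow non-RFC1918", "pass", src=lambda a: a in OPT1_NET, dst=lambda a: not is_rfc1918(a))
BLOCK_ALL = Rule("block all", "block")
ALLOW_DNS_TO_GW = Rule("OPT1 allow DNS to gateway", "pass", src=lambda a: a in OPT1_NET, dst=lambda a: a == OPT1_GW, dport=53)
BROKEN = [ALLOW_OUT, BLOCK_ALL]
FIXED = [ALLOW_OUT, ALLOW_DNS_TO_GW, BLOCK_ALL]
DNS_QUERY = Packet(CLIENT, OPT1_GW, 53)
WEB_BY_IP = Packet(CLIENT, ipaddress.ip_address("203.0.113.10"), 443)  # TEST-NET-3 literal
```

Running `evaluate(BROKEN, DNS_QUERY)` shows the query hitting the block rule while `evaluate(BROKEN, WEB_BY_IP)` passes, which is the "works by IP, fails by name" symptom the first post describes as a DNS problem rather than a routing one.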