Messages

1

General Discussion / Re: VoIP phones behind Opnsense

« on: February 04, 2024, 11:14:09 am »

Yeah I thought about setting up a FreePBX as I used to have one but since I was running pfSense with the sip proxy and my 2 phones were working (I only have 1 public IP) I was hoping there was a solution for opnSense. I tried the sip proxy plug-in but it didn’t work … not sure if I misconfigured it or it was just not working … 

I guess I’ll have to see if I want to setup another FreePBX or simply return to pfSense 

2

General Discussion / VoIP phones behind Opnsense

« on: February 03, 2024, 06:26:26 pm »

Hello,

Just switched from the other sense and I’m trying to figure out how to configure my 2 IP phones. I have a VLAN for the VoIP phones (2 devices), I have a NAT rule and can make 1 phone work but not both. I created an Alias but I don’t think I can NAT to 2 different IPs …

I tried the SIP proxy since I was using it on pfsense but it doesn’t work as well ….. doesn’t work at all I should say.

Anyone managed to configure more than 1 VoIP phone behind Opnsense? I am not using a PBX, each phone registered online through my VoIP provider.

Any input appreciated.

Thanks!!

3

Tutorials and FAQs / Re: All my rules show let out anything from firewall host itself

« on: February 02, 2024, 01:53:28 am »

Thanks for the good advice, greatly appreciated. I know for a fact that IoT devices are a bit tricky ion the way where some if not most are hardcoded .... I will keep an eye on my logs like you said. I was also doing some reading on Zenarmor as some of its features could be useful as I read...

4

Tutorials and FAQs / Re: All my rules show let out anything from firewall host itself

« on: February 01, 2024, 12:32:10 pm »

Thanks for the tip and the write up. I do have quite a few VLAN: LAN and Surveillance cameras are on physical interface as well as my DMZ then IOT, Guests, Kids, VoIP are VLANS. I find it easier to manage when it’s segmented like that. I will add you rule and redirect those dns queries to my Ad-Guard. I used it to filter so ads and apps especially for the kids VLAN. So far it’s working great. My IoT VLAN does a lot of pings too, the gateway and to my DNS servers etc which I blocked …

The big part of My install is almost done now. Got my voip working last night which is a plus! Just need some fine tuning now and check the logs for anomalies. I’ll have to setup my vpn as well within the next few days.

So far opnsense seems to be a decent firewall, I like the simplicity of some of the options like the GeoIP which I use combined with blocking ET using IP list…

5

Tutorials and FAQs / Re: All my rules show let out anything from firewall host itself

« on: February 01, 2024, 01:01:56 am »

It most probably as well will depending the device on the LAN,

Reason is some devices (mostly IoT and even TVs) have preconfigured primary DNS servers 8.8.8.8 & 8.8.4.4, by having any to any rule towards non Private subnets. Such devices will always try to reach those Destinations before using your own or dedicated DNS server.

I did solve this by extremely restrict internet access to only HTTPs. And allow DNS only for my Pihole. from what I can see such hardcoded devices first try their hard coded DNS server, once their can not reach it they use the fallback DNS provided by DHCP.

Also Such devices tent to as well ping using ICMP those hardcoded DNS servers. I have specific rules that block any communication for Google DNS servers to force them use my selfhosted DNS on Pihole.

Regards,
S.

I have those device, I agree with you that some are hardcoded as I can see Google DNS requests from my internal network which I do not use. I pass the Ad-Guards servers as DNS to all my clients, then Ad-Guard queries are encrypted to the Internet.

I think that if I do not log the rule I created, then it shows let out anything from firewall host itself ... everything is working as intended, if I deactivate the rule as a test, Internet stop working since DNS are unavailable... I thing it's just the way Opnsense logs the queries. I deactivated the log allow rules and I don't see those now anymore. I could do another test and logs all my rules to see if that's what the log shows actually....

6

Tutorials and FAQs / Re: All my rules show let out anything from firewall host itself

« on: February 01, 2024, 12:58:04 am »

You allow access to this AdGuard, but are your clients actually using it? Or your opnsense (unbound? via DHCP)?

As your last rule allows ANYTHING in theory any GUEST client could use whichever DNS (port 53, 853 or HTTPS) it wants.

Yes, I can see my client using it as I disabled the option to override the DHCP options.

7

Tutorials and FAQs / Re: All my rules show let out anything from firewall host itself

« on: January 29, 2024, 02:50:47 pm »

Please show "the Log"... ;-)

Thank you for your answer. This is part of my log showing a rule I created to allow Guests VLAN to reach the LAN Ad-Guard DNS Server (I am not logging this rule) ... Is it why I see the "let out anything from firewall host itself".

If I deactivate the "Log packets matched from the default pass rules put in the ruleset", I do not see all these logs.

I am just trying to see if I misconfigured my firewall or if this is normal behaviour.

Thanks!

8

Tutorials and FAQs / All my rules show let out anything from firewall host itself

« on: January 29, 2024, 02:56:20 am »

Hello Community,

I am new to Opnsense, coming from Check Point, Untangle, pfSense ... and I am trying to understand what is happening with the Rules.

I have several Networks (and VLANS). Basic example:

Ad-Guard DNS Server on LAN available for ALL Networks

I created a rule under each Network allowing IN -> to the Ad-Guard Server. Everything works fine but the Log shows let out anything from firewall host itself instead.

Question is, since I am not logging this rule, is it normal to see this entry in the log?

9

General Discussion / let out anything from firewall host itself

« on: May 25, 2023, 03:44:39 pm »

Hello,

Newbie with opnsense coming from Check Point, Untangle and pfsense so a bit of experience with Firewall. I am setting up my New OPNSense and found something odd happening .. I was hoping to shed some light with your help. Here is the scenario:

LAN and IOTVLAN on the same interface;
Internal DNS Servers on LAN;
Rule Created to Allow IOTVLAN to Reach DNS Servers;
Rule Description - Allow IoT Internal DNS Requests.

Now, without the rule, requests are blocked as expected in the log but when the rule is created and enabled, Logs shows the request on LAN not IoTVLAN and instead and the description shows coming from "let out anything from firewall host itself" which is an implicit rule and not my rule on the IOTVLAN...? When I try deactivating my Rule, the Log shows the requests being blocked again which tells me that MY Rule is the one filtering the request and not the Implicit one... Same thing happens for an ICMP rule on a different VLAN.........

Any idea what's causing this?

Thanks!!