Messages - gareththered

#1
I've just figured this out, thanks to a post by @davidsenk, which pointed me to https://forum.opnsense.org/index.php?topic=15900 which discusses reply-to within rules.

In OpnSense's GUI I edited the rule and expanded the Advanced Features section. Within this section is the reply-to menu, which I set to disable.

After saving the rule and reloading the firewall, everything seems to be working.

#2
I'm trying to allow DNS queries to my router, but not from the WAN interface.

To do this I've created a floating rule which allows TCP & UDP port 53 in.  However, this also allows it on the WAN interface, which I don't want.

I therefore added the WAN interface to the rule's 'Interface' field and selected 'Invert'.  This blocked DNS on all interfaces, not just the WAN.

While I've worked around this by reverting to all interfaces and setting the 'Source' to an alias consisting of local networks, I'd like to know why this doesn't work by inverting the interface.

Below is an extract from rules.debug which I've grepped on the interface (re0) and edited to remove the NAT entries:

# block in log quick on re0 inet from {<bogons>} to {any} label "a785cde4d07ef9d5492b2752d6f3674c" # Block bogon IPv4 networks from ONT
# block in log quick on re0 inet6 from {<bogonsv6>} to {any} label "1abb3c3b8584670c042452464f78d963" # Block bogon IPv6 networks from ONT
# block in log quick on re0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "b6e046ea0da3e8b5479bb57aa34db5b1" # Block private networks from ONT
# block in log quick on re0 inet6 from {fc00::/7} to {any} label "fb42f48e27b4fd4647cd998434aea4d7" # Block private networks from ONT
pass out route-to ( re0 <next hop>) from {(re0)} to {!(re0:network)} keep state allow-opts label "f6dc4c3fe096989ac6d4a2c85cd16c64" # let out anything from firewall host itself (force gw)
pass in quick on  ! re0 reply-to ( re0 <next hop> ) inet proto {tcp udp} from {any} to {(self)} port {53} keep state label "f7314d8b59355b1c287b12cb88a291bd" # Allow incoming local DNS queries


As you can see, there are no block rules before it hits my DNS rule (the last one listed above).  Does anyone have any ideas why this fails?

Thanks.
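An added example (my own code, not from the thread and not part of OPNsense): a small Python lint that reads rules.debug lines like the extract above and flags the combination the thread ends up fixing, a `pass in` rule matching on `! iface` that also carries `reply-to ( iface ... )` for that same interface. pf applies reply-to to the reverse direction of the state, so replies for clients reached through the other interfaces are handed to that interface's gateway, which matches the report that the rule only started working once reply-to was set to disable. The sample input is constructed: the two pass rules from the post, one of the commented-out block rules, and a hypothetical corrected copy of the DNS rule with reply-to removed and a placeholder label. Interface lists in braces (`on { lan wan }`) are not handled.

```python
import re

# Constructed sample input (not the forum post verbatim): the rules quoted in the
# post, plus a hypothetical corrected copy of the DNS rule (placeholder label)
# so the lint has both a hit and a non-hit to work on.
SAMPLE_RULES_DEBUG = """\
# block in log quick on re0 inet from {<bogons>} to {any} label "a785cde4d07ef9d5492b2752d6f3674c" # Block bogon IPv4 networks from ONT
pass out route-to ( re0 <next hop>) from {(re0)} to {!(re0:network)} keep state allow-opts label "f6dc4c3fe096989ac6d4a2c85cd16c64" # let out anything from firewall host itself (force gw)
pass in quick on  ! re0 reply-to ( re0 <next hop> ) inet proto {tcp udp} from {any} to {(self)} port {53} keep state label "f7314d8b59355b1c287b12cb88a291bd" # Allow incoming local DNS queries
pass in quick on  ! re0 inet proto {tcp udp} from {any} to {(self)} port {53} keep state label "PLACEHOLDER_LABEL_FIXED_RULE" # Allow incoming local DNS queries (reply-to disabled)
"""

ACTION_RE = re.compile(r"^(?P<action>pass|block|match)(?:\s+(?P<dir>in|out))?\b")
ON_RE = re.compile(r"\bon\s+(?P<neg>!\s*)?(?P<iface>[A-Za-z0-9_.]+)")
REPLY_TO_RE = re.compile(r"\breply-to\s*\(\s*(?P<iface>[A-Za-z0-9_.]+)")
LABEL_RE = re.compile(r'\blabel\s+"(?P<label>[^"]*)"')
TRAILING_COMMENT_RE = re.compile(r'\s#\s*(?P<comment>[^"]*)$')


def parse_rule(line):
    """Pull the fields this lint cares about out of one rules.debug line.

    Returns None for blank lines and for lines that are commented out
    (rules.debug writes disabled rules with a leading '#')."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    action = ACTION_RE.match(stripped)
    if not action:
        return None
    on = ON_RE.search(stripped)
    reply_to = REPLY_TO_RE.search(stripped)
    label = LABEL_RE.search(stripped)
    comment = TRAILING_COMMENT_RE.search(stripped)
    return {
        "action": action.group("action"),
        "direction": action.group("dir"),
        "interface": on.group("iface") if on else None,
        "interface_negated": bool(on and on.group("neg")),
        "reply_to": reply_to.group("iface") if reply_to else None,
        "label": label.group("label") if label else None,
        "comment": comment.group("comment").strip() if comment else "",
    }


def lint_rules(text):
    """Flag 'pass in' rules that match on every interface except IFACE
    (on ! IFACE) while reply-to pins replies to that same IFACE.

    pf applies reply-to to the reverse direction of the state, so replies to
    clients on the other interfaces are sent via IFACE's gateway instead of
    back the way they came; disabling reply-to on the rule is the fix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "pass" or rule["direction"] != "in":
            continue
        if rule["interface_negated"] and rule["reply_to"] == rule["interface"]:
            findings.append({
                "line": lineno,
                "label": rule["label"],
                "interface": rule["interface"],
                "comment": rule["comment"],
                "advice": (f"replies for clients on interfaces other than "
                           f"{rule['interface']} will be sent via "
                           f"{rule['interface']}; set reply-to to disable on this rule"),
            })
    return findings


if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES_DEBUG):
        print(f"line {f['line']} label {f['label']} ({f['comment']}): {f['advice']}")
```

Run it against a real `/tmp/rules.debug` by reading the file into `lint_rules`; the only rule it flags in the sample is the DNS rule from the post, while the corrected copy without reply-to passes.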

#3
I have multiple VLAN interfaces on my new OpnSense install.

I have noticed that those which are configured to issue addresses using DHCP (ISC DHCP v4 - not tried anything else) don't show up when I run `dig` or `drill` to ask the router to resolve its own FQDN (as set up in System > Settings > General).  Only the interfaces which don't use DHCP are listed.

gareth@admin:~$ dig gw1.example.org

; <<>> DiG 9.18.24-1-Debian <<>> gw1.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60738
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;gw1.example.org. IN A

;; ANSWER SECTION:
gw1.example.org. 3600 IN A 172.29.11.1
gw1.example.org. 3600 IN A 172.29.5.1
gw1.example.org. 3600 IN A 172.29.10.1
gw1.example.org. 3600 IN A 172.29.7.1
gw1.example.org. 3600 IN A 172.29.15.1
gw1.example.org. 3600 IN A 172.29.4.1
gw1.example.org. 3600 IN A 172.29.1.1
gw1.example.org. 3600 IN A 192.168.10.197

;; Query time: 0 msec
;; SERVER: 172.29.1.1#53(172.29.1.1) (UDP)
;; WHEN: Mon Apr 15 07:31:30 BST 2024
;; MSG SIZE  rcvd: 185


Notice that 172.29.4.1 and 172.29.5.1 are listed.  After configuring those interfaces to use DHCP, I get:

gareth@admin:~$ dig gw1.example.org

; <<>> DiG 9.18.24-1-Debian <<>> gw1.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50886
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;gw1.example.org. IN A

;; ANSWER SECTION:
gw1.example.org. 3600 IN A 172.29.10.1
gw1.example.org. 3600 IN A 172.29.7.1
gw1.example.org. 3600 IN A 172.29.15.1
gw1.example.org. 3600 IN A 172.29.1.1
gw1.example.org. 3600 IN A 192.168.10.197
gw1.example.org. 3600 IN A 172.29.11.1

;; Query time: 0 msec
;; SERVER: 172.29.1.1#53(172.29.1.1) (UDP)
;; WHEN: Mon Apr 15 08:00:40 BST 2024
;; MSG SIZE  rcvd: 153


Notice that 172.29.4.1 and 172.29.5.1 are now missing.

Is there a valid reason for this?  Is it a setting which I've missed?  Or is it a bug?
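An added example (my own code, not from the thread or OPNsense) for checking the change shown in the two dig runs above without reading the answer sections by eye: a parser for dig's `ANSWER SECTION` and a diff that reports which A records disappeared, appeared or stayed between two runs. The sample inputs are constructed abbreviations of the two outputs in the post (only the lines the parser reads are kept).

```python
import ipaddress
import re

# Constructed samples: the ANSWER SECTIONs from the two dig runs in the post,
# trimmed to the lines this parser reads.
DIG_BEFORE = """\
;; ANSWER SECTION:
gw1.example.org. 3600 IN A 172.29.11.1
gw1.example.org. 3600 IN A 172.29.5.1
gw1.example.org. 3600 IN A 172.29.10.1
gw1.example.org. 3600 IN A 172.29.7.1
gw1.example.org. 3600 IN A 172.29.15.1
gw1.example.org. 3600 IN A 172.29.4.1
gw1.example.org. 3600 IN A 172.29.1.1
gw1.example.org. 3600 IN A 192.168.10.197

;; Query time: 0 msec
"""

DIG_AFTER = """\
;; ANSWER SECTION:
gw1.example.org. 3600 IN A 172.29.10.1
gw1.example.org. 3600 IN A 172.29.7.1
gw1.example.org. 3600 IN A 172.29.15.1
gw1.example.org. 3600 IN A 172.29.1.1
gw1.example.org. 3600 IN A 192.168.10.197
gw1.example.org. 3600 IN A 172.29.11.1

;; Query time: 0 msec
"""

# One resource record as dig prints it: owner, TTL, class, type, rdata.
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+?)\s*$")


def parse_answer_section(dig_output):
    """Return (name, type, rdata) tuples from the ANSWER SECTION only.

    The section ends at the first blank line or the next ';;' header."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            in_answer = False
            continue
        m = RR_RE.match(line)
        if m:
            records.append((m.group("name"), m.group("type"), m.group("rdata")))
    return records


def diff_addresses(before, after, rrtype="A"):
    """Compare the rdata of one record type between two dig runs."""
    b = {r[2] for r in parse_answer_section(before) if r[1] == rrtype}
    a = {r[2] for r in parse_answer_section(after) if r[1] == rrtype}
    order = ipaddress.ip_address  # numeric ordering rather than string ordering
    return {
        "removed": sorted(b - a, key=order),
        "added": sorted(a - b, key=order),
        "unchanged": sorted(a & b, key=order),
    }


if __name__ == "__main__":
    result = diff_addresses(DIG_BEFORE, DIG_AFTER)
    print("removed:  ", result["removed"])
    print("added:    ", result["added"])
    print("unchanged:", result["unchanged"])
```

Feeding the two full outputs from the post produces the same result: the two addresses on the interfaces switched to DHCP are the only ones reported as removed, and nothing is added, which confirms the difference is in the answer set rather than in record ordering.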