OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of spartanunitato »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - spartanunitato

Pages: [1]
1
24.1 Legacy Series / Re: Firewall Rules Help
« on: May 19, 2024, 03:58:13 pm »
Quote from: sja1440 on May 19, 2024, 03:37:22 pm
By changing "invert LAN" to "any" you move from only blocking connections to outside your LAN to blocking everthing including to your DNS,  NTP etc. services on OPNsense. Not having DNS is certainly going to prevent access to the internet (unless the destinations are hardwired in the IoT devices)

BTW Do your IoT devices use a hub/gateway lying within your LAN? If so, is that MAC contained in the IoT Alias? Does communication to the internet always go through that?

Regarding the need to clear firewall states after a reboot. Maybe this relates to the nature of OPNsense's MAC Aliases: OPNsense obtains the ipv4/ipv6 addresses by periodically (?) checking the arp and ndp tables. Possibly,  your IoT devices are establishing a connection to the internet before the MAC Alias is populated.  In this case the firewall No 1 rule will never fire. Resetting firewall states is not going to clear out the MAC alias, this would explain why a reset after a reboot fixes the problem..

Have you thought about putting the IoT devices on a separate vlan? Would make it a lot easier.

Ahh I see... thank you for the detailed explanation. My IoT devices connect straight to the internet without a hub, I use them locally with Home Assistant. Moving them to their own VLAN will be the end goal, but right now I use an Asus router as my AP, and that doesn't support VLANs. Once it breaks I will look to switch to Unifi or other products supporting VLAN. Thank you for the help!

2
24.1 Legacy Series / Re: Firewall Rules Help
« on: May 19, 2024, 02:51:39 pm »
I managed to resolve the issue by removing rule 2, and changing the destination for rule 1 from invert LAN net to any. However there is a weird issue, whenever I reboot the router, I need to reset state tables for the firewall rules to work properly. What could be a possible issue? The quick flag is set, and my alias is populated.

3
24.1 Legacy Series / Firewall Rules Help
« on: May 19, 2024, 05:59:32 am »
I have a couple of IoT devices that I want to block incoming and outgoing WAN access, I am using an alias with MAC addresses because I want to block both ipv4 and ipv6 access.
My rules are setup in this way, but they are not working to block internet access, what is going wrong?

Rule 1:
Action: Block
Interface: LAN
Direction: in
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: IoT (alias)
Destination: Invert LAN net

Rule 2:
Action: Block
Interface: LAN
Direction: in
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: Invert LAN net
Destination: IoT (alias)

I have also moved both rules to the top, but my devices are still getting internet access. What should I change?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2