General Discussion / Opnsense auto generated rules prevent blocking
« on: June 04, 2024, 10:17:40 am »
Hi, all.
I am trying to block a set of devices from reaching any address except a particular LAN address and port. Here is my setup:
I have OPNsense connected to my ONT. On the LAN port, I have a wireless router and other wireless mesh devices. I am using the router as a wireless AP and using the OPNsense DHCPv4 server.
On my firewall, I have aliased devices I want to prevent from reaching the Internet with a rule in floating rules:
Rule 1
Dir: out
Interface: lan
Source: myAlias
Dest: mySpecific Lan Address and port on lan with cidr 32
Allow
Rule 2
Dir: out
iFace: lan
Src: myAlias
Dest: any
Block
Apply all rules
I would think this should be enough, but those devices can both ping, traceroute via OPNsense, and browse the internet. I have tried to restart fp and restart fw server. The traffic seems to go through an auto generated rule for "let out anything from firewall host itself". I can use DNS to block address translation, but that defeats the purpose of a firewall.
I have looked at firewall sessions to find the rule that is allowing traffic out. I can't disable this rule with the UI, and it seems if this is really a default rule, it is a bad rule or something is not right with my setup. I have a bunch of IoT devices and many other Android devices from China that I don't want to reach the internet at all. They are only allowed to connect to an internal server UI or specific port, like RTSP, and I want to block all outgoing and incoming traffic. All the devices have static IPv4 addresses and are included in the alias. This was a similar setup to pfSense, where rules worked, but it seems OPNsense is just not blocking anything at all via firewall.
I'll be happy to provide more info without external ips or other info that would compromise security.
I am a technical user in a related field with experience in BSD, Linux, and lots of related stuff. I know it is possible to remove the auto rules, but this whole thing seems wrong, so I'm questioning my own setup. I'm coming from pfSense and wanted to use OPNsense for Sensei, Suricata, etc. What is wrong here?
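The rules as posted are bound to direction "out" on LAN, while a LAN client's packet enters pf "in" on LAN and only later leaves "out" on WAN, where the stock "let out anything from firewall host itself" rule is the one that matches. The following added Python model (not from the post or from OPNsense) walks both legs under simplified pf first-match semantics; it assumes the stock "Default allow LAN to any rule" is still present, treats every rule as quick, and uses constructed addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
# Constructed sample addresses: two IoT hosts in the alias, one internal RTSP server, one internet host.
MY_ALIAS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
RTSP_SERVER = ip_network("192.0.2.5/32")
IOT, RTSP, INTERNET = ip_address("192.0.2.10"), ip_address("192.0.2.5"), ip_address("203.0.113.7")

@dataclass
class Rule:
    label: str
    action: str     # "pass" or "block"
    direction: str  # "in" or "out"
    iface: str      # "lan", "wan", or ANY (floating rule with no interface bound)
    src: object     # set of addresses, or ANY
    dst: object     # ip_network, or ANY
    dport: int = 0  # 0 = any port

def matches(r, direction, iface, src, dst, dport):
    return (r.direction == direction and r.iface in (ANY, iface)
            and (r.src == ANY or src in r.src)
            and (r.dst == ANY or dst in r.dst)
            and (r.dport == 0 or r.dport == dport))

def evaluate(rules, direction, iface, src, dst, dport):
    """Simplified pf: every rule is 'quick', so the first match decides; no match means default deny."""
    for r in rules:
        if matches(r, direction, iface, src, dst, dport):
            return r.label, r.action
    return "default deny", "block"

def trace(rules, src, dst, dport, egress="wan"):
    """A LAN client's packet is filtered 'in' on lan first; only if passed is it filtered 'out' on egress."""
    first = evaluate(rules, "in", "lan", src, dst, dport)
    if first[1] == "block":
        return [first]
    return [first, evaluate(rules, "out", egress, src, dst, dport)]

# Stock OPNsense rules assumed present (labels as shown in the GUI; ordering simplified).
AUTO_RULES = [Rule("Default allow LAN to any rule", "pass", "in", "lan", ANY, ANY),
              Rule("let out anything from firewall host itself", "pass", "out", ANY, ANY, ANY)]
# As posted: floating rules with direction OUT on lan, evaluated before the stock rules.
POSTED = [Rule("rule1", "pass", "out", "lan", MY_ALIAS, RTSP_SERVER, 554),
          Rule("rule2", "block", "out", "lan", MY_ALIAS, ANY)] + AUTO_RULES
# Same rules with direction IN on lan, the leg on which the clients' traffic actually enters pf.
FIXED = [Rule("rule1", "pass", "in", "lan", MY_ALIAS, RTSP_SERVER, 554),
         Rule("rule2", "block", "in", "lan", MY_ALIAS, ANY)] + AUTO_RULES
```

Calling `trace(POSTED, IOT, INTERNET, 443)` reproduces the session the poster saw (passed by the default LAN rule, then by the "let out" rule), while `trace(FIXED, IOT, INTERNET, 443)` stops at rule2 on the inbound LAN leg.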