Messages - brigmaticlaw

#1
Alright, I think this is solved since what I was attempting technically works now. That said, I've noticed/learned a few things and am curious...

With the proxy ACLs in place, it would appear I don't even need the original firewall rule allowing access to the service domains. I only need the rule allowing access to the proxy and then NPM takes care of the rest. Is this technically the "correct" way of going about it anyway? Or have I stumbled into the "wrong" way of getting it to work? I ask because even though I'm operating all of this in my home primarily as a way to learn deeper networking topics, I enjoy doing things cleanly and following "best practices".

I have been considering switching over to Traefik as my proxy so I can play around/learn with it and things like Authentik and Crowdsec as middlewares. The Traefik docs mention adding IP access lists to the labels to restrict access like I'm now doing in NPM. Again, I'm assuming that would be the correct way of going about it? I'm trying to mentally square the extent of the firewall's job and the jobs of things like Traefik and Authentik so far as service access and authentication goes. I am starting to suspect I need to alter my thinking from "access control is solely the job of the firewall" to "the firewall is a part of a larger access/security stack with many parts".
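The label-based IP access list mentioned above, written out as an added example (this is not from the original thread and not the Traefik project's own example). It assumes Traefik v3 (v2 spells the same middleware `ipwhitelist`), the Main net (VLAN20) at 192.168.20.0/24, two Rokus at 192.168.20.51 and .52, DHCP reservations for the phones and laptops in 192.168.20.64/28, and the hostname jellyfin.home.example; all of those addresses and names are assumptions, not values from the posts. The point it illustrates is the layering the post arrives at: the firewall rule only has to let the allowed hosts reach the proxy's IP on 443, and the proxy's own allow list decides which of those sources reach each service.

```yaml
# docker-compose.yml (hypothetical): Traefik v3 in front of Jellyfin with a
# per-router IP allow list. Addressing below is assumed, not taken from the thread:
#   Main net (VLAN20)        192.168.20.0/24
#   Rokus                    192.168.20.51, 192.168.20.52
#   phones/laptops (DHCP     192.168.20.64/28
#   reservations)
services:
  traefik:
    image: traefik:v3.1
    command:
      - --providers.docker=true
      # Only containers that opt in with traefik.enable=true get a router.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy

  jellyfin:
    image: jellyfin/jellyfin
    # Deliberately no "ports:" entry: Jellyfin is only reachable through Traefik,
    # so the firewall rule on VLAN20 needs to allow nothing but proxy-ip:443.
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.home.example`)
      - traefik.http.routers.jellyfin.entrypoints=websecure
      - traefik.http.routers.jellyfin.tls=true
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
      # IP allow list middleware. Traefik only sees layer-3 source addresses, so a
      # MAC-based alias like the one used in the firewall rule has no equivalent
      # here; give those devices DHCP reservations and list the resulting IPs.
      # Requests from any other source get a 403 from Traefik before reaching
      # Jellyfin, which is the second layer behind the firewall rule.
      - traefik.http.middlewares.main-only.ipallowlist.sourcerange=192.168.20.51/32,192.168.20.52/32,192.168.20.64/28
      # If Traefik ever sits behind another proxy, add
      # ...ipallowlist.ipstrategy.depth=1 so it evaluates X-Forwarded-For
      # instead of the upstream proxy's address. Not needed when clients on
      # VLAN20 hit Traefik directly, as in this thread.
      - traefik.http.routers.jellyfin.middlewares=main-only

networks:
  proxy:
```

Each service gets its own router and can reference the same middleware or a narrower one (Home Assistant, for example, might be limited to the phone and laptop range only). Whatever the proxy allows, the firewall still sees only VLAN20 to proxy-ip:443, so the two layers should be kept consistent by hand: the firewall decides which hosts may talk to the proxy at all, the proxy decides which of them may reach each hostname.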

#2
Thank you, Seimus.

I created a rule to allow my two host aliases to reach NPM. I am able to resolve those domains while on the Main network. However, it looks like I now need to set up some ACLs within NPM to restrict access to only those services on that side as well. I will have a go at that and if I can figure that out and get it working, I'll mark this as solved.

#3
Hi all,

I'm having a bit of an issue with a rule allowing certain devices on my main network to access select services on my server network. I have the basic "Allow internet/block private networks" and "Allow DNS" rules on each interface. I am attempting to add this new rule to allow devices on the Main interface (VLAN20) to access the services (Jellyfin, Immich, and Home Assistant) hosted on servers in Lab net (VLAN10). With the rule enabled and with my phone connected to the Main net, I cannot access the above services.

I have set up three aliases; one containing the IPs of my two Rokus for Jellyfin access, another containing the MAC addresses of our phones and laptops, and the third which has the URLs of the three services mentioned above. Admittedly I could probably combine the first two but for now let's just roll with it.

In the "Lab_Services" alias, I am using the FQDNs for each service instead of their IP/ports. I am running all services through Nginx Proxy Manager which is also hosted on a server on the Lab net. Here is what everything looks like:

(Two screenshot attachments from the original post are not available here.)

My suspicion lies with the reverse proxy since the services alias is using FQDNs instead of IPs. Am I on to something there? Do I need to allow Main net access to the proxy as well so those addresses can be properly routed? Any pointers would be greatly appreciated!

#4
Hey thank you for the reply and apologies for the delay in my response. I have now gotten this figured out. I have had the hardest time shifting my mindset from audio signal flow (after 15 years as a career) to network traffic flow. My biggest issue was looking at things from the perspective of the firewall as opposed to from the perspective of the interface I was working with. All is working as intended now!

#5
Hi everyone! I was hoping you may be able to point me in the right direction on this small obstacle I've been hitting. I am not at all ruling out gross ignorance here, so please accept my apologies in advance.

I am attempting to have two physically separate networks both going through my OPNsense box. One is my main home network with several VLANs (Lab, Main, Guest, etc.) all trunked to my main switch on a 10GbE NIC, ix0. The second is plugged into a 4-port NIC on em2 (em1 is WAN) and is intended to be an internet-access-only mini-LAN for all work-owned devices to connect to. This hardware is nothing more than a 5-port unmanaged switch connected to an older Linksys router set to Bridge Mode with a static IP and its own SSID.

Other than the auto-generated rules, the only rule I have on the "Work" interface is to allow internet. At first I thought the segmentation was working, but I have discovered that is not actually the case. I tried setting a rule on the Work interface to block all outbound traffic from Work net to all other interfaces in my trusted network. However, using my work laptop connected both hardwired and over Wi-Fi, I am still able to access all of my resources running on my Lab VLAN on the trusted network.

I also tried setting a rule on the Lab interface to block all incoming traffic from Work net but that also didn't seem to work.

It doesn't seem to matter whether I'm using the IP of the service or the local FQDN I have set up through Nginx Reverse Proxy Manager.

I feel like one of these rules should work but, again, I could just be incredibly ignorant.

Any ideas of what I'm doing wrong? I appreciate any direction you may be able to provide.