Messages - allebone

#406
I just want to follow this in case someone gets it working.
#407
Hi there,

I would like to create a rule that detects if an IP attempts to make a connection to the firewall on a certain port, and adds that IP into a block rule. Is this possible to do? E.g. IP 1.1.1.1 connects to the firewall on port 4000. The firewall sees this in the logs and adds it into a block rule that denies any traffic for 1.1.1.1, which also now prevents that IP from connecting to any NAT rules that are open for other services on the network.

Kind regards
P
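The detection half of the question above, as an added example that is not from the post or from OPNsense: it reads log lines in the same column layout as the live log view shown elsewhere on this page (interface, time, source, destination, protocol, label), counts connection attempts to a watched port on the WAN interface, and emits /32 entries for a block list. The log lines, addresses, rule labels, the `threshold` knob and the allow-list are all constructed for the example; how the resulting list is loaded into a firewall alias is deliberately left out, since the page does not describe that step.

```python
from collections import Counter
import ipaddress

# Constructed sample lines in the live-log layout used on this page:
# iface, month, day, time, src:port, dst:port, proto, rule label.
# Addresses and labels are made up for the example.
LOG_LINES = [
    "wan Feb 01 10:00:01 203.0.113.7:40211 198.51.100.9:4000 tcp Default deny rule",
    "wan Feb 01 10:00:02 203.0.113.7:40212 198.51.100.9:4000 tcp Default deny rule",
    "wan Feb 01 10:00:03 203.0.113.7:40213 198.51.100.9:4000 tcp Default deny rule",
    "wan Feb 01 10:00:05 203.0.113.44:55000 198.51.100.9:443 tcp Allow HTTPS",
    "wan Feb 01 10:00:07 192.0.2.200:3321 198.51.100.9:4000 tcp Default deny rule",
    "lan Feb 01 10:00:08 192.168.2.113:51000 198.51.100.9:4000 tcp Default allow LAN to any rule",
]


def parse_line(line):
    """Split one live-log style line into the fields the detection needs."""
    iface, _mon, _day, _clock, src, dst, proto, label = line.split(None, 7)
    src_ip, _src_port = src.rsplit(":", 1)      # rsplit: ports sit after the last colon
    _dst_ip, dst_port = dst.rsplit(":", 1)
    return {"iface": iface, "src": src_ip, "dst_port": int(dst_port),
            "proto": proto, "label": label}


def offenders(lines, watch_port, iface="wan", threshold=1):
    """Source IPs that hit watch_port on iface at least `threshold` times.

    Restricting to the WAN interface keeps LAN hosts that legitimately reach
    the port from ending up on the block list.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["iface"] == iface and rec["dst_port"] == watch_port:
            hits[rec["src"]] += 1
    return sorted(ip for ip, count in hits.items() if count >= threshold)


def block_list(lines, watch_port, allow=("192.0.2.0/24",)):
    """Offenders minus allow-listed networks, as /32 entries for a block alias.

    The allow-list (an assumed management range here) is the guard against
    locking yourself out with your own scanner or monitoring host.
    """
    allowed = [ipaddress.ip_network(net) for net in allow]
    entries = []
    for ip in offenders(lines, watch_port):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        entries.append(f"{ip}/32")
    return entries


if __name__ == "__main__":
    for entry in block_list(LOG_LINES, 4000):
        print(entry)
```

Raising `threshold` turns a single stray SYN into a non-event and only blocks repeat offenders; the LAN line in the sample is ignored entirely because the interface filter excludes it.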
#409
I had to use pc-i440fx-4.2 and SeaBIOS on unraid for my OPNsense VM. Did you try that? Also I installed using legacy boot.
#410
I use i440fx and virtio with seabios because it works the best for me after testing all the different combinations, and uses the least cpu. I think trying to use q35 would be really hard.
#411
20.1 Legacy Series / Re: High memory usage in Proxmox VM
February 03, 2020, 04:21:51 PM
Quote from: REH on February 03, 2020, 03:31:13 PM
Thanks for the tips, but I'm using an Intel NIC PCI card where i pass the ports through.

Yup, that's the gold standard. For those of us on a tighter budget, bridging is OK for a home setup :)

Good luck with your build - OpnSense is a very nice product :)
#412
What machine type and nic driver type are you passing to the vm from KVM?
#413
20.1 Legacy Series / Re: High memory usage in Proxmox VM
February 03, 2020, 02:20:26 PM
I'm no expert, but from the screenshot memory ballooning might be being used? If that is the case then this behaviour is expected. I use OPNsense on unraid and the same thing happens for me. Also, as an aside, just as another tip: for me to get the best performance I had to use machine type i440fx (I'm using version 4.2) and SeaBIOS so that I could pass the virtio network drivers. These NICs provide the best performance in a VM, unless of course you are using PCI passthrough on the NICs, which would be fine also.

Pete
#414
Quote from: franco on February 01, 2020, 07:24:54 AM
Hi P,

You can use a full regex search: :53[^0-9]

The page will be improved eventually and the searching made easier. I think there's already a ticket for it.


Cheers,
Franco

Hello Franco,

Thank you, this information is excellent. I was able to get close enough to what I needed with a simple :53[^5353], so thank you for this tip. Even that alone filters out enough to make the log more manageable.
In addition I have managed to switch over completely from pfSense with all the help from the forums, so while there is a learning curve in changing over, and some differences, it's certainly manageable for anyone if even I can do it.

Thanks again,
P
#415
Hi,

I am trying to filter a specific port in live log view. I filter on this string -

:53

This shows me what I am looking for (port 53), but in addition ports that contain this string, e.g. :5353, also match. Also the time in seconds at :53 also matches.

How can I modify my string to only search port 53?

Many thanks,
P
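The two posts above (#415 asking how to match only port 53 in the live log, and #414 using Franco's `:53[^0-9]`) come down to regex semantics, so here is an added example, not from the posts or from OPNsense, that runs the candidate patterns over constructed log lines in the live-log column layout shown on this page. It goes a step beyond the thread: `[^0-9]` excludes `:5353` and `:53001` but still matches a timestamp such as `14:59:53` and needs a character after the port, so the example also anchors the pattern to an IPv4 address, which is the form that matches only a port. The lines and addresses are made up; `[^5353]` is included only to show that a character class lists characters, so it excludes just the digits 3 and 5.

```python
import re

# Constructed sample lines in the live-log layout used on this page:
# iface, timestamp, src:port, dst:port, proto, rule label. Values are made up.
SAMPLE_LINES = [
    "lan Jan 31 14:12:07 192.168.2.113:51234 192.168.2.1:53 udp Default allow LAN to any rule",       # real port 53
    "lan Jan 31 14:12:08 192.168.2.113:5353 224.0.0.251:5353 udp Default allow LAN to any rule",      # mDNS, not 53
    "lan Jan 31 14:12:09 192.168.2.50:53001 93.184.216.34:443 tcp Default allow LAN to any rule",     # src port 53001
    "lan Jan 31 14:53:10 192.168.2.50:44122 93.184.216.34:80 tcp Default allow LAN to any rule",      # minute == 53
    "wan Jan 31 14:59:53 142.113.216.163:58231 67.212.168.66:443 tcp let out anything from firewall host itself (force gw)",  # second == 53
    "lan Jan 31 15:01:02 192.168.2.50:60001 8.8.8.8:53 udp Default allow LAN to any rule",            # real port 53
]

NAIVE = re.escape(":53")          # the plain-string filter from the question
FRANCO = r":53[^0-9]"             # the regex suggested in the thread
MISREAD = r":53[^5353]"           # a character class: excludes only the digits 3 and 5


def matching_indices(lines, pattern):
    """Indices of the lines the regex matches, in order (re.search, unanchored)."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def port_pattern(port):
    """Regex that matches `port` only as the port of an IPv4 address:port token.

    Anchoring on the dotted quad rules out timestamps, and the trailing \\b
    rules out longer ports (5353, 53001) without requiring a following char.
    """
    return r"\b(?:\d{1,3}\.){3}\d{1,3}:%d\b" % port


def port_filter(lines, port):
    return [lines[i] for i in matching_indices(lines, port_pattern(port))]


if __name__ == "__main__":
    for name, pat in (("naive", NAIVE), ("franco", FRANCO), ("ip-anchored", port_pattern(53))):
        print(f"{name:12s} -> lines {matching_indices(SAMPLE_LINES, pat)}")
```

Against the sample, the plain `:53` matches every line, `:53[^0-9]` still keeps the two timestamp lines, and the IP-anchored pattern keeps only the two genuine port-53 entries. The same `port_pattern` works for any port, so the 443 lines can be pulled out the same way.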
#416
Thank you, by testing further and with your advice I have understood what to do and the situation is now resolved :)
#417
Quote from: banym on January 31, 2020, 05:08:50 PM
If you want see the traffic from the local IP you need to capture on LAN interface.

Thank you, how can I do this and add relevant rules?
#418
Hi there,

I have downloaded a fresh install of OPNsense on a VM with virtual adapters, and only set up PPPoE on the WAN interface and configured the LAN interface IP. No other changes have been made, so it is very default (besides setting a password etc. for login).

I would like to be able to block certain ports for certain LAN clients. E.g. block port 443 for all LAN clients except a few to a certain IP.

Before doing this I check live logging to see if I can find the internal IPs of the clients I am testing with in the logs accessing 443. However, all clients in the firewall log show as the WAN address when captured. E.g.:


Interface       Time    Source    Destination    Proto    Label    
   wan      Jan 31 14:59:36   142.113.216.163:58231   67.212.168.66:443   tcp   let out anything from firewall host itself (force gw)   

So source address is always 142.113.216.163 (my WAN IP) and destination and port is listed as correct (67.212.168.66:443).

This is unexpected. My expectation was something like source = 192.168.2.113:58231 (an internal IP). This would allow me to create a rule on the LAN side of the firewall restricting port 443 from a range of internal IPs to this destination. In this setup, however, I can only blanket ban everything to that destination.

I have tested this with a LAN rule (does nothing) and then a WAN block rule that successfully blocks everything to a destination, or everything on a certain port I specify, but this limits me opening it up to certain internal LAN clients.

Is this behaviour expected, and if so what can I do to work around this behaviour?

P
#419
General Discussion / Re: Port 80, 443 forwarding issue
January 21, 2020, 04:30:13 AM
Did you already check that the machine you are forwarding ports to does not have a local firewall (e.g. Windows would have the Windows firewall) that needs them opened on it?
#420
Interesting. Good find man :)