Show Posts
Messages - lar.hed

226
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: December 01, 2020, 07:38:35 am »
Okay - when I drew this on paper yesterday evening I think I understood why we "talk different languages" so to speak. I see this at "hardware" level, and I think OPNsense developers see this more at "software" level. Why? Well, you request, most likely correctly, IPs and direction. I like to see this at hardware interface level, and of course direction. I think this could explain why I would very much like to have back the firewall rules that seemed to work on 20.1 - and now no rules at all work on WAN-kind interfaces (all rules are always interpreted as blocking rules, no matter what).

Anyway, here is a very simple drawing. Do note that I am at interface level, and the ports mentioned are the only ones allowed out from each area so to speak.

227
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 30, 2020, 06:55:17 pm »
Sorry, yes still trying to find enough time to draw that drawing I have in my head, on the right computer on top of all. This seems to be an issue for me, always working from home, but on the wrong computer....

228
Documentation and Translation / Re: What IP is "This Firewall" and so on - anyone care to expand on how this?
« on: November 30, 2020, 06:27:00 pm »
Quote from: Antaris on November 30, 2020, 06:09:22 pm
Your "LAN net" must be 192.168.1.0/24 actually...

Yes, of course, .1 to .254. However, my DHCP settings for LAN are .10 to .100 in range.

229
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 30, 2020, 04:58:37 pm »
Well I have such a case - now there are more ways to handle what I now describe, so....

I use a piece of software, LMS - Logitech Media Server, and for some (very ugly) reason it likes to send stuff on port 9000, broadcast style. A very easy way to solve this is to simply block port 9000 on the (e.g. LAN) interface that the LMS server is connected to. And it will for sure do the trick, I hope, since I have actually never tried that on OPNsense...

Now this is how I have it on my ASUS router (it has a LAN-to-WAN netfilter GUI part, where one can choose blacklist or whitelist any TCP/UDP traffic (and ICMP)): I only run whitelist, port 80/443 and that is it. This works, since well it is like in OPNsense, you have no control of the WAN interface. So since the ASUS router handles all DNS requests on port 53 (or 853) - well I do not need to handle that since that is after LAN-to-WAN firewall so to speak. The same way it goes in OPNsense.

And this is where I am trying to improve. I would like to have that extra control of what actually leaves the WAN port(s), dead 100% control. Not only LAN (WORK, or what ever) rules but that extra last line of "defense".

And as I wrote I did have this up and running in 20.1 since I have screendumps on all my old 20.1 firewall rules, and Multi-WAN btw (what did not work on Multi-WAN in that hardware was gateway switch - it only worked from WAN-FTTH most likely since I used wrong gateway in my rules - yes my mistake). And I could use my work-PC for sure thru that OPNsense firewall. The same rules on 20.7 = internet blocked.

Now if my interpretation is correct, this is simply not possible (anymore?). We all assume that OPNsense is 100% safe at all times. Right? Since OPNsense always has 100% possibility to do whatever it likes - it is the firewall after all?

Don't get me wrong here, OPNsense is superb - it is just that last line of defense that used to work that now simply put does not work.


230
Documentation and Translation / Re: What IP is "This Firewall" and so on - anyone care to expand on how this?
« on: November 30, 2020, 04:36:27 pm »
Large Thanks!

Much better now. Still a lot to learn, as always, however this made it much easier!

231
Documentation and Translation / Re: What IP is "This Firewall" and so on - anyone care to expand on how this?
« on: November 30, 2020, 03:22:17 pm »
Quote from: chemlud on November 30, 2020, 10:54:35 am
"This Firewall" is an Alias for ALL IPs of the OPNsense on all available interfaces.

So just to be over specific here, "This Firewall" is, in my case, not only 192.168.1.1 (LAN) and 192.168.2.1 (WORK) but also my two WAN interfaces and the DHCP "generated" IP addresses? ???

232
Documentation and Translation / What IP is "This Firewall" and so on - anyone care to expand on how this?
« on: November 30, 2020, 08:13:42 am »
When I add a new firewall rule, I get the choice of a few predefined variables which I have never found the correct definition for. In my case, for the moment I might add, I am using 4 (out of 8) ports (interfaces) on my OPNsense firewall hardware:
LAN - 192.168.1.1
WAN_FTTH - DHCP ISP
WAN_LTE - DHCP ISP
WORK - 192.168.2.1

As one might assume I have a Multi WAN setup, with failover from WAN_FTTH to WAN_LTE when the fiber fails (I did not expect this to happen, but it has, twice in the last 12 months....).

So I have a rule on LAN and WORK to redirect DNS (port 53) to local DNS. Now this is where I started to (over-) think this. What am I to enter into the Destination field? First thought was "This firewall" and well it does work. On both LAN and WORK, then for some reason I started to think (again) and changed it to the IP for the interface. LAN = 192.168.1.1 and WORK = 192.168.2.1. LAN worked after this, WORK did not. So WORK I changed back to "This Firewall" and now it works again....

So, again, I started to think (yes I know, it will always create challenges...): what do the predefined Networks stand for and represent? So a primer for the following would be awesome:

"This Firewall" - is what? 192.168.1.1?
"LAN net" - is anything active on LAN interface, and if it is DHCP active (as it is in my case) somewhere 192.168.1.10-100?
"LAN address" - is 192.168.1.1?
"Loopback net" - is 127.0.0.1? or?
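As an added illustration of the alias semantics discussed in these two posts (the question above and chemlud's answer that "This Firewall" covers all of the firewall's addresses on all interfaces), here is a small Python resolver; it is not OPNsense code. The interface table is constructed to mirror the poster's layout, and the two WAN lease addresses are placeholders from the documentation ranges, not real ISP addresses.

```python
# Added example (not from the forum thread or from OPNsense itself): expands
# rule aliases such as "This Firewall", "LAN net", "LAN address" and
# "Loopback net" against a constructed interface table.
import ipaddress

# Constructed interface table: name -> (address, prefix length).
# WAN entries stand in for DHCP leases from the ISP; values are placeholders.
INTERFACES = {
    "LAN":      ("192.168.1.1", 24),
    "WORK":     ("192.168.2.1", 24),
    "WAN_FTTH": ("198.51.100.23", 24),   # placeholder lease (TEST-NET-2)
    "WAN_LTE":  ("203.0.113.77", 24),    # placeholder lease (TEST-NET-3)
    "Loopback": ("127.0.0.1", 8),
}


def resolve_alias(alias, interfaces=INTERFACES):
    """Return the set of networks an alias expands to.

    "This Firewall" is every address the firewall itself holds on any
    interface, including DHCP-assigned WAN addresses; "<IF> net" is the
    whole subnet of that interface; "<IF> address" is its single address.
    """
    if alias == "This Firewall":
        # /32 host routes for each interface address
        return {ipaddress.ip_network(addr) for addr, _ in interfaces.values()}
    name, _, kind = alias.rpartition(" ")
    addr, plen = interfaces[name]
    if kind == "net":
        # strict=False masks the host bits off (192.168.1.1/24 -> 192.168.1.0/24)
        return {ipaddress.ip_network(f"{addr}/{plen}", strict=False)}
    if kind == "address":
        return {ipaddress.ip_network(addr)}
    raise ValueError(f"unknown alias: {alias!r}")


def matches(alias, ip, interfaces=INTERFACES):
    """True if `ip` falls inside any network the alias resolves to."""
    target = ipaddress.ip_address(ip)
    return any(target in net for net in resolve_alias(alias, interfaces))


if __name__ == "__main__":
    for alias in ("This Firewall", "LAN net", "LAN address", "Loopback net"):
        print(alias, "->", sorted(str(n) for n in resolve_alias(alias)))
```

Note that a DHCP client in "LAN net" (e.g. 192.168.1.50) is not in "This Firewall", while a WAN lease address is, which is why a redirect rule with destination "This Firewall" keeps working when the WAN address changes.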

233
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 30, 2020, 07:37:06 am »
Btw I am not sure, but it feels like there is something not working on filtering on WAN interface. Since I had the problem with ICMP above, I decided to test the "rest". So I constructed a rule that allowed HTTP. Only one rule, and that was HTTP out pass. Nothing really happened. So I decided to add a rule for HTTPS out pass = internet dead - now again, I added an allow rule (pass) and I got a block rule.... Disabled that HTTPS rule = internet online again.

So from the looks of it, adding a rule, pass or block, will ALWAYS result in a BLOCK rule no matter what?!

I am pretty sure this worked in 20.1 - but it does not work in 20.7 - so something has changed?

234
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 30, 2020, 07:28:40 am »
I think I can do better, I will (try to) draw a sketch that describes how I imagine my installation of a firewall.  Just need a few moments.....

235
General Discussion / Re: Is Multi-WAN + Whitelist firewall + DNS-over-TLS possible?
« on: November 29, 2020, 08:04:19 pm »
I will answer this myself: NO - it is not.

OPNsense does not allow or work with any kind of filtering on the WAN interface. Adding rules, even simple things like allow HTTP, HTTPS, NTP, SMTP/S outbound - this will kill the internet connection, and I have not even added any blocking rules - just 4 simple allow outbound rules, and from that moment I lose the internet connection.

Not sure that is how I would design a firewall, however this is how 20.7.5 works.

236
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 29, 2020, 06:22:53 pm »
Right, so I can ONLY control what is sent/received on for example the LAN interface - but I have no way of controlling what goes thru the WAN interface? Have I got this correct?

237
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 29, 2020, 02:31:55 pm »
Okay. I understand. I think. Might need a night to sleep on it...

How should I then whitelist everything that is allowed to exit from OPNsense? It sounds like that is impossible?

On 20.1 I got this working the same way I am trying now. Has something changed to 20.7?

238
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 29, 2020, 01:12:07 pm »
Okay, can not work around this challenge...

All below is tested on my backup WAN interface, the WAN_LTE interface. Also, for all testing below there are NO block rules enabled! The ONLY rules I am testing are "allow out" kind of rules to try figuring this out...

If I add a rule that allows ICMP <any> out - dpinger will stop working.
If I add a rule that allows <any> protocol <any> everything out - dpinger will stop working.
Add a rule that allows HTTP / HTTPS / NTP / DNS / port 853 (DNS-over-TLS) out - dpinger works perfectly.

So adding an ICMP or allow-anything-out rule stops dpinger. I can not be doing this wrong, there has got to be something else involved here that I simply put don't understand. Adding an allow-all-everything-out rule should not stop dpinger from working. And dpinger, since it is internal, is not supposed to be stopped anyway, or?

239
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« on: November 29, 2020, 12:23:40 pm »
For the fun of it I decided to put my new OPNsense (WAN_FTTH) router inside the ASUS firewall, and allowed all ports open in/out on the IP that the OPNsense firewall got. This shut down dpinger of course, and I lost the WAN_FTTH interface = status offline. I then added ICMP packet type 0 and 8 (which is Echo Reply and Echo) - and the result is that my WAN_FTTH interface got status = online.

So dpinger needs Echo (=ICMP packet type 8) and Echo Reply (=ICMP packet type 0) to work. I now know what to filter for in OPNsense - I thought...

...so I am still working on what I do wrong here...


240
20.7 Legacy Series / Re: Multi WAN (was DoT in combo) - 192.168.1.1 or 127.0.0.1?
« on: November 29, 2020, 11:10:55 am »
I was not at my PC at my previous response, here are two screenshots with the DNS and NTP rule details.
