Filter Rules by controlling output interface

Started by Lejaune, March 31, 2019, 10:40:46 AM

Hi all,

I'm searching for a solution on OPNsense to filter traffic by controlling the physical output interface.

My test platform: (network diagram not reproduced)

I want to be able to ping ANY on the WAN from my LAN_1, but I don't want to be able to ping LAN_2.

I can do this with 2 rules on OPNsense:

  • Drop ICMP from LAN_1 to LAN_2
  • Authorize ICMP from LAN_1 to ANY

But I'm searching for a solution with only 1 rule. For example, if I use Debian with forwarding, I can use iptables to do this with only one rule:

  • iptables -A FORWARD -p ICMP -i ens34 -o ens32 -s 192.168.10.0/24 -j ACCEPT

With this rule, I can control the physical outgoing interface the traffic is redirected to (the -o option, shown in orange).

Thank you
Lejaune

I'm almost sure it's not possible to check both the incoming and outgoing interfaces to make a rule-based decision.

There is tagging support and you can filter in and out in two rules, but I think you need "match" feature for this which doesn't exist in FreeBSD pf(4).


Cheers,
Franco

Rule on LAN1: Source LAN1 subnet
Destination: tick (=not) + the LAN2 subnet

That means ICMP packets destined for anything other than LAN2 get accepted. Adjust to the protocols/ports you want to filter.

True, you can filter by subnets, but it's not a 100% substitute for filtering incoming and outgoing devices. At least the expectations need to be managed. :)


Cheers,
Franco
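To make the last point concrete, here is an added example (not from the thread or from OPNsense) that models the iptables "-i/-o" rule and the single "destination is not LAN2" rule side by side. The addresses, interface names and the extra 10.50.0.0/16 network reachable through a router on LAN_2 are assumptions chosen to show where the two approaches diverge.

```python
# Added example: model both filtering approaches from the thread and compare them.
# Assumed (constructed) topology:
#   LAN_1 = 192.168.10.0/24 on "lan1", LAN_2 = 192.168.20.0/24 on "lan2",
#   default route via "wan", plus 10.50.0.0/16 reachable through a router on LAN_2.
from ipaddress import ip_address, ip_network

LAN1 = ip_network("192.168.10.0/24")
LAN2 = ip_network("192.168.20.0/24")

# Routing table as the firewall sees it: (prefix, output interface).
ROUTES = [
    (ip_network("192.168.10.0/24"), "lan1"),
    (ip_network("192.168.20.0/24"), "lan2"),
    (ip_network("10.50.0.0/16"), "lan2"),   # network behind a router on LAN_2
    (ip_network("0.0.0.0/0"), "wan"),       # default route
]


def output_interface(dst):
    """Longest-prefix match: which interface will a packet to dst leave on?"""
    dst = ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def iptables_style(src, dst, in_if="lan1"):
    """Models: iptables -A FORWARD -i lan1 -o wan -s LAN1 -j ACCEPT, default DROP.
    Accepts only traffic that really leaves on the WAN interface."""
    return (in_if == "lan1"
            and ip_address(src) in LAN1
            and output_interface(dst) == "wan")


def negated_destination(src, dst):
    """Models the single OPNsense/pf rule: pass from LAN1 subnet to NOT LAN2 subnet,
    with the implicit default deny. Only the destination address is checked."""
    return ip_address(src) in LAN1 and ip_address(dst) not in LAN2


def compare(src, dst):
    """Return the verdict of both approaches for one packet."""
    return {"iptables": iptables_style(src, dst),
            "pf_negated": negated_destination(src, dst)}
```

For 10.50.1.1 the negated-subnet rule passes the packet although it exits on LAN_2, which is the gap behind "not a 100% substitute" above.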