Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
[solved] Confused with default ruleset
« previous
next »
Print
Pages: [
1
]
Author
Topic: [solved] Confused with default ruleset (Read 7560 times)
abstan
Newbie
Posts: 3
Karma: 0
[solved] Confused with default ruleset
«
on:
January 03, 2020, 01:38:34 pm »
Hi, I am just getting started with OPNSense 19.7.8 with a very basic setup: ISP box <WAN> OPNSense <LAN> PC.
If I create "Allow all in IPV4"+"Allow all out IPV4" rules on both LAN and WAN interfaces, PC can't get past OPNSense (can't ping ISP box for instance). I can't see any deny in the logs.
When I look at the auto generated floating rules, I see two rules called "block all targetting port 0", but both have "port *" for source and destination. So it seems logical these rules drop all traffic, looks like a bug ? Or is it just badly worded / bad display ?
Now if I create a floating rule "Pass all IPV4 in any direction", PC has full connectivity (can access ISP box / internet / DNS works). But this is not what I want obviously, and I don't even understand how this workaround works since this rule comes after the auto-generated ones. So if the "block all targetting port 0" rules were the issue, this workaround should not work ?
Any hint ?
«
Last Edit: January 03, 2020, 07:50:05 pm by abstan
»
Logged
chemlud
Hero Member
Posts: 2487
Karma: 112
Re: Confused with default ruleset
«
Reply #1 on:
January 03, 2020, 05:57:09 pm »
No idea what this "port 0" floating rule does, but same here and no problem with traffic (IPv4) going back and forth... :-)
Do you have a private IP on WAN and forgot to diasable "block private" on the interface, maybe?
«
Last Edit: January 03, 2020, 05:58:57 pm by chemlud
»
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
abstan
Newbie
Posts: 3
Karma: 0
Re: Confused with default ruleset
«
Reply #2 on:
January 03, 2020, 07:14:49 pm »
I do have a private IP on WAN (in the ISP box subnet), and "Block private networks" + "Block bogus networks" are unchecked on LAN and WAN interfaces.
On LAN I have "auto detect" as the IPv4 Upstream Gateway, and on WAN the ISP box private IP.
I suspect outbound NAT is not working correctly since I don't see blocked packets, but not sure what to do differently. I have the default auto created rule in outbound NAT.
Logged
chemlud
Hero Member
Posts: 2487
Karma: 112
Re: Confused with default ruleset
«
Reply #3 on:
January 03, 2020, 07:24:52 pm »
Although it won't help for the moment: Delete all rules on your WAN interface, they are not needed and highly dangerous.
And while yo are on it: Delete the allow any rule on "floating" also, same mess and not needed.
How about a screen shot for the NAT settings?
Anything else you configured?
I would reset to "start" or do a fresh install, that should work OOTB (after disabeling the "block private" on WAN)...
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Darkopnsense
Full Member
Posts: 148
Karma: 6
Re: Confused with default ruleset
«
Reply #4 on:
January 03, 2020, 07:28:04 pm »
Bonjour,
Firewall:rules : wan
ok
Firewall:rules:lan
modifie IPv4 * LAN net * * * * * Default allow LAN to any rule
Firewall:rules:floating
supprime la règle igb1
cordialement
Logged
Depuis 2017
X7SPA-HF, Intel(R) ATOM(TM) D525, 4Go RAM, 120Go, 2 Lan 24.1.2_1
APU4c, 4Go RAM, 120Go, 4 Lan 24.1.10_8
APU3a, 2Go RAM, 60Go, 3 Lan 24.1.2_1
APU2c, 2Go RAM, 60Go, 3 Lan 23.7.1_3
BIOS A JOUR (v4.19.0.1).
abstan
Newbie
Posts: 3
Karma: 0
Re: Confused with default ruleset
«
Reply #5 on:
January 03, 2020, 07:49:32 pm »
Removing the rules on WAN just solved the issue... It now works without the floating rule. I don't understand why adding these PASS rules would restrict more than no rule, but I guess if it works...
Thanks for the help!
Logged
chemlud
Hero Member
Posts: 2487
Karma: 112
Re: Confused with default ruleset
«
Reply #6 on:
January 03, 2020, 08:22:30 pm »
Quote from: Darkopnsense on January 03, 2020, 07:28:04 pm
Bonjour,
Firewall:rules : wan
ok
No. DON'T ALLOW ANYTHING ON WAN (or floating). Except if you really know what you are doing. Or you can hook up your LAN directly to the internet and watch your machines get compromised within minutes with some bad luck (a raspberry pi with default password won't take longer than a few minutes before it's pawned).
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
[solved] Confused with default ruleset