Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Source & destination network options of firewall rules
« previous
next »
Print
Pages: [
1
]
Author
Topic: Source & destination network options of firewall rules (Read 10236 times)
alexroz
Newbie
Posts: 43
Karma: 0
Source & destination network options of firewall rules
«
on:
August 25, 2020, 08:34:47 pm »
There are some network options available as a source or a destination while creating firewall rules:
Networks
any
This Firewall
LANx
address
LANx
net
Loopback net
Thous terms may sound obvious for some people, but I am struggling to grasp their true meaning.
For example LANx
address
and LANx
net
networks sounds the same for me.
Can anyone point me to some documentation clearly explaining these options?
«
Last Edit: August 25, 2020, 08:38:01 pm by alexroz
»
Logged
marjohn56
Hero Member
Posts: 1701
Karma: 179
Re: Source & destination network options of firewall rules
«
Reply #1 on:
August 26, 2020, 05:10:21 am »
I'll try
any - Any address, used in the context of a source address for rule, for example, you run a webserver, any address could be the source of the connection to your webserver. Used in the context of a destination, i.e. a LAN rule would allow any to any would allow a lan client to connect to any address.
This Firewall - An address that is specific to your firewall, the WAN, LAN, loopback ( 127.0.0.1 )
LANx address - a single address e.g. 192.168.1.1 on your LAN
LANx net - the entire subnet e.g. 192.168.1.0/24 or all of the addresses on the LAN segment in question
Loopback net - 127.0.0.0/8 or all loopback addresses
«
Last Edit: August 26, 2020, 05:13:22 am by marjohn56
»
Logged
OPNsense 24.7
-
Qotom Q355G4
- ISP -
Squirrel 1Gbps
.
Team Rebellion Member
- If we've helped you remember to applaud
alexroz
Newbie
Posts: 43
Karma: 0
Re: Source & destination network options of firewall rules
«
Reply #2 on:
August 26, 2020, 05:07:48 pm »
Quote from: marjohn56 on August 26, 2020, 05:10:21 am
LANx address - a single address e.g. 192.168.1.1 on your LAN
Thank you marjohn56
But I still doesn't get the
LANx address
part...
LANx address isn't any particular IP address. Right?
If it is a set of all available addresses on a given net - how does it differ from
LANx net
, as long as a net includes all its addresses?
I understend that a
net
& a
address
can't be the same even based on following example
https://docs.opnsense.org/manual/how-tos/guestnet.html#block-local-networks
But how do they differ?
Logged
marjohn56
Hero Member
Posts: 1701
Karma: 179
Re: Source & destination network options of firewall rules
«
Reply #3 on:
August 26, 2020, 05:45:00 pm »
LAN = Local Area Network. You can have more than one. Here's part of my drop down list.
As you see I have multiple 'LANs', so therefore multiple LAN addresses and LAN nets.
Logged
OPNsense 24.7
-
Qotom Q355G4
- ISP -
Squirrel 1Gbps
.
Team Rebellion Member
- If we've helped you remember to applaud
marjohn56
Hero Member
Posts: 1701
Karma: 179
Re: Source & destination network options of firewall rules
«
Reply #4 on:
August 26, 2020, 05:47:08 pm »
A LAN address is a single address i.e. 192.168.1.100 - LAN Net means all the addresses in that LAN segment, from 192.168.1.0 to 192.168.1.255.
Logged
OPNsense 24.7
-
Qotom Q355G4
- ISP -
Squirrel 1Gbps
.
Team Rebellion Member
- If we've helped you remember to applaud
marjohn56
Hero Member
Posts: 1701
Karma: 179
Re: Source & destination network options of firewall rules
«
Reply #5 on:
August 26, 2020, 05:54:52 pm »
Perhaps a practical example will help, I have 3 VLANs and a management LAN, all of them are LANs. Now, one of my VLANs is called IOT, that has all the things like webcams, doorbells, Amazon echo units etc etc. The main VLAN is QPVLAN, I don't want everything on the IOT LAN able to get to the QPVLAN, so I have a block rule that uses IOTVLAN net, i.e. anything in that VLAN is blocked from my QPVLAN; but, there is one device in there that I do want to allow access, so there is another rule, above the block rule which allows a single address on the IOTVLAN access to the QPVLAN, so the rule uses IOTVLAN address, and I enter the address of the device that is allowed. Inversely, anything on the QPVLAN, so I use QPVLAN net
can
access anything on the IOTVLAN.
If we did not have the ability to use LANx NET, and I wanted to block all of the devices on that LANx, I would have to enter 256 rules, one for each address!
Now does it make sense?
Logged
OPNsense 24.7
-
Qotom Q355G4
- ISP -
Squirrel 1Gbps
.
Team Rebellion Member
- If we've helped you remember to applaud
alexroz
Newbie
Posts: 43
Karma: 0
Re: Source & destination network options of firewall rules
«
Reply #6 on:
August 26, 2020, 06:26:59 pm »
Can you explain how does this rule work?
Pay attention to the destination....
(Source:
https://docs.opnsense.org/manual/how-tos/guestnet.html#block-local-networks
)
«
Last Edit: August 26, 2020, 08:04:06 pm by alexroz
»
Logged
marjohn56
Hero Member
Posts: 1701
Karma: 179
Re: Source & destination network options of firewall rules
«
Reply #7 on:
August 26, 2020, 08:49:37 pm »
This is for a captive portal setup. Where it refers to the GUESTNET address, that is the address of the Opensense GUESTNET interface. I think I can see where that's confused you, and it's probably my fault. I was referring to a LAN address not the actual Opnsense LANx address. So for example if the address you had set on the Opensense LANx address was 192.168.1.1, it would be that address.
Sorry for the confusion, I hope that clears it up for you.
Logged
OPNsense 24.7
-
Qotom Q355G4
- ISP -
Squirrel 1Gbps
.
Team Rebellion Member
- If we've helped you remember to applaud
alexroz
Newbie
Posts: 43
Karma: 0
Re: Source & destination network options of firewall rules
«
Reply #8 on:
August 26, 2020, 10:57:28 pm »
OK I fill like I finally got it.
According to pfSense related sources:
LAN address
: LAN interface IP address of corresponding firewall interface (e.g 192.168.1.1)
LAN net
: LAN network and other static routes configured on that interface (range of all available addresses for e.g 192.168.1.0/24)
These make your life easier because, if an address/network changes, you won’t have to alter the rule as the rule will be automatically updated to match the new address(es).
Sources:
https://resources.intenseschool.com/pfsense-series-firewall-rules/
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html#firewall-rule-basics
https://www.reddit.com/r/PFSENSE/comments/6vyqw3/what_is_the_difference_between_the_interface_net/
«
Last Edit: August 26, 2020, 11:02:31 pm by alexroz
»
Logged
marjohn56
Hero Member
Posts: 1701
Karma: 179
Re: Source & destination network options of firewall rules
«
Reply #9 on:
August 26, 2020, 11:21:12 pm »
Good... Those explain it better than I did.
Logged
OPNsense 24.7
-
Qotom Q355G4
- ISP -
Squirrel 1Gbps
.
Team Rebellion Member
- If we've helped you remember to applaud
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Source & destination network options of firewall rules