OPNsense Forum » Archive » 20.7 Legacy Series » Some basic firewall rules
Topic: Some basic firewall rules (Read 10763 times)
opnjester (Newbie, Posts: 14, Karma: 0)
Some basic firewall rules
on: December 15, 2020, 02:19:09 pm
Hello,
I've set up a nice working OPNsense router with DHCP, DNS, Sensei, IDS, ClamAV, WoL, and 3 interfaces (WAN, LAN-R, LAN-T).
Those are configured as 2 separate networks: LAN-R: 10.0.1.1 and LAN-T: 10.0.2.1.
Every network should be able to browse the internet and only some protocols should be open between both networks.
I'm just fighting with the firewall and I don't really understand how to configure it. I found some information here, but it never worked for me.
If I enable the standard rule "Default allow LAN to any rule" it works just fine.
So I disabled it and tried to figure out how to just allow browsing:
DNS is allowed and also working. But what should be the next rule to allow LAN-R to be able to browse the internet?
E.g. I did some testing with a printer webpage. The printer has the IP 10.0.2.30 and the computer wants to access it from LAN-R. But no chance :/ Also when choosing LAN-R as source.
Thank you very much
Regards
Last Edit: December 15, 2020, 04:50:20 pm by opnjester
chemlud (Hero Member, Posts: 2486, Karma: 112)
Re: Some basic firewall rules
Reply #1 on: December 15, 2020, 08:45:08 pm
The traffic is evaluated against the rules on the FIRST interface it hits. If allowed by a rule, a STATE will be created, automagically allowing the REPLY to pass back without needing a specific rule on any interface.
1. Never have any ALLOW rules on WAN (unless you know exactly why you need it).
2. If a client in LAN1 wants to reach a client on LAN2 (let's say: a samba server) you need an ALLOW rule on LAN1 for source (IP of the source client, port: any) to target (IP of the client in LAN2, port 445).
Last Edit: December 15, 2020, 08:47:28 pm by chemlud
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
opnjester (Newbie, Posts: 14, Karma: 0)
Re: Some basic firewall rules
Reply #2 on: December 16, 2020, 02:35:57 am
Hello chemlud,
yes, the rules are only created on the LAN interfaces.
So a rule like the one in the attachment (HTTP Test) should work? Here it's not working.
10.0.1.82 is the IP of my PC in LAN1 and 10.0.2.20 is the IP of a printer in LAN2.
I really don't know where my error is.
Regards
chemlud (Hero Member, Posts: 2486, Karma: 112)
Re: Some basic firewall rules
Reply #3 on: December 16, 2020, 09:32:56 am
Allow LANnet to "LAN address" port 53 as the first rule. Reboot. Test again and tell us how you try to access port 80 of the printer and what EXACTLY happens then...
kind regards
chemlud
opnjester (Newbie, Posts: 14, Karma: 0)
Re: Some basic firewall rules
Reply #4 on: December 17, 2020, 12:56:40 am
Hi,
sorry, my fault. I didn't check that the printer does a redirect to port 443. So that's working fine now.
But I still need to find out what should be open in order to be able to access the internet.
So with this default rule (IPv4 * LAN_R net * * * * * Default allow LAN to any rule) it's working.
But I don't want everything to be open to everywhere.
I want to access the internet from LAN_R net and block access to LAN_T.
I tried
IPv4 * LAN_R net * WAN address * * *
IPv4 * LAN_R net * WAN net * * *
IPv4 * LAN_R net * This Firewall * * *
But nothing is working.
The rule to access DNS is working though:
IPv4 TCP/UDP LAN_R net * This Firewall 53 (DNS) * *
So DNS is working, but that's it.
Thanks in advance.
Regards
Gauss23 (Hero Member, Posts: 766, Karma: 39)
Re: Some basic firewall rules
Reply #5 on: December 17, 2020, 06:37:13 am
I always create an alias with all my local networks. Then I add a firewall rule using this alias as destination and tick "destination invert". There is no "Destination WAN" alias, so this is the nearest I could get. This means that you need to keep this alias updated as soon as a new network is added.
„The S in IoT stands for Security!“
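Added example, my own code and not something posted in the thread or shipped by OPNsense: a small Python model of the behaviour chemlud describes in reply #1 (rules are checked on the interface the traffic enters, first match wins, and an allow creates a state that lets the reply back in on any interface without a rule there) combined with the ruleset Gauss23 suggests (an alias of all local networks used as an inverted destination, plus the DNS rule and the PC-to-printer rule from the thread). It assumes, since the page does not say so, that OPNsense rules are first-match and that "This Firewall" resolves to the firewall's own interface addresses; NAT is ignored. The firewall's WAN address 203.0.113.2 and the internet host 198.51.100.10 are constructed values, the 10.0.1.x and 10.0.2.x addresses are the thread's own. The last function shows why the "LAN_R net to WAN address" attempt from reply #4 cannot reach the internet: "WAN address" is only the firewall's own WAN IP, not the networks behind it.

```python
"""Added example, not code from the thread or from OPNsense: a toy model of
stateful first-match rule evaluation for the ruleset discussed above.
Assumptions (mine, not the page's): rules are first-match, the state table is
checked before the rules, "This Firewall" means the interface addresses, NAT is
ignored.  203.0.113.2 (WAN address) and 198.51.100.10 (internet host) are made up."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Net = ipaddress.IPv4Network
LAN_R_NET = [Net("10.0.1.0/24")]
LAN_T_NET = [Net("10.0.2.0/24")]
WAN_ADDRESS = [Net("203.0.113.2/32")]                      # the firewall's own WAN IP only
THIS_FIREWALL = [Net("10.0.1.1/32"), Net("10.0.2.1/32")] + WAN_ADDRESS
LOCAL_NETS = LAN_R_NET + LAN_T_NET   # Gauss23's alias; extend it whenever a network is added

@dataclass
class Rule:
    iface: str                    # interface the rule is bound to (traffic enters here)
    src: List[Net]
    dst: List[Net]
    dport: Optional[int] = None   # None = any port
    proto: str = "any"            # "any", "tcp", "udp" or "tcp/udp"
    invert_dst: bool = False      # the "Destination / invert" checkbox
    descr: str = ""

    def matches(self, p: dict) -> bool:
        if p["iface"] != self.iface:
            return False
        if self.proto != "any" and p["proto"] not in self.proto.split("/"):
            return False
        if not any(p["src"] in n for n in self.src):
            return False
        dst_hit = any(p["dst"] in n for n in self.dst)
        if dst_hit == self.invert_dst:        # invert flips the destination test
            return False
        return self.dport is None or p["dport"] == self.dport

def packet(iface, proto, src, sport, dst, dport) -> dict:
    return {"iface": iface, "proto": proto, "src": ipaddress.IPv4Address(src),
            "sport": sport, "dst": ipaddress.IPv4Address(dst), "dport": dport}

class Firewall:
    """Rules of the entry interface, first match wins, default deny, stateful."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Set[Tuple] = set()

    @staticmethod
    def _key(p, reverse=False) -> Tuple:
        if reverse:
            return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    def evaluate(self, p: dict) -> str:
        # A reply to an existing state passes on whichever interface it enters,
        # with no rule needed there (chemlud's point in reply #1).
        if self._key(p) in self.states or self._key(p, True) in self.states:
            return "pass (state)"
        for rule in self.rules:
            if rule.matches(p):
                self.states.add(self._key(p))
                return f"pass ({rule.descr})"
        return "block (default deny)"

RULES = [
    Rule("LAN_R", LAN_R_NET, THIS_FIREWALL, 53, "tcp/udp", descr="LAN_R DNS"),
    Rule("LAN_R", [Net("10.0.1.82/32")], [Net("10.0.2.20/32")], 443, "tcp", descr="PC to printer"),
    Rule("LAN_R", LAN_R_NET, LOCAL_NETS, invert_dst=True, descr="LAN_R to internet"),
    Rule("LAN_T", LAN_T_NET, THIS_FIREWALL, 53, "tcp/udp", descr="LAN_T DNS"),
    Rule("LAN_T", LAN_T_NET, LOCAL_NETS, invert_dst=True, descr="LAN_T to internet"),
]   # and no allow rules on WAN (chemlud's rule 1)

def run_scenarios() -> dict:
    fw = Firewall(RULES)           # evaluated in order, so states carry over
    return {
        "dns":              fw.evaluate(packet("LAN_R", "udp", "10.0.1.82", 50000, "10.0.1.1", 53)),
        "printer":          fw.evaluate(packet("LAN_R", "tcp", "10.0.1.82", 50001, "10.0.2.20", 443)),
        "printer_reply":    fw.evaluate(packet("LAN_T", "tcp", "10.0.2.20", 443, "10.0.1.82", 50001)),
        "other_lan_t_host": fw.evaluate(packet("LAN_R", "tcp", "10.0.1.82", 50002, "10.0.2.30", 80)),
        "internet":         fw.evaluate(packet("LAN_R", "tcp", "10.0.1.82", 50003, "198.51.100.10", 443)),
        "internet_reply":   fw.evaluate(packet("WAN", "tcp", "198.51.100.10", 443, "10.0.1.82", 50003)),
        "lan_t_to_pc":      fw.evaluate(packet("LAN_T", "tcp", "10.0.2.20", 50004, "10.0.1.82", 445)),
        "wan_unsolicited":  fw.evaluate(packet("WAN", "tcp", "198.51.100.10", 50005, "203.0.113.2", 22)),
    }

def wan_address_rule_hits_internet() -> bool:
    """Reply #4's 'LAN_R net -> WAN address' attempt: that destination is the
    firewall's own WAN IP, so an internet-bound packet never matches it."""
    rule = Rule("LAN_R", LAN_R_NET, WAN_ADDRESS, descr="LAN_R to WAN address")
    return rule.matches(packet("LAN_R", "tcp", "10.0.1.82", 50006, "198.51.100.10", 443))

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
    print("WAN-address rule matches internet traffic:", wan_address_rule_hits_internet())
```

Running it prints one verdict per scenario: DNS and the printer are allowed by their specific rules, the printer's reply and the internet reply pass on the state alone, a second LAN_T host and unsolicited traffic from LAN_T or WAN are blocked, and the inverted-alias rule is the only one that lets LAN_R reach a public address. The model is first-match only; an OPNsense rule with "quick" unticked, or a floating rule, would need extra handling, and the alias must be extended whenever a network is added or the new network becomes reachable as "internet".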