Is Multi-WAN + Whitelist firewall + DNS-over-TLS possible?

Started by lar.hed, November 28, 2020, 07:53:19 PM

So I have been struggling a bit more than I expected...

Let's start with what was: I used to have a 6-ethernet OPNsense box, and used OPNsense 20.1 - most of what I listed in the subject worked, except failover in multi-WAN. I never got to solve that problem, which I think was a firewall problem, since my hardware simply died on me one day.

It took some time to replace that hardware, and now I'm using a Qotom-Q878GE. Way over-powered for my usage but I am a nerd after all, so that is ok 8)

Anyway, with 20.7 installed, and trying to rebuild my old OPNsense from scratch, I feel I am struggling more than I like. It is simple things like multi-WAN failover that do not work (yes, I did make the mistake of connecting two ethernet cables to the same switch to simulate failover a bit more easily - corrected that with my LTE modem installed), or DNS resolution that simply refuses, or I have to reboot OPNsense for every firewall rule change I make since just applying it will make no difference, and don't even start talking about trying to forward all DNS requests from clients on LAN to Unbound inside OPNsense - and never mind the DNS-over-TLS that I am trying to get working.

And to top it all, I like to keep a tight network, so I like to whitelist what goes out from the WAN interfaces. I just learned that is not possible since internal stuff doesn't pass the packet filter firewall. But dpinger seems to.

Anyway, what I need to know, so to speak, is: has anyone else even tried what I am doing? Or am I alone?

PS! My old ASUS RX88 firewall router, which for the moment handles my network here at home, does all of the above - so I know that it is possible, just don't know if OPNsense can?

I will answer this myself: NO - it is not.

OPNsense does not allow or work with any kind of filtering on the WAN interface. Adding rules, even simple things like allowing HTTP, HTTPS, NTP and SMTP/S outbound - this will kill the internet connection, and I have not even added any blocking rules - just 4 simple allow outbound rules, and from that moment I lose internet connection.

Not sure that is how I would design a firewall, however this is how 20.7.5 works.
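As an added illustration (not from either post, and not an OPNsense-generated ruleset), here is the outbound allow list the reply describes written in the pf syntax OPNsense drives on FreeBSD, extended with the two exceptions the first post's setup also depends on: Unbound's DNS-over-TLS forwarding (TCP 853) and dpinger's ICMP gateway probes. The interface name and the addresses are placeholders; OPNsense regenerates its own rules from the GUI, so this is a model of the rule semantics, not a file to install.

```pf
# Added example, not from the thread. Placeholders: $wan is the WAN
# interface, $dot_resolvers the servers Unbound forwards DoT queries to,
# $gw_monitor the address dpinger probes for gateway health.
wan = "igb0"
dot_resolvers = "{ 192.0.2.10, 192.0.2.11 }"   # placeholder addresses (RFC 5737)
gw_monitor = "192.0.2.1"                        # placeholder probe target

# Default deny outbound on WAN. No "quick" here, so the "pass ... quick"
# rules below take precedence for the traffic they match.
block out log on $wan all

# Gateway monitoring: dpinger sends ICMP echo requests. Without this
# exception multi-WAN failover sees the gateway as down.
pass out quick on $wan inet proto icmp from ($wan) to $gw_monitor \
    icmp-type echoreq keep state

# Unbound DNS-over-TLS: TCP 853, restricted to the configured forwarders.
pass out quick on $wan inet proto tcp from ($wan) to $dot_resolvers \
    port 853 flags S/SA keep state

# The four services from the reply: HTTP, HTTPS, NTP, SMTP/S.
pass out quick on $wan inet proto tcp from ($wan) to any \
    port { 80, 443, 25, 465, 587 } flags S/SA keep state
pass out quick on $wan inet proto udp from ($wan) to any port 123 keep state
```

Because NAT is applied before outbound filtering on the WAN interface, `from ($wan)` also covers LAN clients' translated traffic; logging on the block rule makes any further service the whitelist is missing show up in the firewall log rather than as silent connectivity loss.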