Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Opnsense newbie - firewall rules question
« previous
next »
Print
Pages: [
1
]
Author
Topic: Opnsense newbie - firewall rules question (Read 1873 times)
pankaj
Full Member
Posts: 117
Karma: 5
Opnsense newbie - firewall rules question
«
on:
February 14, 2021, 05:49:55 am »
Hi,
I am a user of pfSense and thinking of using Opnsense so decided to play with it on GNS3 just to get a hang of it:
See attached for a simple topology I created:
1. OPNSense machine where on LAN (em2), I created two VLans (10: Office and 20: Home)
2. Turned off DHCP on LAN and turned DHCP on VLAN10 (192.168.91.x) and VLAN20 (192.168.92.x)
3. Added a L2 switch in between and configured f0/4 as VLAN10, f0/5 as LAN20 and f0/3 as uplink
4. Added one PC to each VLAN and each of the PCs gets a correct DHCP address in the subnet assigned above
I was really thrilled till this point to make so much progress on my first attempt
Then tried following:
1. Ping PC1 from PC2 and vice versa - both sides worked, I was expecting it to be blocked as default rules should be "block all" so would appreciate if anyone can explain how this ping is going through when there are NO rules under VLAN10 or VLAN20.
2. Checked the rules under LAN and found "Allow All" rule - turned both of them off
3. The pings from PC1 and PC2 to each other stopped working
4. On VLAN10 added an outbound rule to allow any IPv4 protocol from VALN10 to VALN20, I was expecting the ping to work from PC1 to PC2 (based on pfSense experience) but it did not work
5. Under VLAN20 added an inbound rule to allow any IPv4 protocol into VLAN20 from VLAN10, surprisingly the ping from PC1 (on VLAN10) to PC2 (on VLAN20) still did not work.
So clearly I am doing something wrong here and would appreciate any pointers?
Thanks,
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Opnsense newbie - firewall rules question
«
Reply #1 on:
February 14, 2021, 06:23:47 am »
Regarding your firewall rules, you seem to have a bit of confusion regarding traffic direction matching.
This is explained in the docs, but essentially it is as follows (taking part of your configuration as an example):
traffic IN to VLAN10 interface would generally be coming
from
VLAN10 hosts
traffic OUT of VLAN10 interface would generally be going
to
VLAN10 hosts
Almost all of the time, you want to be configuring FW rules IN to an interface. So if you want a FW rule to allow VLAN10 hosts to access VLAN20 hosts, you would put a FW rule IN to VLAN10 interface, with source of VLAN10 net and destination of VLAN20 net.
Logged
pankaj
Full Member
Posts: 117
Karma: 5
Re: Opnsense newbie - firewall rules question
«
Reply #2 on:
February 14, 2021, 06:34:08 am »
@greelan thanks for your comments.
Yes I am little confused, UI of OPNSense seems better than PF but will take some time to sink in!!
The recommendation you made about the FW rule on VLAN10, I thought I was doing the same (see screenshot below). Is this not same as what you suggested? If not then this may be the the source of my problem.
Thanks.
«
Last Edit: February 14, 2021, 06:37:22 am by pankaj
»
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Opnsense newbie - firewall rules question
«
Reply #3 on:
February 14, 2021, 06:48:45 am »
Nope, that's an OUTbound rule. So basically it says allow traffic OUT of Office interface that is coming from Office net to Home net. But traffic coming OUT of Office interface would generally be going TO Office net, not from it.
Think of it as: OUT of an interface is going to hosts connected to that interface, and IN to an interface is coming from hosts connected to that interface.
IN and OUT always needs to be looked at from OPNsense/the firewall's point of view.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Opnsense newbie - firewall rules question