[SOLVED] Block all internet traffic, but allow a single domain

Started by walterwampe, August 29, 2022, 10:52:44 AM

Hi,
as the title implies, I am trying to block all internet access for specific devices which I have set an alias for already.
I could deduce the settings from another thread for that.
Namely it was this one, somebody might remember...
https://forum.opnsense.org/index.php?topic=6471.15

Now I want to allow this device to reach one specific domain (openstreetmaps), but I am unsure how to do that.

For now this is my LAN FW rule to block all, which is on position 1:

Action: Block
Disabled: (unchecked)
Interface: LAN
TCP/IP Version: IPv4 + IPv6
Protocol: any
Source / Invert: (unchecked)
Source: The alias of the devices in question
Destination / Invert: (checked)
Destination: LAN net
followed by default LAN rules:
- position 2: Default allow LAN to any rule: allow IPv4 LAN net * *
- position 3: Default allow LAN IPv6 to any rule : allow IPv6 LAN net * *

As far as my understanding goes so far, I have to add another rule on top of my #1 (block internet) rule to allow a destination alias.

So I created an alias for the domain openstreetmaps.org:
Type: URL(IPs)
Content: openstreetmap.org

And another rule to allow traffic to this URL:
Action: Pass
Disabled: (unchecked)
Quick: (checked)
Interface: LAN
TCP/IP Version: IPv4 + IPv6
Protocol: any
Source / Invert: (unchecked)
Source: The alias of the devices in question
Destination / Invert: (unchecked)
Destination: Alias of Openstreetmaps
You can already guess it... it is not working.
Could you please help me? What am I missing?

Thank you a lot for your time!

August 29, 2022, 04:32:43 PM #1 Last Edit: August 29, 2022, 04:45:30 PM by Spoonman2002
Put these two rules on top (above the rest):

Action: Pass
Disabled: (unchecked)
Interface: LAN
TCP/IP Version: IPv4 + IPv6
Protocol: any
Source / Invert: (unchecked)
Source: LAN
Destination / Invert: (unchecked)
Destination: your_DNS_server

Action: Pass
Disabled: (unchecked)
Interface: LAN
TCP/IP Version: IPv4 + IPv6
Protocol: any
Source / Invert: (unchecked)
Source: LAN
Destination / Invert: (unchecked)
Destination: your_streetmap_alias

Then disable the Allow any to any rule (at the bottom).
Remember, OPNsense blocks all by default.

And I use "Host(s)" in the alias config, not URL.
(When using a fully qualified domain name, the name will be resolved periodically (default is each 300 seconds).
see: https://docs.opnsense.org/manual/aliases.html)

- Done.
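To see why the ordering and the alias type matter, here is a small first-match evaluator over both rule tables, added as an example and not code from the thread or from OPNsense. The LAN subnet, the device, the DNS server and the addresses the openstreetmap alias resolves to are constructed placeholders; the empty set stands for a URL(IPs) alias that was given a web page instead of an IP list.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses (assumptions, not values from the thread).
LAN_NET = ip_network("192.168.1.0/24")
DEVICES = {ip_address("192.168.1.50")}      # the OP's alias of restricted devices
DNS_SERVER = {ip_address("192.168.1.1")}    # "your_DNS_server"
OSM_HOSTS = {ip_address("203.0.113.10")}    # a Host(s) alias after periodic resolution
OSM_URL_IPS = set()                         # a URL(IPs) alias fed a web page: no IPs parsed
ANY = None                                  # "*" in the rule table


def matches(ip, members, invert=False):
    """Does ip fall in the alias/network, honouring the 'Invert' checkbox?"""
    hit = True if members is ANY else ip in members
    return hit != invert


def rule(action, src, dst, src_invert=False, dst_invert=False):
    return {"action": action, "src": src, "src_invert": src_invert,
            "dst": dst, "dst_invert": dst_invert}


def evaluate(rules, src, dst):
    """First matching rule wins (interface rules are 'quick' by default);
    with no match the traffic falls through to the implicit default deny."""
    for r in rules:
        if matches(src, r["src"], r["src_invert"]) and matches(dst, r["dst"], r["dst_invert"]):
            return r["action"]
    return "block"


# The OP's table: the pass rule sits on top as intended, but its alias is type URL(IPs)
OP_RULES = [
    rule("pass", DEVICES, OSM_URL_IPS),
    rule("block", DEVICES, LAN_NET, dst_invert=True),  # "Destination / Invert" checked
    rule("pass", LAN_NET, ANY),                        # default allow LAN to any
]

# Spoonman2002's table: DNS and the Host(s) alias first, default allow-any disabled.
# Note that with allow-any off, every LAN host is limited to those two destinations.
REPLY_RULES = [
    rule("pass", LAN_NET, DNS_SERVER),
    rule("pass", LAN_NET, OSM_HOSTS),
    rule("block", DEVICES, LAN_NET, dst_invert=True),
]


def check(rules, src, dst):
    """Convenience wrapper taking dotted-quad strings."""
    return evaluate(rules, ip_address(src), ip_address(dst))
```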