Firewall pass rules don't work

[tvtr]

Hi,
I'm trying to use the OPNsense firewall. When I use Block rules everything works as expected (for example if I block everything except 100.100.100.100, all of the traffic will be blocked except this IP).
But when I block everything and use the pass rule to allow 100.100.100.100, the packet is allowed (as I can see in the logs), but I get no response. The pass rule is set to quick and I can see it in the logs. I made a pass rule to allow the specific IP to communicate inbound (not only unbound), but there is no log for the inbound packet (it's like the router "absorbed" it in the unbound rule).

Thank you in advance!

[chemlud]

Is the PASS rule above the BLOCK ALL rule? Show a screen shot of the Interface + rules...

[meyergru]

Yes, I found that also to be true: OpnSense firewall rules are essentially worthless because they do not work at all!



No, seriously, you essentially give no information:

1. You do not show your rules, if they are inbound or outbound, what order and whatnot.
2. You do not specify any networks or interfaces or from what client you try to reach what.
3. I can only assume that 100.100.100.100 is a stand-in for a real address - as such, it is a bogon address which may get filtered by a checkbox ("Block bogon networks") in the interface section.

[tvtr]

Yes, I found that also to be true: OpnSense firewall rules are essentially worthless because they do not work at all!



No, seriously, you essentially give no information:

1. You do not show your rules, if they are inbound or outbound, what order and whatnot.
2. You do not specify any networks or interfaces or from what client you try to reach what.
3. I can only assume that 100.100.100.100 is a stand-in for a real address - as such, it is a bogon address which may get filtered by a checkbox ("Block bogon networks") in the interface section.

Is the PASS rule above the BLOCK ALL rule? Show a screenshot of the Interface + rules...

The 100.100.100.100 IP was just for example, it can be any IP, like in the screenshot.
I have a router that has two interfaces, one for its LAN and one for its WAN.
The LAN Subnet is 192.168.1.1/24
The WAN Subnet is 192.168.100.1/24

I want to block all communications to the WAN except certain IPs.
In the screenshot, I blocked everything except the allowed_servers alias (this rule works perfectly), but the pass rule doesn't work... I don't know why

By the way, I disabled the "block private networks" rule in the WAN settings, and I removed the "default deny" rule.

[tvtr]

This is the firewall log (I filtered only requests to/from the IP that is allowed using the pass rule), and a screenshot of the ping from CMD

[tvtr]

.

[chemlud]

This is all so wrong that even the opposite is not correct... start from scratch with search terms "stateful firewall", "in" and "out" for sense fw rules etc. pp....

[tvtr]

This is all so wrong that even the opposite is not correct... start from scratch with search terms "stateful firewall", "in" and "out" for sense fw rules etc. pp....

What do you mean by "this is all wrong"? if you refer to the Block all except allowed_servers rule, I know it shouldn't be like this, it was just a temporary solution because the PASS rules don't work.

[bimbar]

This is all so wrong that even the opposite is not correct... start from scratch with search terms "stateful firewall", "in" and "out" for sense fw rules etc. pp....

What do you mean by "this is all wrong"? if you refer to the Block all except allowed_servers rule, I know it shouldn't be like this, it was just a temporary solution because the PASS rules don't work.

Best start out with only using "in" rules, please delete all "out" rules as a first step.