Topic: configuration for stateful FW rules (Read 1419 times)
Onkel-tobi (Newbie, Posts: 17, Karma: 0) on June 14, 2023, 06:14:15 am:
Hi all,
I am just wondering why I have to create rules for the way back.
I have 6 ports (1 WAN, 5 different ports with 8 VLANs in all) configured.
For each VLAN a single gateway is configured (is that really needed, as it seems to make no difference?).
Then I have created default block rules for incoming traffic.
Now I want to access an HTTP site from VLAN A to B and created a rule for that.
But in the log I can now see that in this example traffic is going to VLAN B but then it is blocked on interface B on going out.
I thought that by default the way OPNsense is doing it would be stateful, so if a client from VLAN A is initiating the traffic I don't need to create rules for the way back?
Does anyone have a hint on that?
Thanks,
Tobi
Last Edit: June 16, 2023, 11:40:08 am by Onkel-tobi
chemlud (Hero Member, Posts: 2486, Karma: 112), Reply #1 on June 14, 2023, 10:45:54 am:
Stateful means: the reply is allowed OOTB. Best guess without screenshots: rules on the wrong interface and/or in the wrong direction (in/out)...
Onkel-tobi (Newbie, Posts: 17, Karma: 0), Reply #2 on June 16, 2023, 08:58:31 am:
Sorry, I was only on mobile and away.
After further investigation I found out the following:
If you look at the attached block entry you can see that the request is not coming from the client net as source but from the GW address of the "dreck" network.
I also added the rules for the clientVLAN, which is the network of my client PC, and am trying to access an address (192.168.177.60) in the dreck VLAN.
Regards,
Tobi
chemlud (Hero Member, Posts: 2486, Karma: 112), Reply #3 on June 16, 2023, 09:06:47 am:
The last FW and "HAnet" rules on Dreck are wrong, the direction has to be "in", not "out"... Don't use "out" rules (unless you 100% know what you are doing...), in 99.99% of the use cases it's the wrong choice...
Onkel-tobi (Newbie, Posts: 17, Karma: 0), Reply #4 on June 16, 2023, 09:09:20 am:
Thanks for your answer.
I wanted to deny all traffic by default out of the dreck network.
So how should I best do that?
Or is it that this will be done by the default deny?
Last Edit: June 16, 2023, 09:16:33 am by Onkel-tobi
Patrick M. Hausen (Hero Member, Posts: 6841, Karma: 574), Reply #5 on June 16, 2023, 09:14:27 am:
Interface: dreck
Source: any
Destination: any
Direction: in
Action: deny
Or simply no rule on that interface at all, because deny is the default.
In/out is to be read as seen by the firewall. A packet originating in the "dreck" network is coming "in" on the "dreck" interface.
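The rules discussed in this thread, written out in pf syntax (roughly what OPNsense generates and what `pfctl -sr` prints on the box), as an added example that is not part of the original posts. The interface names igb1_vlan10 (for "dreck") and igb1_vlan20 (for the clientVLAN) and the client subnet 192.168.20.0/24 are assumptions; 192.168.177.60 is the dreck-side host mentioned in the thread. OPNsense GUI rules are generated as "quick" rules by default, which is why the first matching rule wins here.

```pf
# Added example, not from the thread. Interface names and the client subnet are assumed.

# Wrong: an "out" rule on the dreck interface matches packets the firewall is sending
# OUT of that interface, i.e. forwarded traffic that another VLAN was already allowed
# to send towards dreck. It says nothing about hosts in dreck initiating connections.
# block out quick on igb1_vlan10 inet from any to any

# Right: traffic originating in the dreck network arrives IN on the dreck interface.
# This duplicates the implicit default deny; keep it only if you want the blocks logged
# under your own label.
block in log quick on igb1_vlan10 inet from any to any label "deny all from dreck"

# Client VLAN -> dreck host, TCP port 80. Stateful: the state entry created by this
# rule also passes the reply packets coming back in on igb1_vlan10, so no rule for
# the "way back" is needed anywhere.
pass in quick on igb1_vlan20 inet proto tcp from 192.168.20.0/24 to 192.168.177.60 port 80 flags S/SA keep state label "client to dreck http"
```

To verify on the firewall shell: `pfctl -sr` lists the loaded rules with their interface and direction, and `pfctl -ss | grep 192.168.177.60` shows the state entry once the client has connected; a reply packet that is passed by that state never reaches rule evaluation, which is what "stateful" buys you. One caveat from the second post: if the logged source of the blocked packet is the firewall's own address on the dreck interface rather than the client, traffic is being translated on the way out of that interface, so check Firewall > NAT > Outbound for a rule (automatic or manual) covering that interface; a gateway configured on an internal VLAN, as the first post describes, is one common way such a NAT rule appears.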
Onkel-tobi (Newbie, Posts: 17, Karma: 0), Reply #6 on June 16, 2023, 09:18:24 am:
Ah ok, that was overlapping. Yes, great.
After I disabled that rule and checked the logs, I can confirm that the traffic from the client to the dreck device is working and the default deny also works for everything else.
Thanks for your support!