OPNsense Forum » English Forums » General Discussion
Topic: OPNsense as an internal firewall (Read 874 times)
clopmz
Newbie
Posts: 21
Karma: 1
OPNsense as an internal firewall
« on: July 14, 2023, 01:43:57 pm »
Good morning,
Sorry to disturb you with this, but I am totally lost. I am trying to set up an OPNsense firewall in my internal networks as an internal firewall. There is another OpenBSD firewall acting as the external firewall.
To use OPNsense as an internal firewall, I have disabled the "Block private networks" and "Block bogon networks" options on the WAN interface. Outbound NAT is also disabled. But two things happen:
- ALL traffic is accepted on WAN. It doesn't matter what rules I configure, all traffic is accepted. Always.
- Packets traversing the WAN interface are blocked back on the LAN interface.
An example (hn0 is the LAN interface):
00:00:00.000000 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:01.010020 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:00.030043 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:02.018105 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:00.031078 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
And finally: if I disable the firewall completely with the command "pfctl -F all", everything works correctly (which makes me rule out a routing problem).
Any idea? My OPNsense firewall is release 23.1.11-amd64.
CJ
Hero Member
Posts: 832
Karma: 30
Re: OPNsense as an internal firewall
« Reply #1 on: July 14, 2023, 03:03:52 pm »
Can you explain more about your existing setup and what you're trying to accomplish? Is there a reason not to just replace the OpenBSD firewall with OPNsense? If not, then what is the purpose of using OPNsense in addition to the OpenBSD one?
Have Answer, Will Blog