OPNsense as an internal firewall

Started by clopmz, July 14, 2023, 01:43:57 PM

Good morning,

Sorry to disturb with this, but I am totally lost. I am trying to set up an OPNsense firewall in my internal networks as an internal firewall. There is another OpenBSD firewall acting as the external firewall.

To use OPNsense as an internal firewall, I have disabled the "Block private networks" and "Block bogon networks" options on the WAN interface. Outbound NAT is also disabled. But two things happen:

- ALL traffic is accepted on WAN. It doesn't matter what rules I configure, all traffic is accepted. Always.
- Packets traversing the WAN interface are blocked back on the LAN interface.

An example (hn0 is the LAN interface):

00:00:00.000000 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:01.010020 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:00.030043 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:02.018105 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:00.031078 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0

And finally: if I disable the firewall completely with the command "pfctl -F all", everything works correctly (which makes me rule out a routing problem).

Any idea? My OPNsense firewall is release 23.1.11-amd64.
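The blocked records quoted above are in the format tcpdump prints for pflog entries (a header line with rule number, action, direction and interface, followed by an indented line with addresses, ports and TCP flags). The following is an added example, not code from the post or from the OPNsense project: it parses such records and sorts blocked TCP packets into two buckets. A blocked bare SYN points at a missing or non-matching pass rule, whereas a blocked packet that already carries ACK (a SYN-ACK like the ones above, or a mid-stream ACK) means pf holds no state for that flow on that interface, because a stateful pass rule restricted to SYN (the usual flags S/SA default) only creates state from the SYN. The sample log is constructed: the first two records mirror the post, the third is an invented pass record on an assumed second interface hn1 so that both actions are exercised.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in tcpdump's pflog output format. Records 1-2 mirror the post;
# record 3 is invented (interface name hn1 and rule number 5 are assumptions).
SAMPLE_LOG = """\
00:00:00.000000 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:01.010020 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:03.000000 rule 5/0(match): pass in on hn1: (tos 0x0, ttl 63, id 1234, offset 0, flags [DF], proto TCP (6), length 60)
    172.17.10.133.40000 > 172.17.10.5.22: Flags [S], cksum 0x1a2b (correct), seq 2917434528, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
"""

# Header line: timestamp, rule number/sub-rule, reason, action, direction, interface, protocol.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>block|pass|match) (?P<dir>in|out) on (?P<iface>[\w.]+): "
    r"\(.*?proto (?P<proto>\w+) \((?P<pnum>\d+)\)"
)
# Indented continuation line for TCP: src.port > dst.port: Flags [...]
TCP_RE = re.compile(
    r"^\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class PfRecord:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag letters, e.g. "S" for SYN, "S." for SYN-ACK, "." for ACK


def parse_pflog(text: str) -> List[PfRecord]:
    """Parse two-line TCP pflog records; lines that do not form a record are skipped."""
    lines = text.splitlines()
    records: List[PfRecord] = []
    i = 0
    while i < len(lines):
        h = HEADER_RE.match(lines[i])
        t = TCP_RE.match(lines[i + 1]) if (h and i + 1 < len(lines)) else None
        if not (h and t):
            i += 1
            continue
        records.append(PfRecord(
            ts=h["ts"], rule=int(h["rule"]), action=h["action"], direction=h["dir"],
            iface=h["iface"], proto=h["proto"], src=t["src"], sport=int(t["sport"]),
            dst=t["dst"], dport=int(t["dport"]), flags=t["flags"],
        ))
        i += 2
    return records


def classify_blocks(records: List[PfRecord]) -> Dict[str, Dict[Tuple[str, int, str], int]]:
    """Count blocked TCP packets per (interface, rule, flow), split by likely cause.

    missing_rule:  a bare SYN was blocked, so no pass rule matched the new connection.
    missing_state: a packet with ACK set was blocked, so pf had no state for the flow
                   on that interface (the SYN never created state there, or the state
                   expired or was flushed). Retransmissions show up as a count > 1.
    """
    out: Dict[str, Dict[Tuple[str, int, str], int]] = {"missing_rule": {}, "missing_state": {}}
    for r in records:
        if r.action != "block" or r.proto != "TCP":
            continue
        bucket = "missing_state" if "." in r.flags else "missing_rule"
        key = (r.iface, r.rule, f"{r.src}:{r.sport} -> {r.dst}:{r.dport}")
        out[bucket][key] = out[bucket].get(key, 0) + 1
    return out


if __name__ == "__main__":
    for bucket, flows in classify_blocks(parse_pflog(SAMPLE_LOG)).items():
        for (iface, rule, flow), n in flows.items():
            print(f"{bucket}: {n} packet(s) blocked in on {iface} by rule {rule}: {flow}")
```

Run against the post's lines, the two SYN-ACKs land in the missing_state bucket for hn0 / rule 10, which is the symptom to chase (which interface and rule the SYN actually passed on, and whether a state exists for the flow in pfctl -ss) rather than the LAN pass rules themselves.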

Can you explain more about your existing setup and what you're trying to accomplish? Is there a reason not to just replace the OpenBSD firewall with OPNsense? If not, then what is the purpose of using OPNsense in addition to the OpenBSD?