Topic: Firewall: OPT1<>LAN (Read 2187 times)
m11r (Newbie, Posts: 4, Karma: 0)
Firewall: OPT1<>LAN
« on: October 28, 2023, 09:16:07 am »
Hi,
maybe a general question.
Following basic setup, fresh installation:
LAN interface, 192.168.1.1/24
OPT1 interface, 10.0.0.1/24
Only firewall rules on both:
automatically generated rules
IPv4+IPv6, source [interface], destination *, action pass
(Default allow LAN to any rule)
Now a client from LAN can reach any IP from OPT1. But why? Don't I need to create a rule to allow that - e.g. ~"allow all incoming on OPT1 from LAN"?
I'm planning to create multiple interfaces (VLANs) for clients, guests, DMZ, printers, cameras, ... - what is the way to go, for example, if I want to block guests from accessing LAN: create a rule in Guest with LAN as target, or create a rule in LAN with Guest as source? And repeat that for other isolated networks? Or am I missing something?
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1554, Karma: 172)
Re: Firewall: OPT1<>LAN
« Reply #1 on: October 28, 2023, 09:21:23 am »
https://forum.opnsense.org/index.php?topic=36285.msg176938#msg176938
Just ignore the things about the gateway. I'm sure this will help you.
Hardware: DEC740
m11r (Newbie, Posts: 4, Karma: 0)
Re: Firewall: OPT1<>LAN
« Reply #2 on: October 28, 2023, 09:47:29 am »
Thanks! I get that I can create an inverted rule to allow anything but RFC1918. This works as expected.
But why does LAN allow incoming from OPT1? Which rule does apply here (specifically by the LAN side?)
Wouldn't it be safer to deny all incoming on LAN than deny outgoing from OPT1?
The GUI says "Everything that is not explicitly passed is blocked by default." - Sorry for my confusion, I don't understand which rule explicitly passes incoming traffic on LAN1...
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1554, Karma: 172)
Re: Firewall: OPT1<>LAN
« Reply #3 on: October 28, 2023, 09:49:14 am »
LAN allows incoming from OPT1 because you probably created a rule in OPT1 allowing "any destination." If you create the inverted rules as allow rules to the internet, (on each interface), they don't include your other subnets connected to the firewall.
Thus the last matching default deny rule will match (which the GUI references as the default block rule) and OPT1 can't reach LAN anymore.
« Last Edit: October 28, 2023, 09:52:03 am by Monviech »
Hardware: DEC740
m11r (Newbie, Posts: 4, Karma: 0)
Re: Firewall: OPT1<>LAN
« Reply #4 on: October 28, 2023, 09:56:39 am »
Yes, I allow OPT1 *to* any destination. But where does it say (in LAN): "allow LAN *from* any destination"? Or am I completely misunderstanding a basic concept?
Both interfaces just have "allow to any" as the only rule - I'm missing the origin of the "allow from" rule, which I thought would have to be applied.
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1554, Karma: 172)
Re: Firewall: OPT1<>LAN
« Reply #5 on: October 28, 2023, 10:02:22 am »
You are misunderstanding the concept. If you allow Direction "in" on OPT1 to "destination any" the packet is delivered directly to the destination without passing through the "LAN" interface and matching additional rules. It just goes straight to the destination.
https://forum.opnsense.org/index.php?topic=36326.0
The traffic would go "in" the OPT1 interface, and "out" of the LAN interface. But the general concept is not to use out rules because they mess with the states. You just filter everything ingress.
« Last Edit: October 28, 2023, 10:06:13 am by Monviech »
Hardware: DEC740
m11r (Newbie, Posts: 4, Karma: 0)
Re: Firewall: OPT1<>LAN
« Reply #6 on: October 28, 2023, 10:12:14 am »
… it clicked, thank you very much! Finally it makes sense to me.
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1554, Karma: 172)
Re: Firewall: OPT1<>LAN
« Reply #7 on: October 28, 2023, 10:14:29 am »
Great, happy I could help.
Hardware: DEC740
Seimus (Hero Member, Posts: 598, Karma: 58)
Re: Firewall: OPT1<>LAN
« Reply #8 on: October 28, 2023, 11:58:09 am »
To add on the invert rules, it's a fancy way to allow certain things. For example, if you have a VLAN/network that you want to only allow to the internet yet block from accessing your LAN, you can do something like this:
1. Create an alias with the private subnet space
2. Create a rule and put that alias as destination
3. Click the invert in the destination section: "Use this option to invert the sense of the match."
You can see in my example - the VLAN net is a GROUP of several interfaces, this way I can push one rule onto multiple interfaces without the need to configure on each interface separately.
Also, if you are not aware, it is good to understand the flow and order of rules:
https://docs.opnsense.org/manual/firewall.html#processing-order
System > Floating > Interface group > Interface
Regards,
S.
« Last Edit: October 28, 2023, 12:03:18 pm by Seimus »
Networking is love. You may hate it, but in the end, you always come back to it.
OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G -
VM HA(SOON)
N100 - i226-V | Crucial 16G 4800 DDR5 | S 980 500G -
PROD
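As an added illustration (not code from this thread or from OPNsense itself), here is a small Python model of the evaluation logic the replies describe: rules are consulted only on the ingress interface, in Floating > Interface group > Interface order, the first match wins, and anything unmatched hits the default deny. The interface group name "GuestGroup" and all addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RFC1918 alias, as Seimus suggests building in the GUI.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    iface: str                 # ingress interface, interface group, or "floating"
    action: str                # "pass" or "block"
    src: str = "any"           # source network, or "any"
    dst: list = field(default_factory=list)  # destination networks; empty == any
    invert_dst: bool = False   # the GUI's "invert the sense of the match"
    label: str = ""

def matches(rule, src, dst):
    if rule.src != "any" and ip_address(src) not in ip_network(rule.src):
        return False
    if not rule.dst:
        return True
    in_dst = any(ip_address(dst) in n for n in rule.dst)
    return in_dst != rule.invert_dst

def evaluate(ruleset, groups, ingress, src, dst):
    """First-match evaluation on the ingress interface only (quick rules).
    The egress interface's rules are never consulted, which is why an
    'allow to any' on OPT1 reaches LAN without any LAN 'allow from' rule."""
    scopes = ["floating", *groups.get(ingress, []), ingress]
    for scope in scopes:
        for rule in ruleset:
            if rule.iface == scope and matches(rule, src, dst):
                return rule.action, rule.label
    return "block", "default deny"

# Constructed scenario 1: the original poster's setup, "allow to any" on both.
ALLOW_ANY = [
    Rule("LAN", "pass", label="Default allow LAN to any"),
    Rule("OPT1", "pass", label="allow OPT1 to any"),
]
# Constructed scenario 2: OPT1 sits in an interface group whose only pass
# rule is destination !RFC1918, so only internet-bound traffic matches.
INTERNET_ONLY = [
    Rule("LAN", "pass", label="Default allow LAN to any"),
    Rule("GuestGroup", "pass", dst=RFC1918, invert_dst=True, label="allow !RFC1918"),
]
GROUPS = {"OPT1": ["GuestGroup"]}  # hypothetical group membership

if __name__ == "__main__":
    print(evaluate(ALLOW_ANY, {}, "OPT1", "10.0.0.50", "192.168.1.20"))
    print(evaluate(INTERNET_ONLY, GROUPS, "OPT1", "10.0.0.50", "192.168.1.20"))
    print(evaluate(INTERNET_ONLY, GROUPS, "OPT1", "10.0.0.50", "203.0.113.7"))
```

Note that in scenario 2 the LAN side still passes traffic toward OPT1 because LAN's own ingress rule is "allow to any"; if LAN should not reach the guest network either, the same inverted rule belongs on LAN.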