Floating Rule Interface Invert

Started by gareththered, April 23, 2024, 10:49:59 PM

April 23, 2024, 10:49:59 PM Last Edit: April 24, 2024, 08:36:12 AM by gareththered
I'm trying to allow DNS queries to my router, but not from the WAN interface.

To do this I've created a floating rule which allows TCP & UDP port 53 in.  However, this also allows it on the WAN interface, which I don't want.

I therefore added the WAN interface to the rule's 'Interface' field and selected 'Invert'.  This blocked DNS on all interfaces, not just the WAN.

While I've worked around this by reverting to all interfaces and setting the 'Source' to an alias consisting of local networks, I'd like to know why this doesn't work by inverting the interface.

Below is an extract from rules.debug which I've grepped on the interface (re0) and edited to remove the NAT entries:

# block in log quick on re0 inet from {<bogons>} to {any} label "a785cde4d07ef9d5492b2752d6f3674c" # Block bogon IPv4 networks from ONT
# block in log quick on re0 inet6 from {<bogonsv6>} to {any} label "1abb3c3b8584670c042452464f78d963" # Block bogon IPv6 networks from ONT
# block in log quick on re0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "b6e046ea0da3e8b5479bb57aa34db5b1" # Block private networks from ONT
# block in log quick on re0 inet6 from {fc00::/7} to {any} label "fb42f48e27b4fd4647cd998434aea4d7" # Block private networks from ONT
pass out route-to ( re0 <next hop>) from {(re0)} to {!(re0:network)} keep state allow-opts label "f6dc4c3fe096989ac6d4a2c85cd16c64" # let out anything from firewall host itself (force gw)
pass in quick on  ! re0 reply-to ( re0 <next hop> ) inet proto {tcp udp} from {any} to {(self)} port {53} keep state label "f7314d8b59355b1c287b12cb88a291bd" # Allow incoming local DNS queries


As you can see, there are no block rules before it hits my DNS rule (the last one listed above).  Does anyone have any ideas why this fails?

Thanks.

I've just figured this out, thanks to a post by @davidsenk, which pointed me to https://forum.opnsense.org/index.php?topic=15900 which discusses reply-to within rules.

In OPNsense's GUI I edited the rule and expanded the Advanced Features section. Within this section is the reply-to menu, which I set to disable.

After saving the rule and reloading the firewall, everything seems to be working.
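What is going on in the rule above, for anyone hitting the same thing: pf's reply-to on an "in" rule tells pf to send the replies for every state that rule creates out the named interface to the named next hop. The rule matched on "! re0", so it only ever created states for queries arriving on the non-WAN interfaces, but the reply-to clause still forced the DNS answers out re0 towards the WAN gateway instead of back towards the LAN client. The query passed, the answer never came back, and from the client that is indistinguishable from a block. Below is a small added checker (not part of the thread, and not OPNsense code) that reads rules.debug and flags "in" rules whose reply-to interface does not match the interface the rule is filtering on, which is exactly the inverted-interface case. The sample rules are constructed from the post, with the "<next hop>" placeholder replaced by the documentation address 192.0.2.1; the line without reply-to is how I assume the rule renders once the GUI option is disabled, and the extra WAN rule is made up to show a legitimate use of reply-to that must not be flagged.

```python
import re

# Constructed sample in rules.debug form. Lines 2 and 3 are the post's rules with
# 192.0.2.1 standing in for "<next hop>"; line 4 is an assumed rendering of the DNS
# rule with reply-to disabled; line 5 is a made-up, correct WAN rule. None of the
# addresses or the last two lines come from the original post.
RULES_DEBUG = """\
# block in log quick on re0 inet from {<bogons>} to {any} label "a785cde4d07ef9d5492b2752d6f3674c" # Block bogon IPv4 networks from ONT
pass out route-to ( re0 192.0.2.1 ) from {(re0)} to {!(re0:network)} keep state allow-opts label "f6dc4c3fe096989ac6d4a2c85cd16c64" # let out anything from firewall host itself (force gw)
pass in quick on  ! re0 reply-to ( re0 192.0.2.1 ) inet proto {tcp udp} from {any} to {(self)} port {53} keep state label "f7314d8b59355b1c287b12cb88a291bd" # Allow incoming local DNS queries
pass in quick on  ! re0 inet proto {tcp udp} from {any} to {(self)} port {53} keep state label "f7314d8b59355b1c287b12cb88a291bd" # Allow incoming local DNS queries
pass in quick on re0 reply-to ( re0 192.0.2.1 ) inet proto tcp from {any} to {(self)} port {443} keep state label "constructed-wan-rule" # constructed: reply-to matches the rule interface
"""

# action, direction, optional log/quick flags, optional (possibly negated) interface.
RULE_RE = re.compile(
    r"^(?P<action>pass|block|match)\s+(?P<dir>in|out)"
    r"(?:\s+(?:log|quick))*"
    r"(?:\s+on\s+(?P<neg>!)?\s*(?P<iface>\{[^}]*\}|[\w.]+))?"
)
# reply-to ( iface [gateway] ); the gateway part is optional in pf syntax.
REPLY_TO_RE = re.compile(r"reply-to\s*\(\s*(?P<iface>[\w.]+)(?:\s+(?P<gw>[^\s)]+))?\s*\)")
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def parse_rule(line):
    """Pull the fields this check cares about out of one pf rule, or return None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rt = REPLY_TO_RE.search(line)
    lbl = LABEL_RE.search(line)
    return {
        "action": m.group("action"),
        "dir": m.group("dir"),
        "negated": m.group("neg") is not None,
        "iface": m.group("iface"),            # None when the rule has no "on" clause
        "reply_to": rt.group("iface") if rt else None,
        "label": lbl.group(1) if lbl else "",
    }


def find_misrouted_replies(rules_debug):
    """Return (lineno, label, reason) for every 'in' rule whose reply-to would push
    replies out an interface other than the single one the rule matches on."""
    findings = []
    for lineno, raw in enumerate(rules_debug.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank, or a rule OPNsense has disabled
            continue
        rule = parse_rule(line)
        if rule is None or rule["dir"] != "in" or rule["reply_to"] is None:
            continue
        if rule["iface"] is None:
            reason = "matches on any interface, replies forced out %s" % rule["reply_to"]
        elif rule["negated"]:
            # The thread's case: "on ! re0" selects every interface except re0, yet
            # every reply is routed out re0 to the WAN next hop and never reaches the client.
            reason = "matches on every interface except %s, replies forced out %s" % (
                rule["iface"], rule["reply_to"])
        elif rule["reply_to"] != rule["iface"]:
            reason = "matches on %s, replies forced out %s" % (rule["iface"], rule["reply_to"])
        else:
            continue   # reply-to points at the interface the rule matches: normal WAN rule
        findings.append((lineno, rule["label"], reason))
    return findings


def strip_reply_to(line):
    """Show what the rule looks like without its reply-to clause. This only models
    the effect of the GUI option; edit the rule in the GUI, rules.debug is regenerated."""
    return re.sub(r"\s*reply-to\s*\([^)]*\)", "", line)


if __name__ == "__main__":
    for lineno, label, reason in find_misrouted_replies(RULES_DEBUG):
        print("rules.debug:%d label %s: %s" % (lineno, label, reason))
    print(strip_reply_to(RULES_DEBUG.splitlines()[2]))
```

On a live box the same check can be run against /tmp/rules.debug, or against the loaded ruleset via "pfctl -sr"; the rule labels printed are the ones shown in the GUI, so a flagged line can be traced straight back to the rule whose Advanced Features need the reply-to option turned off.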