Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Opnsense auto generated rules prevent blocking
« previous
next »
Print
Pages: [
1
]
Author
Topic: Opnsense auto generated rules prevent blocking (Read 624 times)
Fkhan6601
Newbie
Posts: 1
Karma: 0
Opnsense auto generated rules prevent blocking
«
on:
June 04, 2024, 10:17:40 am »
Hi, all.
I am trying to block a set of devices from reaching any address except a particular lan address and port. Here is my setup:
I have open sense connected to my ONT. On the lan port, I have a wireless router and other wireless mesh devices. I am using the router as a wireless AP and using open sense dhcpv4 server.
On my firewall, I have aliased devices I want to prevent from reaching the Internet with a rule in floating rules:
Rule 1
Dir: out
Interface: lan
Source: myAlias
Dest: mySpecific Lan Address and port on lan with cidr 32
Allow
Rule 2
Dir: out
iFace: lan
Src: myAlias
Dest: any
Block
Apply all rules
I would think this should be enough, but those devices can both ping, traceroute via open sense, and browse the internet. I have tried to restart fp and restart fw server. The traffic seems to go through an auto generated rule for "let out anything from firewall host itself. I can use DNS to block address translation, but that defeats the purpose of a firewall.
I have looked at firewall sessions to find the rule that is allowing traffic out. I can't disable this rule with the UI and it seems if this is really a default rule, it is a bad rule or something is not right with my setup. I have a bunch iot devices and many other android devices from China that I don't want to reach the internet at all. They are only allowed to connect to an internal server UI or specific port, like rtsp, and I want to block all outgoing and incoming traffic. All the devices have static ipv4 addresses and are included in the alias. This was a similar setup to pfsense, where rules worked, but it seems opnsense is just not blocking anything at all via firewall.
I'll be happy to provide more info without external ips or other info that would compromise security.
I am a technical user in a related field with experience in bsd, Linux, and lots of related stuff. I know it is possible to remove the auto rules, but this whole thing seems wrong, so I'm questioning my own setup. I'm coming from pfsense and wanted to use opnsense for sensie, suricata, etc. what is wrong here?
Logged
cookiemonster
Hero Member
Posts: 1823
Karma: 95
Re: Opnsense auto generated rules prevent blocking
«
Reply #1 on:
June 04, 2024, 12:47:02 pm »
change the direction to IN.
Logged
Seimus
Hero Member
Posts: 608
Karma: 59
Re: Opnsense auto generated rules prevent blocking
«
Reply #2 on:
June 04, 2024, 01:51:30 pm »
I will just add
https://docs.opnsense.org/manual/firewall.html#processing-order
Regards,
S.
Logged
Networking is love. You may hate it, but in the end, you always come back to it.
OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G -
VM HA(SOON)
N100 - i226-V | Crucial 16G 4800 DDR5 | S 980 500G -
PROD
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Opnsense auto generated rules prevent blocking