OPNsense Forum » English Forums » 24.1 Legacy Series » Firewall Rule Question
Topic: Firewall Rule Question (Read 682 times)
laugher
Newbie
Posts: 3
Karma: 0
Firewall Rule Question « on: June 13, 2024, 02:59:08 am »
Hi everyone. I'm new to OPNsense so please be gentle. :'(
I have set up OPNsense on a Protectli Vault mini PC. On the first LAN interface, there was already a rule created automatically for me by the OPNsense setup to allow the subnet to any.
On the second interface, I had to manually add it myself and found I had to clone the rule from the first and configure it for this second interface.
Question #1 - Should I change the destination "any" to WAN address or WAN net?
I really want all interfaces to allow originating traffic to the internet but not to each other.
Question #2 - Should I add a firewall rule to allow one fixed internal IP on the first LAN interface to the .1 address of the same subnet for management purposes? Is this what is considered best practice?
I would like only one PC with a static (or DHCP-reserved) IP to connect to OPNsense for management purposes (web GUI, SSH to OPNsense) in order to limit management access to the appliance.
Any thoughts and how you have achieved similar setup would be very much appreciated.
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Firewall Rule Question « Reply #1 on: June 13, 2024, 11:32:48 am »
1. Don't allow to WAN address/WAN net. It will break connectivity to the web.
2. The default "allow any any" rule is only meant as a starter, even on LAN. Refine it to your taste with specific block/allow rules.
3. To avoid traffic from LAN to OPT1 (and vice versa), place a rule on top of the LAN rules list with "block source: LAN net, target: OPT1 net" (and vice versa). Rules are evaluated from top to bottom; the first match will bite (if the standard "quick" is set; otherwise the rule will be evaluated last, but that should be kept for special/advanced configurations).
« Last Edit: June 13, 2024, 12:11:17 pm by chemlud »
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
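The top-to-bottom, first-match evaluation chemlud describes in reply #1 (including the difference "quick" makes), together with the single-host management rule laugher asks about in question #2, as an added example that is not from the thread or from OPNsense itself: a small Python model of pf-style rule evaluation over a constructed LAN rule set. The LAN 10.10.10.0/24 and WAN 123.123.123.123 values are the ones laugher uses later in the thread; the OPT1 network 10.10.20.0/24, the management host 10.10.10.50 and the internet address 203.0.113.10 are assumptions.

```python
import ipaddress

# Constructed addresses: LAN and WAN are taken from the thread, the OPT1
# network, the management host and the internet destination are assumptions.
LAN_NET = ipaddress.ip_network("10.10.10.0/24")
OPT1_NET = ipaddress.ip_network("10.10.20.0/24")
LAN_ADDR = ipaddress.ip_network("10.10.10.1/32")       # "LAN address" (the firewall itself)
WAN_ADDR = ipaddress.ip_network("123.123.123.123/32")  # "WAN address"
MGMT_PC = ipaddress.ip_network("10.10.10.50/32")       # the one permitted management host
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (action, source net, destination net, destination ports or None, quick).
# Order matters: rules are evaluated top to bottom, exactly like the LAN tab.
LAN_RULES = [
    ("pass",  MGMT_PC, LAN_ADDR, {22, 443}, True),   # management host may reach GUI/SSH
    ("block", LAN_NET, LAN_ADDR, {22, 443}, True),   # nobody else on LAN may
    ("block", LAN_NET, OPT1_NET, None, True),         # keep LAN away from OPT1
    ("pass",  LAN_NET, ANY, None, True),              # everything else, i.e. the internet
]


def evaluate(rules, src, dst, dport):
    """pf semantics: the first matching 'quick' rule decides immediately; a
    matching non-quick rule only sets a provisional verdict that a later match
    may overwrite.  No match at all means the implicit default block."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "block"
    for action, s, d, ports, quick in rules:
        if src_ip in s and dst_ip in d and (ports is None or dport in ports):
            verdict = action
            if quick:
                return verdict
    return verdict


# Variant laugher tried first: destination "WAN address" instead of "any".
WAN_ADDR_RULES = LAN_RULES[:-1] + [("pass", LAN_NET, WAN_ADDR, None, True)]

# Variant with the LAN -> OPT1 block rule left non-quick: the later quick
# "pass any" rule then overrides it, which is what reply #1 warns about.
NON_QUICK_RULES = [r[:4] + (False,) if r[2] == OPT1_NET else r for r in LAN_RULES]

if __name__ == "__main__":
    print(evaluate(LAN_RULES, "10.10.10.10", "203.0.113.10", 443))      # pass
    print(evaluate(WAN_ADDR_RULES, "10.10.10.10", "203.0.113.10", 443))  # block
    print(evaluate(LAN_RULES, "10.10.10.10", "10.10.20.5", 80))          # block
    print(evaluate(NON_QUICK_RULES, "10.10.10.10", "10.10.20.5", 80))    # pass
    print(evaluate(LAN_RULES, "10.10.10.50", "10.10.10.1", 443))         # pass
    print(evaluate(LAN_RULES, "10.10.10.10", "10.10.10.1", 443))         # block
```

The internet-bound packet has a destination of 203.0.113.10, not the firewall's WAN address, so a rule whose destination is "WAN address" never matches it and the implicit default block applies.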
laugher
Newbie
Posts: 3
Karma: 0
Re: Firewall Rule Question « Reply #2 on: June 13, 2024, 11:54:48 am »
1. That makes a lot of sense. It does break when I use the WAN address as destination. But when I use WAN net, it seems to work. Still trying to understand why. I'll switch it over to any once I am done learning.
2. Got it. I will try to get a grip on what traffic is flowing between all my devices to the WAN interface over the next week or two to tighten it up. At this stage, all I can think of is http, https, dns, imap and ftp to start off with and am hoping social media mobile apps all use standard http/s ports!
3. That's great. Thank you!
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Firewall Rule Question « Reply #3 on: June 13, 2024, 12:12:41 pm »
1. Not fully understood here, but maybe CGNAT on WAN?
laugher
Newbie
Posts: 3
Karma: 0
Re: Firewall Rule Question « Reply #4 on: June 13, 2024, 02:22:28 pm »
With my limited understanding, I don't really follow how ISP CGNAT would affect why OPNsense would accept connections to WAN net. My only guess at this stage is that all traffic is routed to the default gateway in order to reach an address on the internet.
For example:
A Vault LAN device has IP 10.10.10.10, receives an internet-bound packet, and routes it to its default gateway 10.10.10.1.
The LAN interface 10.10.10.1 (FW) receives it. The FW rules say auto NAT, then route to the WAN interface (internet-bound traffic).
The WAN interface (ISP DHCP-assigned) 123.123.123.123 receives the packet and sends it to its default gateway, which is 123.123.123.1.
From there, it's out of the vault doors to its destination.
Unless I put a packet sniffer on the interface or I wade through the logs, I guess I am just guessing!
But while I am interested, I am not all that interested to find out just yet. Still got lots of other interesting bits to learn here. Going to go with your experience and change it to "any" later.
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: Firewall Rule Question « Reply #5 on: June 15, 2024, 04:06:26 pm »
Routing is "next hop" (... -> WAN IP -> ISP gateway -> ...), but FW rules should be "target IP"-based.