Creating a Whitelist using Firewall Aliases and Rules for Zscaler Client Connect

Started by instantdreams, October 06, 2025, 06:21:06 PM

I have installed OPNsense 25.7.4-amd64 to replace a NetGear Orbi RBR850.

On my home network I occasionally use a work laptop that uses the Zscaler Client Connector to create a secure tunnel to my work. Zscaler provide a Cloud Enforcement Node Ranges page that lists all URLs in CIDR format for inclusion into an allow list. I have previously included this whitelist in Crowdsec to allow access to my services from my work laptop.

After installing OPNsense I noticed the default deny / state violation rule was being triggered when I enabled the Zscaler tunnel on my work laptop. I created a Firewall Alias with the following details:

1. Enabled: checked
2. Name: zscaler_ranges
3. Type: Network(s)
4. Categories: blank
5. Content: CIDRs from Cloud Enforcement Node Ranges
6. Statistics: unchecked
7. Description: Whitelist events from zscaler aggregate ip address ranges

I saved and validated this alias and then created a Firewall Rule under my WAN interface:

1. Action: pass
2. Disabled: unchecked
3. Quick: checked
4. Interface: WAN
5. Direction: in
6. TCP/IP Version: IPv4+IPv6
7. Protocol: any
8. Source / Invert: unchecked
9. Source: zscaler_ranges
10. Destination / Invert: unchecked
11. Destination: any
12. Description: allow zscaler traffic

I saved and applied this rule.

When I check Firewall : Log Files : Live View I can still see many entries being denied, and the alias reports the following:

name             loaded    matched    in block packet    in pass packet
zscaler_ranges   491560836

Is there anything I am missing with this configuration?

I changed the Firewall Rules from WAN to Floating and the matched and pass values in the alias have gone up but some network issues still exist:

name             loaded    matched    block    pass
zscaler_ranges   4933401826

I expect I am missing something obvious here, being a newbie with OPNsense.

Isn't your laptop the one initiating the traffic OUT from your LAN? In which case you would want the rule on the interface LAN, direction IN.

After a day of testing I can confirm that the issues with my work laptop connected to a zscaler tunnel using the Zscaler Client Connector have been resolved.

The solution was as follows:
1. Copy the URLs listed on the Cloud Enforcement Node Ranges page into a comma separated list
2. Create a Firewall Category:
   2.1. Colour: blue
   2.2. Name: zscaler
3. Create and apply a Firewall Alias:
   3.1. Name: ranges_zscaler
   3.2. Type: Network(s)
   3.3. Categories: zscaler
   3.4. Content: Paste comma separated list
   3.5. Description: Whitelist events from zscaler aggregate ip address ranges
4. Create and apply a Firewall Rule Floating:
   4.1. Action: Pass
   4.2. Quick: checked
   4.3. Direction: in
   4.4. TCP/IP Version: IPv4+IPv6
   4.5. Protocol: any
   4.6. Source: ranges_zscaler
   4.7. Category: zscaler
   4.8. Description: allow zscaler traffic

I will continue to monitor the access and behaviour over the next week.
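Two things in this thread are easy to get wrong by hand: turning the pasted ranges into a clean comma separated alias content (step 1), and working out whether the denied packets have the Zscaler range as their source or their destination, which is what the earlier reply about the laptop initiating traffic hinges on. The following script is an added example, not code from the original posts or from OPNsense; the CIDRs and the denied-packet records are constructed sample values, not Zscaler's real list or a real log.

```python
import ipaddress

# Constructed sample, NOT Zscaler's real list: what a paste from the Cloud
# Enforcement Node Ranges page might look like, with stray whitespace,
# a duplicate entry and a typo mixed in.
SAMPLE_RANGES = "198.51.100.0/24, 198.51.100.0/24 ,203.0.113.0/25\n2001:db8:1::/48\n203.0.113/25"

# Constructed (src, dst) pairs as read off Firewall : Log Files : Live View.
SAMPLE_DENIES = [
    ("192.0.2.20", "198.51.100.7"),   # LAN laptop talking out to a node
    ("203.0.113.9", "192.0.2.20"),    # node talking back in to the laptop
    ("192.0.2.20", "8.8.8.8"),        # unrelated, neither side in the alias
]

def build_alias_content(raw):
    """Normalise pasted ranges into the comma separated list a Network(s)
    alias accepts: trim, drop duplicates, reject anything that is not a CIDR."""
    kept, rejected = [], []
    for token in raw.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append(token)      # surface typos instead of silently losing a range
            continue
        if net not in kept:
            kept.append(net)
    return ",".join(map(str, kept)), rejected

def in_alias(content, ip):
    """True if ip falls inside any network listed in the alias content."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in content.split(",") if c)

def classify_denies(content, denies):
    """Report which side of each denied packet matched the alias; that is the
    side (Source or Destination) the pass rule has to name."""
    rows = []
    for src, dst in denies:
        if in_alias(content, src):
            rows.append((src, dst, "source"))
        elif in_alias(content, dst):
            rows.append((src, dst, "destination"))
        else:
            rows.append((src, dst, "none"))
    return rows
```

If most denied packets come back as "destination", the traffic is the laptop going out and the rule needs the alias on the destination side (as the reply above suggests); if they come back as "source", the floating rule with the alias as Source is the one doing the work.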