DMZ Firewall rules driving me crazy

Started by christianholz, November 19, 2019, 05:23:46 PM

Hi OPNsense wizards,

I am slowly losing steam with OPNsense and wonder if I have to go back to pfSense, where I never had this problem... But maybe I am just overlooking something obvious?

I am running OPNsense 19.7.6-amd64 and I have three NICs on my device. One is bound to the external GW, one to the LAN and one is my DMZ. So far so good. I can access the Internet from both the LAN and DMZ networks, I can access the DMZ from the LAN (also as expected), but I cannot prohibit connections from DMZ to LAN. The latter is absolutely necessary for me, otherwise it is not a DMZ.

I have tried the following:

- Added a rule on the DMZ interface, type "Block", direction out, with the destination being the whole LAN network (/24) and the rest pretty much any/any as suggested by OPNsense.
- Added a rule on the LAN interface, type "Block" where the source is the DMZ network (also /24).
- At this point there are no exceptions defined; i.e. no other firewall rules. All of the rules are "first match".

With this, I still have bidirectional connectivity between LAN and DMZ and I don't understand why. I have flushed the states table and rebooted the firewall multiple times without any results.

What I am trying to get is:

- Both LAN and DMZ can talk to the Internet
- LAN can talk to everything on all ports in the DMZ
- DMZ can talk to a single IP in LAN via SSH only
- OpenVPN terminates in LAN with the aforementioned access as LAN (this seems to work)

Anything that could be wrong here?

Thanks for any hints...

Christian
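The following is an added example, not part of the thread and not OPNsense's own code. It is a small Python model of how pf (the packet filter underneath OPNsense) evaluates interface rules top-down with first-match semantics, so the two rules described in the post can be replayed against a DMZ-to-LAN packet and compared with a rule set that expresses the same policy on the DMZ interface in direction "in". The model assumes the GUI defaults: direction "in", stateful ("keep state") rules, floating states, and an implicit default deny. The subnets 192.168.1.0/24 (LAN), 192.168.2.0/24 (DMZ) and the SSH target 192.168.1.20 are constructed, since the post only says "/24" and "a single IP in LAN".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    iface: str                   # interface tab the rule lives on: "LAN", "DMZ", "WAN"
    direction: str               # "in" (the GUI default) or "out"
    action: str                  # "pass" or "block"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None = any destination port
    keep_state: bool = True      # OPNsense default; False models "state type: none"


def _in_net(net: str, ip: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net)


def first_match(rules, iface, direction, src, dst, dport):
    """Top-down, first-match ("quick") evaluation of one interface/direction.
    Returns (verdict, index of the deciding rule); no match means default deny."""
    for index, r in enumerate(rules):
        if (r.iface, r.direction) != (iface, direction):
            continue
        if not (_in_net(r.src, src) and _in_net(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, index
    return "block", None


def forward(rules, in_iface, out_iface, src, dst, dport):
    """Fate of a packet that arrives on in_iface and would leave via out_iface.

    Modelled after pf: the "in" rules of the arrival interface decide first.
    A passing rule that keeps state creates a floating state, so the "out"
    rules of out_iface are never consulted for this flow. Only a stateless
    pass falls through to the "out" rule set of the egress interface.
    """
    verdict, index = first_match(rules, in_iface, "in", src, dst, dport)
    if verdict == "block" or rules[index].keep_state:
        return verdict, index
    return first_match(rules, out_iface, "out", src, dst, dport)


# Constructed addresses: the post only states that both networks are /24.
LAN_NET, DMZ_NET = "192.168.1.0/24", "192.168.2.0/24"
SSH_TARGET = "192.168.1.20"   # the "single IP in LAN" that DMZ may reach on SSH

# The two rules from the post, plus the any/any pass rules assumed to exist on
# each interface (both networks can reach the Internet, so something passes).
AS_POSTED: List[Rule] = [
    Rule("DMZ", "out", "block", "any", LAN_NET),   # sees only traffic leaving toward DMZ hosts
    Rule("LAN", "in", "block", DMZ_NET, "any"),    # sees only traffic arriving from LAN hosts
    Rule("DMZ", "in", "pass", "any", "any"),
    Rule("LAN", "in", "pass", "any", "any"),
]

# The same policy placed where DMZ-originated packets are actually seen: "in" on DMZ.
CORRECTED: List[Rule] = [
    Rule("DMZ", "in", "pass", DMZ_NET, SSH_TARGET, dport=22),  # the one allowed exception
    Rule("DMZ", "in", "block", DMZ_NET, LAN_NET),              # everything else into LAN
    Rule("DMZ", "in", "pass", DMZ_NET, "any"),                 # Internet access for DMZ
    Rule("LAN", "in", "pass", LAN_NET, "any"),                 # LAN reaches DMZ and Internet
]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        verdict, index = forward(rules, "DMZ", "LAN", "192.168.2.10", SSH_TARGET, 445)
        print(f"{label}: DMZ host -> {SSH_TARGET} tcp/445: {verdict} (rule {index})")
```

Run against the posted rule set, the DMZ-to-LAN packet is passed by the DMZ "in" any/any rule: the "out" rule on DMZ only ever sees packets leaving the firewall toward DMZ hosts, and the "in" rule on LAN only sees packets arriving from LAN hosts, so neither block rule can match. With the corrected set the ordering matters because evaluation is first-match: the SSH exception must sit above the block, and the block above the general pass. After changing rules it is still worth clearing the state table, as the post already did, since existing states bypass rule evaluation.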