OPNSense Rules

Started by bwar, October 13, 2020, 01:01:13 AM

Hello all, I'm a retired IT worker, upgrading from a Smoothwall 3.1 Express install that I've been using about 10 years. I was a programmer and I'm 69 years old, so it might take me a little longer to get this right than some of you pros! Anyway, I'm using three interfaces, with one for my desktops and NAS and one for my wireless, phone, cameras, and other devices. I've attached a screenshot of my OPT interface firewall rules. My philosophy with my Smoothwall was to allow only what I need and reject everything else. One of my devices is an IP Phone, and I've found on my Smoothwall it worked best when set to an always allowed device. I've tried to do that with my OPNSense rules with the two you'll see in the screenshot for 192.168.1.100. The rules as they are work fine. However when I disable the "In" rule for 192.168.2.100 I disable my Internet connection on this subnet. So, clearly the rule must not be doing what I'm expecting it to, and my rules above which allow Internet must not be working either. My best guess is that DNS is not working on this subnet, and somehow my "in" rule is enabling it. Can someone offer me a suggestion? Thanks so much.

In your firewall configuration you have exactly ONE active rule allowing access to the internet. And that is the IN rule for 192.168.2.100/24 (rule no. 6 in your screenshot). If you disable this rule, you won't have any access to the internet at all.

I am not sure for what reason you have set up the first two firewall rules. Are you trying to access internal devices from the internet?

Also I want to point out that 192.168.2.100/24 refers to the whole subnet 192.168.2.xxx and not just the phone. If you want to set up a specific rule for your phone you should use 192.168.2.100/32 instead.

As far as I understood a basic setup could look like follows for you:

Action Direction Protocol Source Port Destination Port Gateway Schedule Description
pass in IPv4 TCP/UDP * * * 80 (HTTP) * * Allow http access
pass in IPv4 TCP/UDP * * * 443 (HTTPS) * * Allow https access
pass in IPv4 TCP/UDP * * * 53 (DNS) * * Allow DNS access
pass in IPv4 TCP/UDP 192.168.2.100/32 * * * * * Allow everything for IP phone
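The two points the reply makes (a /24 mask on a host address covers the whole subnet, and with rule 6 disabled nothing else on the OPT interface passes traffic out) can be checked with a small rule evaluator. The following is an added illustration, not OPNsense code and not from either poster. It assumes OPNsense's default first-match ("quick") evaluation and an implicit default deny when no rule matches; the "original" ruleset is a constructed stand-in for rule no. 6 from the screenshot, which is not reproduced on the page, and the "suggested" ruleset is the table from the reply.

```python
"""Toy first-match firewall rule evaluator (added example, not OPNsense code).
Assumes first-match semantics and an implicit default deny."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    protos: FrozenSet[str]      # e.g. {"tcp", "udp"}; empty set = any protocol
    src: str                    # CIDR string, or "*" for any source
    dport: Optional[int]        # destination port, None = any port
    desc: str
    enabled: bool = True


def subnet_size(cidr: str) -> int:
    """Number of addresses a source field like 192.168.2.100/24 really covers."""
    # strict=False accepts a host address with a mask and yields the network
    # (192.168.2.100/24 -> 192.168.2.0/24), which is why such a rule matches
    # every host in the subnet and not only the phone.
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def matches(rule: Rule, proto: str, src_ip: str, dport: int) -> bool:
    """True if an enabled rule matches the given packet attributes."""
    if not rule.enabled:
        return False
    if rule.protos and proto not in rule.protos:
        return False
    if rule.src != "*":
        net = ipaddress.ip_network(rule.src, strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules: List[Rule], proto: str, src_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, description) of the first matching enabled rule,
    or the implicit default deny if nothing matches."""
    for rule in rules:
        if matches(rule, proto, src_ip, dport):
            return rule.action, rule.desc
    return "block", "default deny (no rule matched)"


TCP_UDP = frozenset({"tcp", "udp"})

# Constructed stand-in for rule no. 6 in the screenshot: the only rule on the
# OPT interface that passes traffic out, written with /24 instead of /32.
original_rules = [
    Rule("pass", TCP_UDP, "192.168.2.100/24", None, "rule 6: phone (actually whole /24)"),
]

# Same ruleset with rule 6 disabled, as in the original post.
original_rules_rule6_off = [
    Rule("pass", TCP_UDP, "192.168.2.100/24", None, "rule 6 (disabled)", enabled=False),
]

# The basic ruleset proposed in the reply.
suggested_rules = [
    Rule("pass", TCP_UDP, "*", 80, "Allow http access"),
    Rule("pass", TCP_UDP, "*", 443, "Allow https access"),
    Rule("pass", TCP_UDP, "*", 53, "Allow DNS access"),
    Rule("pass", TCP_UDP, "192.168.2.100/32", None, "Allow everything for IP phone"),
]


if __name__ == "__main__":
    print("hosts covered by 192.168.2.100/24:", subnet_size("192.168.2.100/24"))
    print("hosts covered by 192.168.2.100/32:", subnet_size("192.168.2.100/32"))
    # A laptop (constructed address) on the OPT subnet doing a DNS lookup:
    for name, rules in (("rule 6 on", original_rules),
                        ("rule 6 off", original_rules_rule6_off),
                        ("suggested", suggested_rules)):
        print(name, "-> DNS from 192.168.2.50:", evaluate(rules, "udp", "192.168.2.50", 53))
    print("suggested -> SSH from 192.168.2.50:", evaluate(suggested_rules, "tcp", "192.168.2.50", 22))
    print("suggested -> SSH from phone:", evaluate(suggested_rules, "tcp", "192.168.2.100", 22))
```

Running it shows why disabling rule 6 takes the whole subnet offline: with only that rule present, a DNS query from any 192.168.2.x host matched it, and with it off the query falls through to the default deny. With the suggested set, DNS, HTTP and HTTPS pass for every host, while the /32 rule grants the phone everything and nothing else gets, say, port 22.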