Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?

Started by lar.hed, November 27, 2020, 07:26:40 AM

Okay - when I drew this on paper yesterday evening I think I knew why we "talk different languages" so to speak. I see this at "hardware" level, and I think OPNsense developers see this more at "software" level. Why? Well, you request, most likely correctly, IPs and direction. I like to see this at hardware interface level, and of course direction. I think this could explain why I would very much like to have back the firewall rules that seem to have worked on 20.1 - and now no rules at all work on WAN-kind of interfaces (all rules are always interpreted as blocking rules, no matter what).

Anyway, here is a very simple drawing. Do note that I am at interface level, and the ports mentioned are the only ones allowed out from each area so to speak.

December 01, 2020, 10:00:41 AM #31 Last Edit: December 01, 2020, 02:32:59 PM by mimugmail
When you don't use port forwards you can leave the WAN rules tab empty, just add the rules with direction incoming on LAN and/or WORK.

And please, don't repeat yourself that it worked before with 20.1; the concept of firewalling is to allow the packet closest to the source, so when LAN wants to travel via WAN, add the rule on LAN.
When a packet of WORK wants to go to LAN, add the rules to WORK.

Only port forwards are added to WAN, or if you want to allow VPN to the firewall.

Sorry for that - will not happen again.

You asked for examples so you could maybe help me with rules. Here are the 2 I am currently struggling with:

1) DNS will be only port 53 on the inside (left, if you will, on the earlier posted drawing) of OPNsense, so a rule to go from an interface, say WORK (in this example my laptop with 192.168.2.10), to the internal Unbound DNS only, and this needs to work with Multi-WAN of course.

2) For the WAN interfaces, WAN_FTTH and WAN_LTE, only allow DNS-over-TLS to IP addresses 1.1.1.1 and 9.9.9.9 from the internal Unbound of OPNsense, through port 853 - and no traffic on 53 (or 853 except to these two IPs).

The first one I got, I think, although I am still not 100% sure what destination IP I should use - currently I use "This Firewall" since it works - however that alias seems a bit too "large" so to speak.

The second one - well, that is where I cannot figure out how to get that working.

For me the left (on my drawing) and right (again on my drawing) are two separate "zones" - and I do not like to assume that everything works all the time. I liked that extra protection.


For the first you can set it on the rules tab LAN with source LAN net and destination LAN address, and for WORK, WORK net and destination WORK address.
So every client in its own network uses the gateway address as DNS.

Regarding 2, you have to make sure within Unbound that only DoT is allowed, no idea how to do this, but I guess when you enabled DoT for zone "." it should force 853 always.
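For reference, here is what "DoT forced for zone ." looks like in plain Unbound configuration terms. This is an added example, not something posted in this thread or taken from OPNsense's generated config (OPNsense writes its own unbound.conf from the GUI settings); the CA bundle path is an assumption and the two upstream hostnames are the certificate names Cloudflare and Quad9 publish for these addresses.

```conf
server:
    # CA bundle used to validate the upstream TLS certificates.
    # Assumed path; use the bundle your OPNsense/FreeBSD install provides.
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Do not fall back to plain recursion on 53 if all forwarders fail
    # (this is the default, stated explicitly so the intent is visible).
    forward-first: no

forward-zone:
    # Forward everything ("." = the root zone) to the listed resolvers only.
    name: "."
    forward-tls-upstream: yes
    # address@port#authname: Unbound connects on 853 and verifies that
    # the presented certificate matches the name after '#'.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

With a single forward-zone for "." and forward-tls-upstream set, Unbound has no reason to send anything on 53 out of the WAN side itself, so a firewall rule there only catches a misconfiguration; `unbound-checkconf` validates the syntax before reloading.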

Thanks! And I mean it!

Sorry, question 2 is not resolvable, but I guess that is how life is.