Some basic firewall rules

Started by opnjester, December 15, 2020, 02:19:09 PM

December 15, 2020, 02:19:09 PM Last Edit: December 15, 2020, 04:50:20 PM by opnjester
Hello,

I've set up a nice working OPNsense router with DHCP, DNS, Sensei, IDS, ClamAV, WoL, and 3 interfaces (WAN, LAN-R, LAN-T).
Those are configured as 2 separate networks: LAN-R 10.0.1.1 and LAN-T 10.0.2.1.
Every network should be able to browse the internet and only some protocols should be open between both networks.

I'm just fighting with the firewall and I don't really understand how to configure it. I found some information here, but it never worked for me.
If I enable the standard rule "Default allow LAN to any rule" it works just fine.

So, I disabled it and tried to figure out how to just allow browsing:

DNS is allowed and also working. But what should be the next rule to allow LAN-R to be able to browse the internet?

E.g. I did some testing with a printer web page. The printer has the IP 10.0.2.30 and the computer wants to access it from LAN-R. But no chance :/  Also when choosing LAN-R as source.

Thank you very much
Regards

December 15, 2020, 08:45:08 PM #1 Last Edit: December 15, 2020, 08:47:28 PM by chemlud
The traffic is evaluated against the rules on the FIRST interface it hits. If allowed by a rule, a STATE will be created, allowing automagically the REPLY to pass back without needing a specific rule on any interface.

1. Never have any ALLOW rules on WAN (unless you know exactly why you need it).

2. If a client in LAN1 wants to reach a client on LAN2 (let's say: a samba server) you need an ALLOW rule on LAN1 for source (IP of the source client, port: any) to target (IP of client in LAN2, port 445).


kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hello chemlud,

yes, the rules are only created on the LAN interfaces.

So a rule like the one in the attachment (HTTP Test) should work? Here it's not working.
10.0.1.82 is the IP of my PC in LAN1 and 10.0.2.20 is the IP of a printer in LAN2.

I really don't know where my error is.

Regards

Allow LANnet to "LAN address" port 53 as the first rule. Reboot. Test again and tell us how you try to access port 80 of the printer and what EXACTLY happens then...
kind regards
chemlud

Hi,

sorry, my fault. Didn't check that the printer did a redirect on port 443. So that's working fine now.

But I still need to find out what should be open in order to be able to access the internet.
So with this default rule:  (IPv4 *   LAN_R net   *   *   *   *   *   Default allow LAN to any rule), it's working.
But I don't want everything to be open to everywhere.
I want to access internet from LAN_R net and block access to LAN_T.

I tried
IPv4 *   LAN_R net   *   WAN address   *   *   *
IPv4 *   LAN_R net   *   WAN net   *   *   *
IPv4 *   LAN_R net   *   This Firewall   *   *   *

But nothing is working.
The rule to access dns is working though.

IPv4 TCP/UDP   LAN_R net   *   This Firewall   53 (DNS)   *   *
So DNS is working, but that's it :(

Thanks in advance.
Regards


I always create an alias with all my local networks. Then I add a firewall rule using this alias as destination and tick "destination invert". There is no "Destination WAN" alias, so this is the nearest I could get. This means that you need to keep this alias updated as soon as a new network is added.
"The S in IoT stands for Security!" :)
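The following is an added example, not code from the thread or from OPNsense itself: a small Python model of how the rule set discussed above behaves, putting together chemlud's two points (rules are evaluated on the first interface the packet hits, and a state then lets the reply back without any rule on the other interface; DNS to "This Firewall" on port 53 as the first rule; a source-to-destination-port rule for LAN-to-LAN access) and the last reply's trick of an alias of all local networks used as an inverted destination to mean "the Internet". The addresses 10.0.1.82, 10.0.2.20 and the 10.0.1.0/24 and 10.0.2.0/24 networks are the ones from the thread; the WAN address 203.0.113.2, the outside host 198.51.100.10 and all source ports are constructed for the example. It also shows why the "WAN address" attempt in the thread could not work: that target is only the firewall's own WAN IP, so a packet to any external host never matches it.

```python
# Toy model of first-match, stateful rule evaluation as OPNsense does it
# (added example, not OPNsense code). Only the rules relevant to the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology from the thread: the firewall holds .1 on each LAN.
# 203.0.113.2 is an assumed WAN address (documentation range).
NETS = {"LAN_R": ip_network("10.0.1.0/24"), "LAN_T": ip_network("10.0.2.0/24")}
FW_ADDRS = {ip_address("10.0.1.1"), ip_address("10.0.2.1"), ip_address("203.0.113.2")}
WAN_ADDRESS = ip_network("203.0.113.2/32")
# The alias of all local networks from the last reply; extend it when a network is added.
LOCAL_NETS = [NETS["LAN_R"], NETS["LAN_T"]]


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet first arrives on; rules are evaluated there
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    desc: str
    iface: str
    protos: frozenset = frozenset({"tcp", "udp"})
    src: object = "any"          # "any", an ip_network, or a list of ip_networks
    dst: object = "any"          # the same, plus "this_firewall"
    dport: object = "any"
    dst_invert: bool = False     # the GUI's "Destination / invert" checkbox


def _addr_matches(spec, addr, invert=False):
    a = ip_address(addr)
    if spec == "any":
        hit = True
    elif spec == "this_firewall":
        hit = a in FW_ADDRS
    else:
        hit = any(a in n for n in (spec if isinstance(spec, list) else [spec]))
    return (not hit) if invert else hit


def rule_matches(rule, pkt):
    return (rule.iface == pkt.iface
            and pkt.proto in rule.protos
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst, rule.dst_invert)
            and rule.dport in ("any", pkt.dport))


class Firewall:
    """First matching pass rule wins; no match means the default block."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # 5-tuples of flows a rule has already allowed

    def filter(self, pkt):
        # A reply to an allowed flow is matched against the state table before any
        # rule, so it needs no rule on the interface it arrives on (here: LAN_T).
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "pass:state"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                self.states.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return f"pass:{rule.desc}"
        return "block:default"


def lan_r_ruleset():
    """Rules on LAN_R only; WAN and LAN_T keep the default block, as advised."""
    return [
        # First rule: DNS to the firewall. It must be explicit because 10.0.1.1 lies
        # inside LOCAL_NETS and is therefore excluded by the inverted "internet" rule.
        Rule("dns", "LAN_R", src=NETS["LAN_R"], dst="this_firewall", dport=53),
        Rule("smb-to-lan_t", "LAN_R", frozenset({"tcp"}),
             src=ip_network("10.0.1.82/32"), dst=ip_network("10.0.2.20/32"), dport=445),
        # "Internet" = any destination that is not one of our own networks.
        Rule("internet", "LAN_R", src=NETS["LAN_R"], dst=LOCAL_NETS, dst_invert=True),
    ]


def wan_address_ruleset():
    """The attempt from the thread that could not work: 'WAN address' is the firewall's
    own WAN IP, not a stand-in for the Internet."""
    return [Rule("to-wan-address", "LAN_R", src=NETS["LAN_R"], dst=WAN_ADDRESS)]


def demo():
    fw = Firewall(lan_r_ruleset())
    pc, printer, outside = "10.0.1.82", "10.0.2.20", "198.51.100.10"  # outside host is constructed
    return {
        "dns": fw.filter(Packet("LAN_R", "udp", pc, 50000, "10.0.1.1", 53)),
        "https_out": fw.filter(Packet("LAN_R", "tcp", pc, 50001, outside, 443)),
        "http_printer": fw.filter(Packet("LAN_R", "tcp", pc, 50002, printer, 80)),
        "smb_printer": fw.filter(Packet("LAN_R", "tcp", pc, 50003, printer, 445)),
        # The SMB reply arrives on LAN_T, where there is no rule at all.
        "smb_reply": fw.filter(Packet("LAN_T", "tcp", printer, 445, pc, 50003)),
        # An unsolicited connection from LAN_T is not a reply and has no state.
        "printer_initiates": fw.filter(Packet("LAN_T", "tcp", printer, 40000, pc, 80)),
        "wan_address_attempt": Firewall(wan_address_ruleset()).filter(
            Packet("LAN_R", "tcp", pc, 50004, outside, 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Rule order matters in the model exactly as it does in the GUI: with the DNS rule placed after the inverted "internet" rule nothing changes here, but with it removed, DNS to the firewall's LAN address is blocked because that address is part of the local-networks alias. The same holds for any other service the firewall itself offers (DHCP, the web GUI), which needs its own "This Firewall" rule ahead of, or alongside, the inverted one.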