Need Help Understanding an Outbound Firewall Rule

Started by lomax0990, July 23, 2023, 01:55:29 AM

I was hoping someone could help me understand why a particular firewall rule would be breaking my internet access.

I have a pretty standard setup with some VLANs and a single WAN interface.  Just to get some initial connectivity I basically had an out-of-the-box config and created a floating rule that was an any/any rule. Everything worked as expected and all VLANs had internet access.

However, the first time I removed the floating rule I lost remote GUI access because I didn't have an inbound rule.  So then I went in after I got console access and created two rules on my WAN interface: one inbound rule that was an any/any on any port and one outbound rule that was an any/any on any port.

When I create the outbound rule it breaks my internet and it seems that it breaks DNS.  I immediately start getting "SERVFAIL" responses from a device behind one of my VLANs.  As soon as I restore the configuration back to the original before creating the outbound rule on my WAN interface my internet is restored.

Can someone help me understand why this would happen?  I'm new to OPNsense and I would like to understand this problem because it might help me understand the platform a little better.

19:39:02.535884 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.36720: 12803 ServFail 0/0/0
19:39:21.318508 IP unifi-cloudkey.xxxx.xxx.49905 > 10.10.60.1.domain: 44740+ A? trace.svc.ui.com
19:39:21.334670 IP unifi-cloudkey.xxxx.xxxl.40905 > 10.10.60.1.domain: 25148+ AAAA? trace.svc.ui.com.
19:39:26.325140 IP unifi-cloudkey.xxxx.xxx.40905 > 10.10.60.1.domain: 25148+ AAAA? trace.svc.ui.com. (34)
19:39:26.325278 IP unifi-cloudkey.xxxx.xxx.49905 > 10.10.60.1.domain: 44740+ A? trace.svc.ui.com. (34)
19:39:30.280028 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.49905: 44740 ServFail 0/0/0 (34)
19:39:30.280246 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.49905: 44740 ServFail 0/0/0 (34)
19:39:30.296466 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.40905: 25148 ServFail 0/0/0 (34)
19:39:30.296681 IP 10.10.60.1.domain > unifi-cloudkey.wccs.local.40905: 25148 ServFail 0/0/0 (34)

I'm not sure if I should be hoping I understand you correctly so I can help, or hoping I didn't as you appear to have major security issues going on.

What do you mean, "remote GUI access"?

What are your actual goals for using OPNSense?

Unless I'm misunderstanding you, you've managed to open your entire network to the internet and if your network hasn't been owned yet, it's only a matter of time.

Quote
What do you mean, "remote GUI access"?
I have ports 443 and 22 opened inbound from the internet so I can access the GUI/Console remotely from my ISP.

Quote
What are your actual goals for using OPNSense?
An appliance was purchased for a small campus environment.  I've managed Cisco, Fortinet, Juniper firewalls in the past.  This is my first time with OPNsense.

The entire network is not opened to the internet.  Like I said, I've restricted the incoming access.  And as far as I can ascertain there are preconfigured rules that allow anything outbound from an interface by default.  So what I'm trying to figure out is why, if I create a manual any/any outbound rule on my WAN interface, that breaks my DNS resolution.  Obviously that rule was not meant to stay there long term, but at this point I'm questioning if this is some sort of a bug or if I just don't understand how this thing is supposed to work.  Because even removing the rule doesn't restore my DNS resolution until I revert the configuration to a previous configuration before the rule was put in.

I've worked around this for now, but like I said I would like to understand it before moving forward in case there is something I'm not understanding.

Quote from: lomax0990 on July 23, 2023, 01:55:29 AM
...created two rules on my WAN interface.  1 inbound rule that was an any/any on any port and an outbound rule that was an any/any on any port...

Can you post WAN and LAN rules ?

Quote from: lomax0990 on July 23, 2023, 09:54:35 PM
Quote
What do you mean, "remote GUI access"?
I have ports 443 and 22 opened inbound from the internet so I can access the GUI/Console remotely from my ISP.

Quote
What are your actual goals for using OPNSense?
An appliance was purchased for a small campus environment.  I've managed Cisco, Fortinet, Juniper firewalls in the past.  This is my first time with OPNsense.

The entire network is not opened to the internet.  Like I said, I've restricted the incoming access.  And as far as I can ascertain there are preconfigured rules that allow anything outbound from an interface by default.  So what I'm trying to figure out is why, if I create a manual any/any outbound rule on my WAN interface, that breaks my DNS resolution.  Obviously that rule was not meant to stay there long term, but at this point I'm questioning if this is some sort of a bug or if I just don't understand how this thing is supposed to work.  Because even removing the rule doesn't restore my DNS resolution until I revert the configuration to a previous configuration before the rule was put in.

I've worked around this for now, but like I said I would like to understand it before moving forward in case there is something I'm not understanding.

You should not be opening up the UI to the internet, regardless of how you have it restricted.  It's just a bad idea.  SSH is doable but most people don't configure it correctly so it's not recommended either.

If you need to do remote management, set up WireGuard or OpenVPN and connect that way.

In regards to creating outbound rules on WAN, I'm still not sure what you're attempting to do there other than to get internet access for the VLANs.  If they just need internet only access, add an inbound pass rule to the VLAN interface and set the destination to not the local subnet.  Or if you want them to talk to each other, leave destination as any, but at that point I have to wonder why they're in VLANs.
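The "inbound pass rule on the VLAN interface with destination set to not the local subnet" advice above has one practical catch worth checking before you apply it: the firewall's own VLAN address (10.10.60.1 in the tcpdump posted earlier, where the resolver lives) is inside the local subnet, so a single "not local" rule also drops the VLAN's DNS queries to the firewall unless a narrower DNS rule is placed above it. The following is an added example, not code from the thread or from OPNsense: a small model of pf's rule evaluation (last match wins, except that a matching `quick` rule ends evaluation) run over a few constructed packets, once with only the internet-only rule and once with a DNS-to-firewall rule in front of it. The interface name `vlan60`, the `<local_nets>` table contents, the client address 10.10.60.50 and the test destinations are assumptions for illustration.

```python
"""Added example (not from the forum thread or OPNsense): model pf-style rule
evaluation to show why an "internet only" VLAN rule (destination != local
subnets) needs a companion rule for DNS to the firewall itself."""
import ipaddress

# Constructed stand-in for an OPNsense alias/pf table of local networks (assumed values).
TABLES = {
    "local_nets": [ipaddress.ip_network("10.10.10.0/24"),
                   ipaddress.ip_network("10.10.60.0/24")],
}


def _addr_match(spec, addr):
    """Match an address spec ('any', '<table>', CIDR/host, optionally '!'-negated) against addr."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("<") and spec.endswith(">"):
        hit = any(addr in net for net in TABLES[spec[1:-1]])
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def parse_rule(text):
    """Parse a subset of pf syntax: ACTION DIR [quick] [on IF] [proto P] [from A] [to [!] B] [port N]."""
    tok = text.split()
    rule = {"action": tok[0], "dir": tok[1], "quick": False, "iface": None,
            "proto": "any", "src": "any", "dst": "any", "dport": None}
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "quick":
            rule["quick"] = True
            i += 1
        elif t in ("on", "proto"):
            rule["iface" if t == "on" else "proto"] = tok[i + 1]
            i += 2
        elif t in ("from", "to"):
            key = "src" if t == "from" else "dst"
            if tok[i + 1] == "!":          # negation written with a space: "to ! <local_nets>"
                rule[key] = "!" + tok[i + 2]
                i += 3
            else:
                rule[key] = tok[i + 1]
                i += 2
        elif t == "port":
            rule["dport"] = int(tok[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {text!r}")
    return rule


def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick',
    which stops evaluation immediately.  With no match at all pf passes the packet,
    which is why the ruleset below starts with an explicit block."""
    verdict = "pass"
    for r in rules:
        if r["dir"] != pkt["dir"] or (r["iface"] and r["iface"] != pkt["iface"]):
            continue
        if r["proto"] != "any" and r["proto"] != pkt["proto"]:
            continue
        if not _addr_match(r["src"], pkt["src"]) or not _addr_match(r["dst"], pkt["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        verdict = r["action"]
        if r["quick"]:
            break
    return verdict


def ruleset(with_dns_rule):
    """Internet-only VLAN policy, optionally with the DNS-to-firewall rule placed above it."""
    rules = [
        "block in on vlan60 from any to any",                               # default deny (not quick)
        "pass in quick on vlan60 from 10.10.60.0/24 to ! <local_nets>",      # internet only
    ]
    if with_dns_rule:
        rules.insert(1, "pass in quick on vlan60 proto udp from 10.10.60.0/24 to 10.10.60.1 port 53")
    return [parse_rule(r) for r in rules]


def packet(proto, src, dst, dport):
    return {"dir": "in", "iface": "vlan60", "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "dport": dport}


# Constructed sample traffic entering the VLAN interface.
PACKETS = {
    "dns_to_firewall": packet("udp", "10.10.60.50", "10.10.60.1", 53),
    "https_to_internet": packet("tcp", "10.10.60.50", "203.0.113.10", 443),
    "smb_to_other_vlan": packet("tcp", "10.10.60.50", "10.10.10.5", 445),
}


def verdicts(with_dns_rule):
    rules = ruleset(with_dns_rule)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("internet-only rule alone:", verdicts(False))
    print("with DNS rule in front:  ", verdicts(True))
```

The run without the DNS rule reproduces the symptom to watch for: web traffic passes and the other VLAN stays unreachable, but the query to the firewall's resolver is blocked, and clients that use the firewall for DNS lose name resolution even though "the internet" is open. Putting the narrower DNS rule above the negated-destination rule (rule order matters because both are `quick`) restores it without widening the policy.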

Thanks for the responses.  I'm just going to move on from this.  I'm not having any problems since removing the rule and all seems to be working as expected at the moment.  The behavior just seemed odd to me.

I will also look into the other solutions for the UI access as well.