OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • 24.1 Legacy Series »
  • Floating Rule Interface Invert
« previous next »
  • Print
Pages: [1]

Author Topic: Floating Rule Interface Invert  (Read 411 times)

gareththered

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Floating Rule Interface Invert
« on: April 23, 2024, 10:49:59 pm »
I'm trying to allow DNS queries to my router, but not from the WAN interface.

To do this I've created a floating rule which allows TCP & UDP port 53 in.  However, this also allows it on the WAN interface, which I don't want.

I therefore added the WAN interface to the rule's 'Interface' field and selected 'Invert'.  This blocked DNS on all interfaces, not just the WAN.

While I've worked around this by reverting to all interfaces and setting the 'Source' to an alias consisting of local networks, I'd like to know why this doesn't work by inverting the interface.

Below is an extract from rules.debug which I've grepped on the interface (re0) and edited to remove the NAT entries:
Code: [Select]
# block in log quick on re0 inet from {<bogons>} to {any} label "a785cde4d07ef9d5492b2752d6f3674c" # Block bogon IPv4 networks from ONT
# block in log quick on re0 inet6 from {<bogonsv6>} to {any} label "1abb3c3b8584670c042452464f78d963" # Block bogon IPv6 networks from ONT
# block in log quick on re0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "b6e046ea0da3e8b5479bb57aa34db5b1" # Block private networks from ONT
# block in log quick on re0 inet6 from {fc00::/7} to {any} label "fb42f48e27b4fd4647cd998434aea4d7" # Block private networks from ONT
pass out route-to ( re0 <next hop>) from {(re0)} to {!(re0:network)} keep state allow-opts label "f6dc4c3fe096989ac6d4a2c85cd16c64" # let out anything from firewall host itself (force gw)
pass in quick on  ! re0 reply-to ( re0 <next hop> ) inet proto {tcp udp} from {any} to {(self)} port {53} keep state label "f7314d8b59355b1c287b12cb88a291bd" # Allow incoming local DNS queries

As you can see, there are no block rules before it hits my DNS rule (the last one listed above).  Does anyone have any ideas why this fails?

Thanks.
« Last Edit: April 24, 2024, 08:36:12 am by gareththered »
Logged

gareththered

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
[solved]: Floating Rule Interface Invert
« Reply #1 on: April 24, 2024, 10:36:58 am »
I've just figured this out, thanks to a post by @davidsenk, which pointed me to https://forum.opnsense.org/index.php?topic=15900 which discusses reply-to within rules.

In OpnSense's GUI I edited the rule and expanded the Advanced Features section. Within this section is the reply-to menu, which I set to disable.

After saving the rule and reloading the firewall, everything seems to be working.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • 24.1 Legacy Series »
  • Floating Rule Interface Invert
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2