Help with Firewall rules

Started by rogers_mws, June 02, 2024, 11:56:17 AM


L3 Switch -------------------- OPNsense -------------------- Internet
10.10.10.1 /24                    10.10.10.254                       DHCP

VLANS configured                10.10.10.1 Gateway
10.10.10.1                          10.10.10.0 Route
10.10.20.1                          10.10.20.0 Route
10.10.30.1                          10.10.30.0 Route


As per the diagram attached (it's a bit crap sorry) I have a L3 switch that all my VLANs are configured on, I use this to do all my routing in my home network. I use different VLANs to separate home and network devices.

The goal I want to achieve is to allow internet access to VLAN10 and VLAN20 (Private_networks alias) that is unrestricted and can get to any destination on the internet, but for specific hosts within VLAN30 I want to restrict which websites they can get to, for argument's sake www.microsoft.com.

VLAN 10 – management net
VLAN 20 – home net
VLAN 30 – server net
      10.10.30.10 – Host I want to restrict
      10.10.30.100 – Domain controller (part of the domain_controller alias)

L3 Switch is configured with all VLANs and is routing accordingly.
Default route set to the OPNsense (10.10.10.254)
NAT is set up for each network on the OPNsense
A gateway is configured on the OPNsense with the routes back to the L3 Switch (10.10.10.1)
Private_networks alias has 10.10.10.0/24 and 10.10.20.0/24 added as networks


I added the above firewall rules

1.   Allow anything to ping anything
2.   Allow domain controllers to access Cloudflare DNS (DNS forwarders configured)
3.   Allow 10.10.30.10 access to Microsoft website (by default should block everything else?)
4.   Allow all other Private_networks access to the internet

From the host 10.10.30.10, I can ping anything on the internet and do DNS lookups so I know that the first 2 rules are working, but access to www.microsoft.com doesn't work?
Can anyone point me in the right direction for what I'm doing wrong? Any help would be appreciated!
Thanks,

June 02, 2024, 09:24:48 PM #1 Last Edit: June 02, 2024, 09:26:42 PM by ThyOnlySandman
Quote from: rogers_mws on June 02, 2024, 11:56:17 AM
The goal I want to achieve is to allow internet access to VLAN10 and VLAN20 (Private_networks alias) that is unrestricted and can get to any destination on the internet, but for specific hosts within VLAN30 I want to restrict which websites they can get to, for argument's sake www.microsoft.com.

I don't use URL table aliases myself within opnsense as I have a transparent Fortigate firewall in front of opnsense that handles specific host domain rules, but with what you're aiming for here I believe this should work.

URL Tables (IPs)
A table of IP addresses that are fetched on regular intervals.

Create alias host groups of specific IPs in vlan 30.
Create URLs tables with domains.
Create LAN INT block rule referencing source host group + destination URL tables
Create LAN INT VLAN 30 rule below URL tables rule with destination any IP allow.

Zenarmor is also capable of web based / app filtering. I've set up different Zenarmor policies to capture an entire vlan subnet though and not specific IPs.

Thanks for your reply  :)

I have tried to do this, but it seems as though it's just ignoring the allow rule for some reason and blocks everything?

So I have a host alias with 10.0.30.10 and this has an allow rule to an alias url table with www.microsoft.com, and still no access just to that website.
It seems to only give me access to the internet using this format when I specify destination protocol as 'any'.

It's bizarre, or I'm just doing something wrong   ???

Well I probably misread - my steps mentioned the other way - block specific domains as first rule. Allow all domains remaining as second rule.
Sounds like you're going to need some rules above if you're using the URL rule as the only allow rule.

Likely DNS blocked.
Also can try adding a DNS + ICMP allow rules on top allowing source of an all vlans group.
I use unbound so my LAN INT DNS rule is source VLANs --> (this firewall).  Unbound TLS forward google DNS.

I don't have any experience with opnsense url tables.  If still no go after new DNS rules - I'd read how to validate url table alias has resolved IPs and populated table.
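Not from either poster: an added example that models the four rules from the original post as a first-match evaluation (OPNsense rules are "quick" by default, so the first matching rule decides). The alias contents, the DNS port and the addresses in the URL-table alias are constructed; the last function does the check the reply suggests, testing whether the addresses a name currently resolves to are actually present in the table, since a destination missing from the table never matches rule 3 and, because 10.10.30.0/24 is not in Private_networks, falls through to the default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed alias contents modelled on the thread; the URL-table entries are made up.
ALIASES = {
    "Private_networks": ["10.10.10.0/24", "10.10.20.0/24"],
    "domain_controllers": ["10.10.30.100"],
    "restricted_host": ["10.10.30.10"],
    "cloudflare_dns": ["1.1.1.1", "1.0.0.1"],
    "ms_web_table": ["20.70.246.20/32", "20.236.44.162/32"],  # constructed URL table
}

@dataclass
class Rule:
    name: str
    action: str            # "pass" or "block"
    proto: str             # "any", "icmp", "tcp", "udp"
    src: str               # alias name or "any"
    dst: str               # alias name or "any"
    dport: Optional[int] = None

# The four rules from the original post, in order.
RULES = [
    Rule("1 ping", "pass", "icmp", "any", "any"),
    Rule("2 dc dns", "pass", "udp", "domain_controllers", "cloudflare_dns", 53),
    Rule("3 ms web", "pass", "tcp", "restricted_host", "ms_web_table", 443),
    Rule("4 private out", "pass", "any", "Private_networks", "any"),
]

def in_alias(ip: str, alias: str) -> bool:
    """True if ip falls inside any host/network entry of the alias ("any" matches all)."""
    if alias == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ALIASES[alias])

def evaluate(src: str, dst: str, proto: str, dport: Optional[int] = None):
    """First match wins; no match falls to the implicit default deny."""
    for r in RULES:
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if in_alias(src, r.src) and in_alias(dst, r.dst):
            return r.action, r.name
    return "block", "default deny"

def table_gaps(alias: str, resolved_ips):
    """Resolved addresses the URL-table alias does not contain (empty or stale table)."""
    return [ip for ip in resolved_ips if not in_alias(ip, alias)]
```

Feed `table_gaps` the addresses from a current lookup of the hostname and compare them with the alias contents shown in Firewall > Diagnostics > Aliases; any gap means rule 3 cannot match that connection.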