Creating a Whitelist using Firewall Aliases and Rules for Zscaler Client Connect

Started by instantdreams, October 06, 2025, 06:21:06 PM

I have installed OPNsense 25.7.4-amd64 to replace a NetGear Orbi RBR850.

On my home network I occasionally use a work laptop that uses the Zscaler Client Connector to create a secure tunnel to my work. Zscaler provide a Cloud Enforcement Node Ranges page that lists all URLs in CIDR format for inclusion into an allow list. I have previously included this whitelist in Crowdsec to allow access to my services from my work laptop.

After installing opnsense I noticed the default deny / state violation rule was being triggered when I enabled the Zscaler tunnel on my work laptop. I created a Firewall Alias with the following details:

1. Enabled: checked
2. Name: zscaler_ranges
3. Type: Network(s)
4. Categories: blank
5. Content: CIDRs from Cloud Enforcement Node Ranges
6. Statistics: unchecked
7. Description: Whitelist events from zscaler aggregate ip address ranges

I saved and validated this alias and then created a Firewall Rule under my WAN interface:

1. Action: pass
2. Disabled: unchecked
3. Quick: checked
4. Interface: WAN
5. Direction: in
6. TCP/IP Version: IPv4+IPv6
7. Protocol: any
8. Source / Invert: unchecked
9. Source: zscaler_ranges
10. Destination / Invert: unchecked
11. Destination: any
12. Description: allow zscaler traffic

I saved and applied this rule.

When I check Firewall : Log Files : Live View I can still see many entries being denied, and the alias reports the following:

name            loaded  matched  in block packet  in pass packet
zscaler_ranges  49      156      0                836

Is there anything I am missing with this configuration?

I changed the Firewall Rules from WAN to Floating and the matched and pass values in the alias have gone up but some network issues still exist:

name            loaded  matched  block  pass
zscaler_ranges  49      334      0      1826

I expect I am missing something obvious here, being a newbie with opnsense.

Isn't your laptop the one initiating the traffic OUT from your LAN? In which case you would want the rule on the interface LAN, direction IN.
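To make the interface/direction point concrete, here is a small added simulation (written for this thread, not from either poster and not OPNsense code) of how a rule with a source or destination alias is evaluated against a packet seen on a given interface and direction. The two CIDRs and all addresses are constructed placeholders (RFC 5737 TEST-NET) standing in for the real alias contents, and state tracking is deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder ranges standing in for the Cloud Enforcement Node CIDRs
ZSCALER_RANGES = tuple(ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25"))
ANY = None  # "any" in the rule editor


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on: "lan" or "wan"
    direction: str   # "in" = entering the firewall on that interface
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    name: str
    iface: Optional[str]     # None = floating rule (matches any interface)
    direction: str
    src: Optional[tuple]     # alias networks, or ANY
    dst: Optional[tuple]


def in_alias(ip: str, alias: Optional[tuple]) -> bool:
    # ANY matches everything; otherwise the address must fall inside one CIDR of the alias
    return alias is ANY or any(ipaddress.ip_address(ip) in net for net in alias)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and rule.direction == pkt.direction
            and in_alias(pkt.src, rule.src) and in_alias(pkt.dst, rule.dst))


def first_match(rules, pkt: Packet) -> str:
    """Name of the first (quick) rule matching pkt, or 'no match' if none of them does."""
    return next((r.name for r in rules if rule_matches(r, pkt)), "no match")


LAPTOP, WAN_IP, ZS_NODE = "192.168.1.50", "192.0.2.1", "203.0.113.10"  # constructed addresses
# The laptop opening the tunnel is seen on LAN, direction in, with a Zscaler node as DESTINATION;
# a packet arriving from a Zscaler node is seen on WAN, direction in, with that node as SOURCE.
OUTBOUND = Packet("lan", "in", LAPTOP, ZS_NODE)
INBOUND = Packet("wan", "in", ZS_NODE, WAN_IP)

WAN_RULE = Rule("wan in src=zscaler", "wan", "in", ZSCALER_RANGES, ANY)        # the first rule above
FLOATING_RULE = Rule("floating in src=zscaler", None, "in", ZSCALER_RANGES, ANY)
LAN_RULE = Rule("lan in dst=zscaler", "lan", "in", ANY, ZSCALER_RANGES)        # the reply's suggestion
```

Running `first_match` over the two packets shows that a source-keyed WAN or floating rule only ever matches packets coming from the Zscaler ranges, while the laptop's own outbound packets are matched by a LAN-in rule keyed on destination.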