Block all traffic from alias (IP range)

Started by s3b0, October 03, 2025, 11:45:04 AM

Hi,

I'm trying to block all traffic from an IP range (via alias) but nothing is working. I didn't have this problem on my previous firewall, but with OPNsense I can't make it work; maybe I'm missing something.

IP range to block is 192.168.2.50-192.168.2.59 (alias: Cameras, alias type: Hosts)
[screenshot attachment]

Out of desperation I made redundant rules on the WAN and LAN interfaces:
[screenshot attachment]
[screenshot attachment]

But, even after resetting states, OPNsense shows me
[screenshot attachment]

and one of my crap cams is still connected to its cloud.

What am I doing wrong?


The cameras are connected to LAN, right? To block traffic from the cameras to the Internet the rule needs to be:

Action: block
Interface: LAN
Direction: in
Source: cameras
Destination: any

The packets from the cameras are coming IN through the LAN interface when you picture a little daemon sitting inside the firewall watching the traffic.

That's explained in the documentation:

https://docs.opnsense.org/manual/firewall.html#direction

You practically never use "out" rules.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
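The same rule written out as a pf.conf fragment, as an added illustration of the direction point above (this is not config generated by OPNsense). Assumptions: the LAN interface is igc1, and the Cameras alias is loaded as a pf table; since .50-.59 is not one CIDR block, it is written as three blocks that cover exactly that range.

```pf
# Added example, not OPNsense-generated config.
# Assumption: LAN is igc1; the "Cameras" Hosts alias 192.168.2.50-192.168.2.59
# becomes a pf table, expanded here by hand into three CIDR blocks
# (.50-.51, .52-.55, .56-.59).
lan_if = "igc1"
table <Cameras> const { 192.168.2.50/31, 192.168.2.52/30, 192.168.2.56/30 }

# WRONG direction: "out" on LAN matches packets leaving the firewall
# towards the LAN, i.e. traffic *to* the cameras. A packet with a camera
# as its source never leaves via LAN, so this rule never fires and the
# cameras keep reaching their cloud:
#   block out quick on $lan_if from <Cameras> to any

# Correct: the cameras' packets enter the firewall on the LAN interface.
# "quick" stops evaluation here so a later pass rule cannot override it;
# "log" writes the hits to pflog so the block shows up in the live log.
block in log quick on $lan_if inet from <Cameras> to any

# A rule reload does not tear down states that were already open.
# Clear them per camera address so existing cloud sessions drop too:
#   pfctl -k 192.168.2.50
```

With the block rule in place no state is created for new camera connections, so nothing further is needed for the return direction.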

Thx - fixed thanks to you.

So I should think of the directions differently: "in" is from my net (into the internet) and "out" is to my net (from the internet)?

Like this:
Internet -> Out rule of Wan -> Out rule of LAN -> LAN
Internet <- In rule of Wan <- In rule of LAN <- LAN
or like this:
Internet -> In rule of Wan -> Out rule of LAN -> LAN
Internet <- Out rule of Wan <- In rule of LAN <- LAN

??

Not exactly. The direction is from the interface's point of view. It is explained in the documentation.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on October 03, 2025, 05:04:23 PM
Not exactly. The direction is from the interface's point of view. It is explained in the documentation.

To elaborate on that: as I wrote, picture a little BSD daemon [1] sitting inside your firewall. When a client on LAN initiates a connection to "the Internet", the first packet the daemon sees is coming in from the LAN interface.

If you want to publish an internal server to be accessible from the Internet, the first packet is coming in from an arbitrary system on the Internet to the WAN interface.

You really need to picture packets and the interfaces they pass through.

[1] https://en.wikipedia.org/wiki/BSD_Daemon
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)