Block all but allow WAN/internet access

[gladston3]

Hi,

I have multiple LAN/opt ports and would like to keep them isolated from each other but allow WAN/internet access on all of them. So my plan was to create a block all rule for each LAN/opt port and put a rule above which allows the WAN/internet traffic. Unfortunately I was unable to create such a rule. It didn't matter what I tried I wasn't able to access the internet. Can anyone please guide me or give me a hint how to do that?

I know that I could make a allow all rule and put the block rules for each subnet above that, but that becomes quite unhandy when you have multiple ports/networks. So I want to avoid that approach.

Thank you very much in advance
Cheers
-gladston3

[JasMan]

Hey gladston3,

There's no need for an "block all" rule to block traffic between the LAN ports. The default blocking rule of the firewall will block the traffic between your different subnets if is not explicit allowed by an rule.

To access the Internet you need to configure NAT for each subnet first.

Then you will need some allow rules for each service and subnet you would like to allow.
You can use floating rule to create one rule e.g. for HTTP(S) to WAN for all your LAN interfaces.
Choose the WAN gateway to allow this traffic only for WAN. Otherwise it will also allow HTTP(S) between your subnets.

Don't forget to allow also DNS for the clients. If your OPNsense is your DNS server, allow DNS to the firewall. Otherwise allow DNS to the Internet or only to one server e.g. 8.8.8.8.

Jas
 

[gladston3]

Hi, thanks for your answer!

Hey gladston3,

There's no need for an "block all" rule to block traffic between the LAN ports. The default blocking rule of the firewall will block the traffic between your different subnets if is not explicit allowed by an rule.

okay, understood.

To access the Internet you need to configure NAT for each subnet first.

Do you mean outbound NAT rules? Those are set automatically in the default settings, aren't they?

Then you will need some allow rules for each service and subnet you would like to allow.
You can use floating rule to create one rule e.g. for HTTP(S) to WAN for all your LAN interfaces.
Choose the WAN gateway to allow this traffic only for WAN. Otherwise it will also allow HTTP(S) between your subnets.

That's where I am struggeling. What do I have to put at "destination" so WAN traffic is allowed? The only option with which I got it working was "any" and that's definitely not what I want. Can you maybe show me a sample rule for HTTPS or any other service?

Thanks once again
Cheers
-gladston3
 

[JasMan]

Do you mean outbound NAT rules? Those are set automatically in the default settings, aren't they?

Yes, you're right. In standard OPNsense generate those rules by itself. I missed this point because I've set it to "manual" to have full control over the settings. But I'm not sure how the standard NAT is working. I mean, how recognize the OPNsense which adatper is WAN and which LAN and where he has to do NAT? Maybe you should check if OPNsense has created the necessary rules.

That's where I am struggeling. What do I have to put at "destination" so WAN traffic is allowed? The only option with which I got it working was "any" and that's definitely not what I want. Can you maybe show me a sample rule for HTTPS or any other service?

There's no firewall object for Internet hosts. But you can create an alias with all privat networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), add it as destination in your rule and invert it. That's how I did it. Works fine.

[gladston3]

There's no firewall object for Internet hosts. But you can create an alias with all privat networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), add it as destination in your rule and invert it. That's how I did it. Works fine.

Ahh, that's what I was looking for. Brilliant idea which I would have never figured out by myself since it's a little bit complicated/counterintuitive imho.

Nevertheless, thanks a lot! That did the trick

Cheers
-gladston3