Topic: LAN default deny rule - when there's an allow rule (Read 15509 times)

putt1ck (Newbie, Posts: 27, Karma: 0), on February 21, 2019, 08:23:33 am:
Scratching my head over this one. Newly installed firewall, after rules added to restrict outgoing LAN traffic to a few ports, denies everything outgoing on the default deny rule - and continues to do so when an allow all rule is added back in at the top. The only LAN rule that is "working as expected" is the anti-lockout rule. Rules added to the WAN interface work as expected.
What circumstances could result in this scenario? All input welcome!

CloudHoppingFlowerChild (Newbie, Posts: 28, Karma: 4), Reply #1 on February 21, 2019, 09:11:15 am:
Is there a rule to allow LAN subnet traffic to access services such as DNS from OPNsense or allow such queries to an external DNS server?
How is outbound NAT configured?
Is a gateway specified in the rule(s) that allow LAN subnet traffic through to the WAN?
Last Edit: February 21, 2019, 09:13:16 am by CloudHoppingFlowerChild

putt1ck (Newbie, Posts: 27, Karma: 0), Reply #2 on February 21, 2019, 10:45:56 am:
Thanks for your response.
DNS is being provided via the Unbound service and that works fine; oddly, as during testing the specific DNS rule was disabled, so presumably it's the allow all rule that is allowing DNS queries to the firewall; this suggests that the issue is with traffic through the firewall from LAN devices.
Outbound NAT is set to Automatic.
None of the LAN rules set a gateway; there are two gateways configured, one to route to an internal separate subnet and the default one to the ISP router. The only active LAN rules right now are IPv4 and IPv6 allow to any (as well as the built-in anti-lockout and of course Deny All!)

putt1ck (Newbie, Posts: 27, Karma: 0), Reply #3 on February 21, 2019, 11:35:00 am:
Additional info: if I modify the LAN "allow any" rule to be TCP only, the DNS queries are not allowed, and resume if I set it to TCP/UDP; so the issue must be in some sort of internal routing rule - traffic *to* the firewall on LAN interface is being managed by the "allow any" rule as expected, just traffic through that is being denied.

chemlud (Hero Member, Posts: 2481, Karma: 112), Reply #4 on February 21, 2019, 12:19:27 pm:
...reset to factory or start from scratch with a fresh install. Anything else looks like a complete waste of time... ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....

putt1ck (Newbie, Posts: 27, Karma: 0), Reply #5 on February 21, 2019, 07:18:02 pm:
<250-mile drive later...>
A factory reset sounds like an option, except I'll lose connection to the device, which is at the other end of a long drive (I have not left the site unconnected; it is using a spare IP for its WAN connection). What's the next best option?

CloudHoppingFlowerChild (Newbie, Posts: 28, Karma: 4), Reply #6 on February 21, 2019, 09:07:14 pm:
<internal frustration after having composed a post and now having to recompose after clicking the wrong button in my browser>
I would suggest setting a gateway in the LAN firewall rule(s) intended to permit traffic through the WAN connection.
I would also suggest careful review of the automatic outbound NAT rules. I remember making a pained and confused expression when I first looked at the automatically generated outbound NAT rules, right before I wiped them out and manually created my own outbound NAT rules.
Here is an example from my primary LAN subnet on my home router. Sorry for the small print, I had to zoom out to screenshot it all at once.
I have separate rules for IPv6 traffic and other stuff but this should give you a good starting reference for something that works.
Last Edit: February 22, 2019, 12:03:14 am by CloudHoppingFlowerChild

putt1ck (Newbie, Posts: 27, Karma: 0), Reply #7 on April 30, 2019, 04:38:33 pm:
A quick, somewhat delayed note to say thanks; adding the specific gateway resolved the issue.
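To make the resolution concrete, here is a hand-written pf ruleset fragment (OPNsense runs FreeBSD pf underneath) that contrasts a LAN "allow any" rule with and without a gateway, alongside automatic outbound NAT, an anti-lockout rule and the logged default deny. This is an added illustration, not the poster's configuration and not the ruleset OPNsense itself generates; the interface names, subnet and ISP router address are constructed placeholders.

```pf
# Constructed values for this illustration only (not from the thread)
lan_if  = "igb0"            # LAN interface
wan_if  = "igb1"            # WAN interface
lan_net = "192.168.1.0/24"  # LAN subnet
wan_gw  = "203.0.113.1"     # ISP router (default gateway on WAN)

# Automatic outbound NAT: rewrite LAN sources to the WAN address on egress
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# Anti-lockout: LAN hosts may always reach the firewall's own GUI/SSH
pass in quick on $lan_if inet proto tcp from $lan_net to ($lan_if) port { 22, 443 } keep state

# "Allow any" WITHOUT a gateway: the packet is accepted, then the kernel
# routing table decides where it goes next.
pass in quick on $lan_if inet from $lan_net to any keep state

# The same rule WITH a gateway set: pf policy-routes the packet straight to
# the ISP router on WAN (route-to), bypassing the routing table lookup.
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet from $lan_net to any keep state

# Default deny, logged so blocked LAN traffic shows up in the firewall log
block in log all
```

Two points a practitioner should check when reading this. First, "pass" rules only carry the `quick` keyword here; the trailing `block in log all` is what produces the "default deny" log entries, so a LAN packet logged as denied means no earlier `pass ... quick` rule matched it. Second, `route-to` makes the rule's forwarding decision independent of the routing table, so with a second internal subnet (as in this thread) a rule for that subnet must sit above the gateway-bound "allow any" rule, or that traffic will be handed to the ISP router instead.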