Firewall rules not working

Started by Senjuu, March 08, 2019, 10:33:39 AM

March 08, 2019, 10:33:39 AM Last Edit: March 08, 2019, 10:58:04 AM by Senjuu
I recently switched to OPNsense.
I have now set up some firewall rules for LAN, but they are not working as intended.

My rules are in this order:

| Action | Protocol     | Source  | Port | Destination | Port | Gateway | Schedule | Description                 |
|--------|--------------|---------|------|-------------|------|---------|----------|-----------------------------|
| Pass   | IPv4 TCP/UDP | LAN net | *    | Ali         | 443  | *       |          | Allow Https of Ali          |
| Pass   | IPv4 TCP/UDP | LAN net | *    | Ali         | 80   | *       |          | Allow Http of DMZ           |
| Reject | IPv4 *       | LAN net | *    | DMZ net     | *    | *       |          | Deny everything else in DMZ |
| Pass   | IPv4 *       | LAN net | *    | *           | *    | *       |          | Allow Internet              |
| Pass   | IPv6 *       | LAN net | *    | *           | *    | *       |          | Allow Internet              |

"Ali" is a URI(IPs) alias pointing to an address within the DMZ, and DMZ is a third network interface.
With these rules I am able to surf the internet, but I cannot access the web server running on "Ali".
But when I disable the third rule, I am able to access the web server running on "Ali".

Now I am not understanding where I am going wrong.

Check Firewall --> Log Files --> Live View; if you want, set up a filter on your DNS address and connect again. Then you'll see whether OPNsense is blocking it or something else is wrong. Is the DMZ host actually using OPNsense as its gateway to get the traffic back?

March 08, 2019, 10:56:26 AM #2 Last Edit: March 08, 2019, 11:04:22 AM by Senjuu
Yes, it is sending the traffic back. As I stated, I can access it if I disable the reject rule.

When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.

Quote from: Senjuu on March 08, 2019, 10:56:26 AM
Yes, it is sending the traffic back. As I stated, I can access it if I disable the reject rule.

When the reject rule is active the label says "USER_RULE" and the interface is LAN.
When the reject rule is disabled the label says "let out anything from firewall host itself" and the interface is DMZ.

I just re-read your post, and I can't see where you state that the DMZ can actually send back. As a test, what happens if you replace the Ali alias with the actual IP? Please check Firewall --> Diagnostics --> pfTables and select the Ali alias. Check whether there are actually any hosts in there. Just to be sure, did you put IPs or FQDNs in the alias?

March 08, 2019, 11:36:16 AM #4 Last Edit: March 08, 2019, 11:39:24 AM by Senjuu
In the alias I put the IP. In the pfTables there was nothing in the "Ali" alias. After I added the correct IP in the pfTables, the rules are now working.

But what type should I select when adding an alias in Firewall => Alias, so that it is correctly added to the pfTables?


By coincidence I found out which type of alias I should have used.

I should have used "Host(s)" instead of "URI(IP)".
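The failure mode in this thread is worth seeing as a whole: because OPNsense user rules are evaluated top to bottom with the first match deciding (pf "quick" rules, the default in the rule editor), an alias that resolves to an empty pf table makes the two pass rules match nothing, so the reject rule on "DMZ net" catches the web-server traffic. The following is an added example written for this thread, not code from OPNsense or from any poster. It models that first-match evaluation over the rule set above with a toy alias table; the LAN/DMZ prefixes, the web-server address and the test client are constructed placeholders, and real pf matching (states, interfaces, reply-to) is deliberately left out.

```python
"""Toy first-match evaluation of the LAN rule set from the thread (added example).

Assumptions (not from the thread): rules are evaluated in order and the
first match wins, as OPNsense user rules do by default; the alias table
maps an alias name to the networks it currently resolves to, like pfTables.
All addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Union

LAN_NET = ip_network("10.10.0.0/24")        # constructed placeholder
DMZ_NET = ip_network("10.20.0.0/24")        # constructed placeholder
WEB_SERVER = ip_address("10.20.0.10")       # constructed host behind alias "Ali"
LAN_CLIENT = ip_address("10.10.0.5")        # constructed LAN client
INTERNET_HOST = ip_address("203.0.113.7")   # TEST-NET-3, stands in for "the internet"

Destination = Union[IPv4Network, str, None]  # network, alias name, or None for "any"
AliasTable = Dict[str, List[IPv4Network]]


@dataclass
class Rule:
    action: str                   # "pass" or "reject"
    protos: Optional[frozenset]   # e.g. {"tcp", "udp"}; None means any protocol
    src: IPv4Network
    dst: Destination
    dport: Optional[int]          # destination port; None means any
    description: str


# The five rules from the thread, in the order the poster listed them
# (the IPv6 rule is omitted because the toy only handles IPv4).
RULES = [
    Rule("pass", frozenset({"tcp", "udp"}), LAN_NET, "Ali", 443, "Allow Https of Ali"),
    Rule("pass", frozenset({"tcp", "udp"}), LAN_NET, "Ali", 80, "Allow Http of DMZ"),
    Rule("reject", None, LAN_NET, DMZ_NET, None, "Deny everything else in DMZ"),
    Rule("pass", None, LAN_NET, None, None, "Allow Internet"),
]

# What pfTables showed for the URI(IP) alias: the name exists but holds no hosts.
EMPTY_ALIAS: AliasTable = {"Ali": []}
# What a correctly populated Host(s) alias looks like.
HOST_ALIAS: AliasTable = {"Ali": [ip_network("10.20.0.10/32")]}


def resolve(dst: Destination, aliases: AliasTable) -> Optional[List[IPv4Network]]:
    """Networks a destination refers to; None means 'any'. An alias with no
    entries (or missing from the table) resolves to an empty list."""
    if dst is None:
        return None
    if isinstance(dst, str):
        return aliases.get(dst, [])
    return [dst]


def matches(rule: Rule, aliases: AliasTable, proto: str,
            src_ip: IPv4Address, dst_ip: IPv4Address, dport: int) -> bool:
    if rule.protos is not None and proto not in rule.protos:
        return False
    if src_ip not in rule.src:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    nets = resolve(rule.dst, aliases)
    if nets is None:
        return True
    # An empty alias makes this any() False: the rule can never match.
    return any(dst_ip in net for net in nets)


def evaluate(rules: List[Rule], aliases: AliasTable, proto: str,
             src_ip: IPv4Address, dst_ip: IPv4Address, dport: int):
    """First matching rule decides; fall through to pf's default deny."""
    for rule in rules:
        if matches(rule, aliases, proto, src_ip, dst_ip, dport):
            return rule.action, rule.description
    return "block", "default deny"


def lan_to_web(aliases: AliasTable, dport: int = 443):
    """LAN client connecting to the DMZ web server on the given port."""
    return evaluate(RULES, aliases, "tcp", LAN_CLIENT, WEB_SERVER, dport)


def lan_to_internet(aliases: AliasTable, dport: int = 443):
    return evaluate(RULES, aliases, "tcp", LAN_CLIENT, INTERNET_HOST, dport)


if __name__ == "__main__":
    print("empty alias, LAN -> web:443 :", lan_to_web(EMPTY_ALIAS))
    print("host alias,  LAN -> web:443 :", lan_to_web(HOST_ALIAS))
    print("host alias,  LAN -> web:22  :", lan_to_web(HOST_ALIAS, 22))
    print("either,      LAN -> internet:", lan_to_internet(EMPTY_ALIAS))
```

Run as a script it prints the decision for each case. With the empty alias the HTTPS connection falls through to "Deny everything else in DMZ", which is exactly the USER_RULE reject on LAN seen in the live log; with the populated Host(s) alias the first rule passes it, while non-web ports to the DMZ are still rejected and internet traffic is unaffected either way. The practical check this models is the one given in the thread: look at the alias in pfTables before trusting any rule that references it.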