Topic: Filter Rules by controlling output interface (Read 3404 times)
Lejaune, on: March 31, 2019, 10:40:46 am
Hi all,
I'm searching for a solution on OPNsense to filter traffic by controlling the physical output interface.
My platform for test:
From my LAN_1, I want to ping ANY on the WAN, but I don't want to ping LAN_2.
I can do this with 2 rules on OPNsense:
Drop ICMP from LAN_1 to LAN_2
Authorize ICMP from LAN_1 to ANY
But I'm searching for a solution with only 1 rule.
For example, if I use Debian with forwarding, I can use iptables to do this with only one rule:
iptables -A FORWARD -p ICMP -i ens34 -o ens32 -s 192.168.10.0/24 -j ACCEPT
With this rule, I can control the physical outside interface where the traffic is redirected (the option in orange).
Thank you
Lejaune
franco, Reply #1 on: March 31, 2019, 12:43:57 pm
I'm almost sure it's not possible to check both incoming and outgoing interface to make a rule-based decision.
There is tagging support and you can filter in and out in two rules, but I think you need the "match" feature for this, which doesn't exist in FreeBSD pf(4).
Cheers,
Franco
mitsos, Reply #2 on: March 31, 2019, 11:40:44 pm
Rule on LAN1: Source LAN1 subnet
Destination: tick (=not) + the LAN2 subnet
That means ICMP packets destined for anything other than LAN2 get accepted. Adjust to the protocols/ports you want to filter.
franco, Reply #3 on: April 01, 2019, 09:03:54 am
True, you can filter by subnets, but it's not a 100% substitute for filtering incoming and outgoing devices. At least the expectations need to be managed.
Cheers,
Franco
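Added example, not part of the thread or of OPNsense: a small Python model of why the negated-destination subnet rule from Reply #2 and the in/out-interface iptables rule from the first post can give different verdicts. Only 192.168.10.0/24, ens34 and ens32 come from the thread; the LAN_2 subnet, the interface name ens35 and the routed 10.50.0.0/16 network are constructed assumptions.

```python
import ipaddress

# Constructed topology. 192.168.10.0/24, ens34 and ens32 are from the first post;
# LAN_2's subnet, ens35 and the routed 10.50.0.0/16 network are assumptions.
LAN1 = ipaddress.ip_network("192.168.10.0/24")
LAN2 = ipaddress.ip_network("192.168.20.0/24")
ROUTES = [  # (destination prefix, output interface)
    (ipaddress.ip_network("0.0.0.0/0"), "ens32"),     # default route via WAN
    (LAN1, "ens34"),                                  # LAN_1, directly connected
    (LAN2, "ens35"),                                  # LAN_2, directly connected
    (ipaddress.ip_network("10.50.0.0/16"), "ens35"),  # network behind a router on LAN_2
]

def out_iface(dst):
    """Pick the output interface by longest-prefix match on the routing table."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def interface_rule(in_if, src, dst):
    """-A FORWARD -p ICMP -i ens34 -o ens32 -s 192.168.10.0/24 -j ACCEPT
    True means the packet matches ACCEPT; anything else is assumed dropped."""
    return (in_if == "ens34" and out_iface(dst) == "ens32"
            and ipaddress.ip_address(src) in LAN1)

def subnet_rule(in_if, src, dst):
    """Rule on LAN1: source is the LAN1 subnet, destination is NOT the LAN2 subnet."""
    return (in_if == "ens34" and ipaddress.ip_address(src) in LAN1
            and ipaddress.ip_address(dst) not in LAN2)

def compare(packets):
    """Return (dst, output interface, interface verdict, subnet verdict) per packet."""
    return [(dst, out_iface(dst), interface_rule(i, s, dst), subnet_rule(i, s, dst))
            for i, s, dst in packets]

# Constructed ICMP packets arriving on LAN_1: (input interface, source, destination).
PACKETS = [
    ("ens34", "192.168.10.5", "198.51.100.7"),  # host reached via WAN
    ("ens34", "192.168.10.5", "192.168.20.9"),  # host on LAN_2
    ("ens34", "192.168.10.5", "10.50.1.1"),     # not in LAN_2's subnet, but routed out ens35
]

if __name__ == "__main__":
    for dst, ifc, by_if, by_net in compare(PACKETS):
        note = "  <-- rules disagree" if by_if != by_net else ""
        print(f"{dst:15} out={ifc:6} interface_rule={by_if!s:5} subnet_rule={by_net!s:5}{note}")
```

The third packet is the case to check for when replacing an interface match with a subnet match: every prefix routed out of the interface has to appear in the negated destination, not only the directly connected subnet.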
Lejaune, Reply #4 on: April 05, 2019, 04:15:51 pm
Thanks for the answer!