Firewall Rules not working?

[vanderflanken]

Good day everyone,
I freshly implemented OPNsense into my home network. Its running behind a Fritzbox 7590 and in front of several switches and LEDE Routers in switch/AP mode.
I'll give you a small drawing to visualize my setup:
https://ibb.co/XtXHSzT
I'm not the best when it comes to Visio, sorry.
On Fritzbox, I setup the OPNsense-box as exposed host as well I disabled all firewall features on the LEDE devices to not interfere with the OPNsense firewall.

So, on OPNsense I created some Aliases (lets have the example with Client 1, 172.16.16.23 and Client X, 172.16.16.122).
https://ibb.co/vYt761g - alias client 1
https://ibb.co/r4J2cGH - alias client 2
For example, on LAN interface, I don't want Client 1 to be able to connect to Client X.
Therefore, I created the following rule on LAN interface:
https://ibb.co/x620WV9

On client 2, I have a webserver running. So to my understanding, with this rule applied, I shouldnt be able to open the web application running on client 2 from client 1 via https. But in fact, I do.

So I wanted to check whats going on in Live View when spamming pings from c1 to c2: Pings are going through (which they shouldn't, I think) and live log actually shows nothing related to client 2 at all.
https://ibb.co/Q9kk9P5 -ping
https://ibb.co/fHb1LQ6 -live view
Hence, I think I have some major mistake in my setup, but right now I'm clueless as I'm quite new into the whole networking thing - still learning and thankful for any advices.

For any help I would be very grateful! Thanks!

[tong2x]

you may want to
check if the rules have been applied (no "apply" button in upper right)
check the "automatically generated rules, you have 9, maybe 1 is in conflict
is it safe to assume you have set IP as source 172.16.16.23/32 and destination 172.16.16.122/32

screen shot of the actual rule setting would be nice.

[hbc]

Are you running a transparent proxy? Then the webserver won't be accessed directly and your rule is not triggered, instead your proxy connects to your webserver.

In This case you would have to deny your webserver in proxy ACLs.

[vanderflanken]

Hey you two, thanks for your replies.

you may want to
check if the rules have been applied (no "apply" button in upper right)
check the "automatically generated rules, you have 9, maybe 1 is in conflict
is it safe to assume you have set IP as source 172.16.16.23/32 and destination 172.16.16.122/32
screen shot of the actual rule setting would be nice.

-Yep, the rules have been applied.
-I don't think any of the automatic rules should be conflict (screenshot attached). I can't delete/modify them anyway, can I?
- Subnet is /24, but yes. I also tried the rule(s) with IPs (172.16.16.23/24, 172.16.16.122/24) instead of aliases, didn't change nothing.

Screenshot: Firewall Rules: LAN
Screenshot of the actual rule

I also tried putting the OPNsense on LAN-side between the first switch and the LEDE router (172.16.16.17), but also no success.

Are you running a transparent proxy? Then the webserver won't be accessed directly and your rule is not triggered, instead your proxy connects to your webserver.

In This case you would have to deny your webserver in proxy ACLs.

Nope, not running a proxy of any kind - at least not that I know, unless the LEDE routers are doing this. But I thoroughly looked through the settings of these and didn't find anything like that.


Side note: I tried out some rules on WAN interface e.g. blocking Youtube and it worked for all clients. So it looks like rules are only not working on LAN interface for some reason.

[tong2x]

could you try set IP as source 172.16.16.23/32 and destination 172.16.16.122/32 in the your firewall rules for both
and try connecting if they could still see each other...

that does not answer why /24 was not blocked. but just to see if specifically setting the IP will not also.

you cold try to press "inspect", upper right and see if your rules is even being evaluated...

btw your opnsense server is 172.16.16.16, that is your local gateway? meaning opnsense is that one giving out LAN ip address (172.16.16.0/24)?

[vanderflanken]

could you try set IP as source 172.16.16.23/32 and destination 172.16.16.122/32 in the your firewall rules for both
and try connecting if they could still see each other...

that does not answer why /24 was not blocked. but just to see if specifically setting the IP will not also.

you cold try to press "inspect", upper right and see if your rules is even being evaluated...

btw your opnsense server is 172.16.16.16, that is your local gateway? meaning opnsense is that one giving out LAN ip address (172.16.16.0/24)?

set source and destination to /32, they can still connect. When I press Inspect, I have around 300 evaluations for that rule after ~2 minutes. When I checked earlier for the rule with subnet /24, the rule had around 7000 evaluations - not sure what that means, tho.

And yes, opnsense is 17.16.16.16/24, with dhcp4server running on the LAN interface - the clients in question have static IPs tho.

[tong2x]

by using /24 your actually blocking your whole subnet
that why it has alot of evaluations
but does not answer why the connections are not being blocked...

have you set each client machine to have the gateway of 172.16.16.16?
if they dont have a "gateway" it is possible that they are connecting "locally" via there static IPs

[vanderflanken]

by using /24 your actually blocking your whole subnet
that why it has alot of evaluations
but does not answer why the connections are not being blocked...

have you set each client machine to have the gateway of 172.16.16.16?
if they dont have a "gateway" it is possible that they are connecting "locally" via there static IPs

Yes, I specified all clients with static ip's in the same way:
Address: 172.16.16.xx/24, Gateway: 172.16.16.16, DNS: 172.16.16.

I noticed something interesting: Earlier this morning I updated OPNsense and eversince then my rule is popping up all the timein live view:



I got several question marks about this: Why is the rule triggered the whole time, why is destination=172.16.16.16 and most of all why is it triggered when the destination of the packet doesnt match the destination ip address specified in the rule?
I get more and more lost about this.. 

[tong2x]

port 53 is for dns request
it is allowed in automatic rules

try this, create a rule
sourceip 172.16.16.23/32
port any

destinationip any
port any

check if 172.16.16.23 will have zero access to internet and any local machine