[solved] Confused with default ruleset

Started by abstan, January 03, 2020, 01:38:34 PM

January 03, 2020, 01:38:34 PM Last Edit: January 03, 2020, 07:50:05 PM by abstan
Hi, I am just getting started with OPNSense 19.7.8 with a very basic setup: ISP box <WAN> OPNSense <LAN> PC.

If I create "Allow all in IPV4"+"Allow all out IPV4" rules on both LAN and WAN interfaces, PC can't get past OPNSense (can't ping ISP box for instance). I can't see any deny in the logs.

When I look at the auto generated floating rules, I see two rules called "block all targeting port 0", but both have "port *" for source and destination. So it seems logical these rules drop all traffic, looks like a bug? Or is it just badly worded / bad display?

Now if I create a floating rule "Pass all IPV4 in any direction", PC has full connectivity (can access ISP box / internet / DNS works). But this is not what I want obviously, and I don't even understand how this workaround works since this rule comes after the auto-generated ones. So if the "block all targeting port 0" rules were the issue, this workaround should not work?

Any hint?


January 03, 2020, 05:57:09 PM #1 Last Edit: January 03, 2020, 05:58:57 PM by chemlud
No idea what this "port 0" floating rule does, but same here and no problem with traffic (IPv4) going back and forth... :-)

Do you have a private IP on WAN and forgot to disable "block private" on the interface, maybe?

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I do have a private IP on WAN (in the ISP box subnet), and "Block private networks" + "Block bogus networks" are unchecked on LAN and WAN interfaces.

On LAN I have "auto detect" as the IPv4 Upstream Gateway, and on WAN the ISP box private IP.

I suspect outbound NAT is not working correctly since I don't see blocked packets, but not sure what to do differently. I have the default auto created rule in outbound NAT.

Although it won't help for the moment: Delete all rules on your WAN interface, they are not needed and highly dangerous.

And while you are on it: Delete the allow any rule on "floating" also, same mess and not needed.

How about a screen shot for the NAT settings?

Anything else you configured?

I would reset to "start" or do a fresh install, that should work OOTB (after disabling the "block private" on WAN)...
kind regards
chemlud

Hello,

Firewall:rules : wan

ok

Firewall:rules:lan

modify        IPv4 *   LAN net   *   *   *   *   *   Default allow LAN to any rule

Firewall:rules:floating

delete the igb1 rule

Regards
Since 2017
X7SPA-HF, Intel(R) ATOM(TM) D525, 4 GB RAM, 120 GB, 2 LAN 24.1.2_1
APU4c, 4 GB RAM, 120 GB, 4 LAN 24.1.10_8
APU3a, 2 GB RAM, 60 GB, 3 LAN 24.1.2_1
APU2c, 2 GB RAM, 60 GB, 3 LAN 23.7.1_3
BIOS UP TO DATE (v4.19.0.1).

Removing the rules on WAN just solved the issue... It now works without the floating rule. I don't understand why adding these PASS rules would restrict more than no rule, but I guess if it works...

Thanks for the help!

Quote from: Darkopnsense on January 03, 2020, 07:28:04 PM
Hello,

Firewall:rules : wan

ok


No. DON'T ALLOW ANYTHING ON WAN (or floating). Except if you really know what you are doing. Or you can hook up your LAN directly to the internet and watch your machines get compromised within minutes with some bad luck (a Raspberry Pi with default password won't take longer than a few minutes before it's pwned).
kind regards
chemlud
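As an added example (not from the thread or from OPNsense), here is a small audit script for the patterns chemlud warns about: pass-from-any rules on WAN, a floating pass-any rule, and a private WAN address with "Block private networks" still enabled. The config.xml element names used in the constructed sample (filter/rule, source/any, floating, interfaces/wan/blockpriv) are assumptions based on how I understand the backup format; check them against a real export before relying on the script.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample resembling the original poster's setup: pass-from-any rules
# on WAN, a floating pass-any rule, and a private WAN address with blockpriv set.
# The element names follow the config.xml layout as I understand it (assumption).
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet><blockpriv>1</blockpriv></wan>
    <lan><ipaddr>10.0.0.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>wan</interface><direction>in</direction>
      <source><any>1</any></source><descr>Allow all in IPV4</descr></rule>
    <rule><type>pass</type><interface>wan</interface><direction>out</direction>
      <source><any>1</any></source><descr>Allow all out IPV4</descr></rule>
    <rule><type>pass</type><interface>lan</interface><direction>in</direction>
      <source><network>lan</network></source><descr>Default allow LAN to any rule</descr></rule>
    <rule><type>pass</type><floating>yes</floating><direction>any</direction>
      <source><any>1</any></source><descr>Pass all IPV4 in any direction</descr></rule>
  </filter>
</opnsense>"""


def audit_config(xml_text):
    """Return (severity, message) findings for the patterns discussed in the thread."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iterfind("./filter/rule"):
        # Only pass rules whose source is "any" are of interest here.
        if rule.findtext("type") != "pass" or rule.find("./source/any") is None:
            continue
        descr = rule.findtext("descr", "")
        direction = rule.findtext("direction", "in")
        if rule.findtext("floating") == "yes":
            findings.append(("high", f"floating pass-from-any rule '{descr}' ({direction})"))
        elif rule.findtext("interface") == "wan":
            findings.append(("high", f"pass-from-any rule '{descr}' on WAN ({direction})"))
    # chemlud's question: private WAN address with "Block private networks" still on.
    wan = root.find("./interfaces/wan")
    if wan is not None:
        addr = wan.findtext("ipaddr", "")
        try:
            is_private = ipaddress.ip_address(addr).is_private
        except ValueError:  # e.g. "dhcp" or "pppoe" rather than a literal address
            is_private = False
        if is_private and wan.findtext("blockpriv") == "1":
            findings.append(("medium", f"WAN address {addr} is private but blockpriv is "
                                       "enabled; RFC1918 sources entering WAN are blocked"))
    return findings
```

Feed audit_config the text of a config.xml backup; an empty list means none of the three patterns were found.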