Newbie Questions About Firewall Rules

[OzTechGeek]

Hi All

I’m new to OPNsense coming from Ubiquiti EdgeRouter and wanted to test out OPNsense (Virtualized), I have everything installed (20.1) and setup with the basic configuration, now I want to re-create the firewall rules I have on my EdgeRouter in OPNsense and have some questions, and am looking for some guidance/advice if possible.

Some background, this is for my home network, I live in a rural area so internet access it limited and I’m using a hotspot, so with this configuration I have strict rules on my EdgeRouter:

1. Block everything from the LAN/VLANS to the WAN (Internet)
2. Then I selectively allow specific devices and ports to the WAN based on Host Groups and Port Groups,         

So I re-created all my Hosts, Network and Port Aliases that I have on my EdgeRouter in OPNsense (BTW what a PITA that there is no shell command interface for creating these, took me a while doing it via the GUI as I have a lot )

After much reading (still reading) I have come to the conclusion that how EdgeRouter and OPNsense do firewall rules is a lot different, so I have to start from scratch, the thing the continues to confuse me is the “Floating” rule but after some more reading at this point I’m going to call the “Floating Rules” - “Global Rules”, i.e. Rules you can apply to multiple interfaces/groups/vlans at once.

That all been said, I tried to create my first 2 rules and wanted to do a sanity check to make sure what I’m understanding/doing is correct.

1. Block outgoing DNS requests from any internal interface going to the internet
2. Allow outgoing DNS requests from any internal interface going to my internal DNS server (AD)
3. Allow my internal DNS server (AD) to send DNS requests to specific internet DNS hosts (Currently Google DNS)
4. Redirect requests from any interface for DNS to my internal DNS server only

I think I have #1, #2 and #3 created correctly not sure how to do #4 (on EdgeRouter it’s done via a DNAT)

I created a “Group” for my LAN, and 5 test VLANS (VLAN10, VLAN20, VLAN30, VLAN40 and VLAN50) and put them in an interface group called “ALL_LAN”

Created “Aliases”
Hosts: H_Internal_DNS (IP of AD server)
Hosts: H_External_DNS (IP of Google DNS Servers)
Ports: P_DNS (53)

“Floating Rule”

Code: [Select]

1. Allow AD DNS to Internet:
Action Interface Direction Protocol Source Destination DPort
Pass ALL_LAN Out TCP/UDP H_Internal_DNS H_External_DNS P_DNS

2. Allow Any Internal Device/Network to AD DNS
Action Interface Direction Protocol Source Destination DPort
Pass ALL_LAN In TCP/UDP Any H_Internal_DNS P_DNS

3. Block Any Internal Device/Network from Internet DNS
Action Interface Direction Protocol Source Destination DPort
Block ALL_LAN In TCP/UDP Any Any P_DNS

I'm not not sure how I would create the rule/NAT for redirecting any DNS requests from “ALL_LAN” to my Internal AD DNS

I also have another rule same as above but for NTP, and have the same issue

Is using “Floating” rules the correct place to create these types of rules, where I want to rule to apply to all interfaces, or should I use the “ALL_LAN” interface for these types of rules instead

I read that “Floating” rules have priority 1, then Group Interfaces have priority 2, then last is the actual interfaces themselves, is this correct?

Also am I correct in what I read that you can apply both IN and OUT rules on the interfaces itself and that is no longer is the interface an IN only rule?

I also have a question about my normal firewall rules, but will wait for a response to this question before adding another question to the list

Thanks for any help or time you all can offer.

[OzTechGeek]

For those interested I think I have figured out all 4 of the below . #4 was figured out using this post https://forum.opnsense.org/index.php?topic=9245.0

1. Block outgoing DNS requests from any internal interface going to the internet
2. Allow outgoing DNS requests from any internal interface going to my internal DNS server (AD)
3. Allow my internal DNS server (AD) to send DNS requests to specific internet DNS hosts (Currently Google DNS)
4. Redirect requests from any interface for DNS to my internal DNS server only

Since the NAT created a linked rule under the "ALL_LAN" group I decided to move my rules from "Floating" to the "ALL_LAN" group instead to keep everything together, the only rule I currently have in "Floating" is my "Block All IPv6" rule.

ALL_LAN Rule:

Code: [Select]

1. Allow AD DNS to Internet:
Action Interface Direction Protocol Source Destination DPort
Pass ALL_LAN Out TCP/UDP H_Internal_DNS H_External_DNS P_DNS

2. Linked rule created via the NAT
Action Interface Direction Protocol Source Destination DPort
Pass ALL_LAN In TCP/UDP Any H_Internal_DNS P_DNS

3. Block Any Internal Device/Network from Internet DNS (just in case)
Action Interface Direction Protocol Source Destination DPort
Block ALL_LAN In TCP/UDP Any Any P_DNS

Floating Rule:

Code: [Select]

Block All IPv6:
Action Interface Direction TCP/IP Protocol Source SPort Destination DPort
Block ALL_LAN, WAN Any IPv6 Any Any Any Any Any


1. Block everything from the LAN/VLANS to the WAN (Internet)
2. Then I selectively allow specific devices and ports to the WAN based on Host Groups and Port Groups,         

I also created the following rules in each LAN/VLAN interface to by default block all traffic to the Internet

Code: [Select]

Action Interface Direction TCP/IP Protocol Source Destination DPort
Pass <Interface> in IPv4 Any <interface> net <interface> address Any
Block <Interface> In IPv4 Any <interface> net N_Private_Networks Any
Block <Interface> In IPv4 Any <interface> net Any Any

This system is not live yet so this is all theory right now I'm hoping to put the OPNsense firewall in production over the weekend , if I get approval from the family

Thoughts/Comments/Suggestions are welcome. Thanks