OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • No option to setup rule for LAN > WAN
« previous next »
  • Print
Pages: [1]

Author Topic: No option to setup rule for LAN > WAN  (Read 1703 times)

tomclewes

  • Newbie
  • *
  • Posts: 12
  • Karma: 0
    • View Profile
No option to setup rule for LAN > WAN
« on: March 24, 2020, 09:06:46 pm »
Setup:
1. Virtualised OPNsense  router
2. Version = 20.1.3-i386
3. Sat behind a router so has a private IP for it's WAN address

Either i'm being absolutely blind or firewall creation is not as intuitive as it could be.

I have a virtualised OPNsense router for my lab at home which is sat behind my ISP router. The ISP router does the routing to the WWW and the OPNsense router has a private IP for it's WAN address.

Clients are able to access the internet when I set the destination as '*' - e.g. on LAN interface. Obviously this also grants 'Any' access to other vlans / interfaces I have setup.

Looking online I see various conflicting advice with most people advising to just use '*' which is wrong and shocking that people think that this is the answer.

Initial thoughts was to use the WAN Net or WAN Address alias's but from looking online this only permits to either the WAN address of the OPNsense or the WAN Network (e.g. WAN Network subnet).

On pretty much all other firewalls, you would create a LAN > WAN > HTTPS > ANY (From Zone > To Zone > Service > Destination) rule. Unfortunately this logic does not seem to apply on OPNsense.

As a temporary measure I have put the (*) rule in place to grant internet access but I would like this locked down.

I have tried playing with the direction setting on both the LAN and the WAN interface firewall rules but can not get the correct behaviour.

I have looked across various forums but have not had much luck but have found that people have done the following:

Create an alias of private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), set that alias as the destination in the firewall then invert the destination

The above seems clunky and is surely not the solution that the developers intended for us to use.

Does anyone know what the 'best practice' rule should look like to permit  LAN > WAN > HTTPS > ANY (From Zone > To Zone > Service > Destination) without giving access to everything else with the dreaded (*)

Thank you in advance  :D
Logged

johnsmi

  • Jr. Member
  • **
  • Posts: 60
  • Karma: 9
    • View Profile
Re: No option to setup rule for LAN > WAN
« Reply #1 on: March 24, 2020, 09:51:46 pm »
Quote from: tomclewes on March 24, 2020, 09:06:46 pm
Create an alias of private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), set that alias as the destination in the firewall then invert the destination

The above seems clunky and is surely not the solution that the developers intended for us to use.
I'm not sure. It makes perfectly sense, why should developers intend something different?



What's the problem with "allow from LAN to NOT-local ..."? "Internet" is "NOT-local". WAN is usually "Internet", with doubleNAT WAN is "Internet + some local net".

Instead of
Code: [Select]
allow "NOT rfc1918" https
You could use
Code: [Select]
block rfc1918
allow any https



If you need acces to WAN/DMZ/...
Code: [Select]
allow 192.168.123.0/24 https
block rfc1918
allow any https

Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • No option to setup rule for LAN > WAN
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2