Topic: Host on DMZ can contact host on LAN despite rules [SOLVED] (Read 3908 times)
Callahan (Newbie, 26 posts)
Host on DMZ can contact host on LAN despite rules [SOLVED]
Posted on: May 03, 2020, 08:50:22 pm
Hi,
I have a 2 interface box, LAN and WAN, and a DMZ as a virtual interface configured as a VLAN hanging off the LAN interface. Rules are in place and all seems to be working well save for one thing: the only host on the DMZ (192.168.50.0/24) is my Linux proxy server sat at 192.168.50.2. I've allowed the DMZ to get anywhere except for the LAN (192.168.100.0/24), allowing the DMZ host out to the web but keeping it from getting inside my LAN other than to the specified ports/IPs of internal resources.
However, the DMZ host (192.168.50.2) can still mount NFS shares on my ReadyNAS (192.168.100.4), which makes no sense because it can't get to any other host on the internal LAN. I've been fiddling with this for 4 hours and I can't make any sense of it. I've even disabled all the DMZ rules to see which one it was firing on. I could still access my NAS on the LAN. I don't see how any other rule can be allowing this as the host is in the DMZ.
There is nothing in the FW logs with the IP of my NAS in it despite switching on logging for every rule I have.
Totally baffled as to how this is happening, so if anyone has any suggestions, it'd be appreciated.
Last Edit: May 08, 2020, 01:07:10 am by Callahan
utahbmxer (Newbie, 42 posts)
Re: Host on DMZ can contact host on LAN despite rules
Reply #1 on: May 06, 2020, 06:17:59 am
What device is between the firewall and the devices on your network (proxy, NAS, etc.)? I'm guessing you have a switch, and that switch is connected to OPNsense via a "trunk" allowing both VLANs? If that switch has virtual interfaces (if the switch has an IP in each VLAN), it's likely doing intra-VLAN routing and the traffic isn't even touching the firewall.
That's my first thought anyway.
Callahan (Newbie, 26 posts)
Re: Host on DMZ can contact host on LAN despite rules
Reply #2 on: May 08, 2020, 01:06:49 am
Hi Utah,
Thanks for the reply. It's only a basic layer 2 switch. No IPs tied to VLANs/ports. The issue was (much like the result of many of my posts here) resolved by myself about an hour or two after posting. It was down to my own confusion about the way interface rules work. I have years of dealing with Palo FWs and the concept of zones. I was having a hard time converting in my head how OPNsense was dividing up interfaces, but now I'm thinking that the interfaces are essentially zones in their own way. For example, I initially thought that putting a LAN rule in that says LAN can get anywhere on any protocol also meant I needed to add a rule to the DMZ interface to say that the LAN can get to any host in the DMZ. Not the case: the "allow anywhere" rule in the LAN has, by rights, allowed hosts on the LAN into the DMZ (and any other interface). It's just a different way of thinking about it, I guess, but I'm getting there. :-)
working under the belief that the interfaces worked
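The point in Reply #2, that a rule is evaluated on the interface where traffic enters the firewall, so a LAN "allow anywhere" rule already covers LAN-to-DMZ flows while only the DMZ interface's own rules decide DMZ-to-LAN, as an added Python model of that evaluation order. This is not OPNsense or pf code: the addresses are the thread's, the rule set is a constructed approximation of the poster's description, and the 192.168.100.10 port 53 exception is invented for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed approximation of the poster's networks and rules; not OPNsense code.
NETS = {"lan": ip_network("192.168.100.0/24"), "dmz": ip_network("192.168.50.0/24")}

@dataclass
class Rule:
    action: str     # "pass" or "block"
    src: str        # CIDR the source address must fall in
    dst: str        # CIDR the destination address must fall in
    dport: int = 0  # destination port, 0 means any

@dataclass
class Firewall:
    rules: dict     # interface name -> ordered list of Rule
    states: set = field(default_factory=set)

    def ingress_iface(self, ip: str) -> str:
        for name, net in NETS.items():  # a packet enters on the interface whose subnet holds its source
            if ip_address(ip) in net:
                return name
        return "wan"

    def handle(self, src: str, sport: int, dst: str, dport: int) -> str:
        # 1. A flow already in the state table passes both ways; no interface's rules are consulted.
        if (src, sport, dst, dport) in self.states or (dst, dport, src, sport) in self.states:
            return "pass (state)"
        # 2. A new flow is matched only against the ingress interface's rules: first match wins, else deny.
        iface = self.ingress_iface(src)
        for r in self.rules.get(iface, []):
            if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst) and r.dport in (0, dport):
                if r.action == "pass":
                    self.states.add((src, sport, dst, dport))
                return f"{r.action} ({iface} rule)"
        return f"block ({iface} default deny)"

RULES = {
    "lan": [Rule("pass", "192.168.100.0/24", "0.0.0.0/0")],            # LAN may go anywhere
    "dmz": [Rule("pass", "192.168.50.0/24", "192.168.100.10/32", 53),  # constructed exception
            Rule("block", "192.168.50.0/24", "192.168.100.0/24"),      # DMZ must not reach LAN
            Rule("pass", "192.168.50.0/24", "0.0.0.0/0")],             # ...but may reach the web
}

def demo() -> dict:
    fw = Firewall(rules=RULES)  # fresh state table each run
    return {"lan->proxy": fw.handle("192.168.100.4", 40000, "192.168.50.2", 3128),       # no DMZ rule needed
            "proxy->lan reply": fw.handle("192.168.50.2", 3128, "192.168.100.4", 40000),  # matched by state
            "dmz->nfs": fw.handle("192.168.50.2", 40001, "192.168.100.4", 2049),          # blocked on DMZ
            "dmz->dns": fw.handle("192.168.50.2", 40002, "192.168.100.10", 53),           # explicit exception
            "dmz->web": fw.handle("192.168.50.2", 40003, "203.0.113.10", 443)}            # allowed out
```

The state case is worth noting when reading rule logs: packets matched by an existing state never touch a rule, so per-rule logging shows only the packet that created the flow.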