[Solved] Blocking a LAN device from WAN, device can still connect to WAN network

[dave79]

Hi all

So I have read this: https://forum.opnsense.org/index.php?topic=6471.0 along with a few other threads, but I must have something wrong in my config.

I have a single cheap Chinese camera (Reolink) which I want to block from WAN. I am only connecting to it via LAN, and figured the easiest way to stop the Chinese cloud would be just to block it from accessing the WAN altogether.

What I have done:

1. Setup camera using app, static IP, enforced with MAC via OPNsense
2. Make an alias with just that IP in OPNsense
3. Disconnect my phone  from wifi, thus requiring a cloud connection - I can connect to the camera as expected
4. Add firewall rule blocking anything from that alias to WAN net
5. Try to connect to the camera again via app - it still connects, expected behavior is that it should not

My rule is in: Firewall > Rules > LAN

Attached are screenshots of my config.

What am I doing wrong?

[gpb]

Add the rule to your LAN inteface and block it inbound (outbound should work too)...destination is not needed.  Test and see if that's what you need.

[dave79]

Thanks for the reply, do you mean as in the attached screenshot? It's still not blocking the connection.

[gpb]

Try not using the alias, just add the IP address directly in the rule (scroll to the top of the list in the drop down for source).  Make sure the IP address is correct...also try turning on logging to see if it is blocking (just in case).

[dave79]

Ok, setting to the attached worked, but also blocked every other LAN device from accessing WAN... 

Surely a firewall shouldn't be this nonsensical? How does specifying just one IP block other devices?!

[gpb]

It should be /32 for a single host, not /16.

[dave79]

Ah! That's got it, thanks! I thought the subnet would be the same as under the DHCP settings, but I think I get why it shouldn't be.. It was restricting every IP on the same subnet as the specified IP.

Out of interest, do you know why this rule is functioning correctly with the direction set to 'in'? I can't get my head round that. There's no traffic coming into LAN, it's already within it... or is this a total misconception?

PS. I was going to karma all your posts but apparently I need to wait 1 hour between

[MrB]

Out of interest, do you know why this rule is functioning correctly with the direction set to 'in'? I can't get my head round that. There's no traffic coming into LAN, it's already within it... or is this a total misconception?

From the firewalls point of view everything is on the outside, ie. packets from LAN must come IN before going OUT on the WAN side.

[gpb]

Ah! That's got it, thanks! I thought the subnet would be the same as under the DHCP settings, but I think I get why it shouldn't be.. It was restricting every IP on the same subnet as the specified IP.

Yep.  You can think of the CIDR notation as indicating what part of the blocking you want to wildcard.  /16 would be 192.168.*.* in this case.  /32 means you want that entire IP address and only that IP address (no wildcard).  That's a bit of a bastardization of CIDR in my explanation, you can read up on it if you want.

Out of interest, do you know why this rule is functioning correctly with the direction set to 'in'? I can't get my head round that. There's no traffic coming into LAN, it's already within it... or is this a total misconception?

Just like @MrB said.  The interface if where traffic enters for routing...IN LAN, OUT WAN (best to block on the IN).  Also, "WAN net" is not the internet, a common mistake.

https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html

You might find your camera isn't able to keep time, because blocking it from the internet will block it's NTP queries (assumption here).  You can put an exception in to allow that traffic outgoing, port 123.  Or you can turn on the NTP server on your OPNsense firewall and let it service NTP queries (you'll need a NAT rule to route all port 123 to localhost 127.0.0.1 or "this firewall" option might also work).  If you like to tinker, then these are things you can check out.  Also your initial attempt at the alias, you probably wanted to choose host and not URL...just for future reference.

https://docs.opnsense.org/manual/aliases.html

Cheers.

[dave79]

Thanks both very much for the help, you've explained it perfectly to me Will have a read up on those links too.

Good point on the network time gpb, another option I thought of is spinning up a small NTP docker container on my server.

Thanks again both!

Edit: Just changed the alias to host and the rule back to alias and that works perfectly too. Muchas Gracias.