Source & destination network options of firewall rules

Started by alexroz, August 25, 2020, 08:34:47 PM

There are some network options available as a source or a destination while creating firewall rules:
Networks

  • any
  • This Firewall
  • LANx address
  • LANx net
  • Loopback net
Those terms may sound obvious to some people, but I am struggling to grasp their true meaning.
For example, LANx address and LANx net sound the same to me.
Can anyone point me to some documentation clearly explaining these options?

August 26, 2020, 05:10:21 AM #1 Last Edit: August 26, 2020, 05:13:22 AM by marjohn56

I'll try

       
  • any - Any address, used in the context of a source address for a rule; for example, if you run a webserver, any address could be the source of the connection to your webserver. Used in the context of a destination, e.g. a LAN rule allowing any to any would allow a LAN client to connect to any address.
  • This Firewall - An address that is specific to your firewall, the WAN, LAN, loopback ( 127.0.0.1 )
  • LANx address - a single address e.g. 192.168.1.1 on your LAN
  • LANx net - the entire subnet e.g. 192.168.1.0/24 or all of the addresses on the LAN segment in question
  • Loopback net - 127.0.0.0/8 or all loopback addresses
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: marjohn56 on August 26, 2020, 05:10:21 AM
LANx address - a single address e.g. 192.168.1.1 on your LAN
Thank you marjohn56
But I still don't get the LANx address part...
LANx address isn't any particular IP address. Right?
If it is a set of all available addresses on a given net - how does it differ from LANx net, as long as a net includes all its addresses?
I understand that a net and an address can't be the same, even based on the following example https://docs.opnsense.org/manual/how-tos/guestnet.html#block-local-networks
But how do they differ?

LAN = Local Area Network. You can have more than one. Here's part of my drop down list.

As you see I have multiple 'LANs', so therefore multiple LAN addresses and LAN nets.

A LAN address is a single address i.e. 192.168.1.100 - LAN Net means all the addresses in that LAN segment, from 192.168.1.0 to 192.168.1.255.

Perhaps a practical example will help. I have 3 VLANs and a management LAN; all of them are LANs. Now, one of my VLANs is called IOT, and that has all the things like webcams, doorbells, Amazon Echo units, etc. The main VLAN is QPVLAN. I don't want everything on the IOT LAN able to get to the QPVLAN, so I have a block rule that uses IOTVLAN net, i.e. anything in that VLAN is blocked from my QPVLAN; but there is one device in there that I do want to allow access, so there is another rule, above the block rule, which allows a single address on the IOTVLAN access to the QPVLAN. That rule uses IOTVLAN address, and I enter the address of the device that is allowed. Inversely, anything on the QPVLAN (so I use QPVLAN net) can access anything on the IOTVLAN.


If we did not have the ability to use LANx NET, and I wanted to block all of the devices on that LANx, I would have to enter 256 rules, one for each address!


Now does it make sense?

Can you explain how this rule works?
Pay attention to the destination...

(Source: https://docs.opnsense.org/manual/how-tos/guestnet.html#block-local-networks )

This is for a captive portal setup. Where it refers to the GUESTNET address, that is the address of the OPNsense GUESTNET interface. I think I can see where that's confused you, and it's probably my fault. I was referring to a LAN address, not the actual OPNsense LANx address. So, for example, if the address you had set on the OPNsense LANx interface was 192.168.1.1, it would be that address.


Sorry for the confusion, I hope that clears it up for you.

OK, I feel like I finally got it.
According to pfSense-related sources:

  • LAN address: LAN interface IP address of the corresponding firewall interface (e.g. 192.168.1.1)
  • LAN net: LAN network and other static routes configured on that interface (range of all available addresses, e.g. 192.168.1.0/24)
These make your life easier because, if an address/network changes, you won't have to alter the rule as the rule will be automatically updated to match the new address(es).
Sources:

Good... Those explain it better than I did.  :)
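The following is an added example, not code from this thread or from OPNsense. It is a small Python model of first-match rule evaluation that expands the options discussed above (any, This Firewall, LANx address, LANx net, Loopback net) into address sets, then runs marjohn56's IOTVLAN/QPVLAN rule order through it and finally renumbers an interface to show the point made in the last post: a rule written against "QPVLAN net" follows the interface when its address changes. All interface names, addresses, the single allowed IoT device (192.168.20.50), the static route 10.99.0.0/24 via QPVLAN and the "IoT to internet" pass rule are assumptions made up for the example.

```python
"""Toy first-match evaluator for OPNsense-style firewall rules.

Constructed example (not OPNsense code): shows what "LANx address",
"LANx net", "any", "This Firewall" and "Loopback net" expand to, and why a
rule written against those names keeps working after an interface is
renumbered.
"""
import ipaddress
from dataclasses import dataclass

# Constructed interface table (assumed values): name -> (address/prefix
# configured on the interface, extra networks reached through static routes
# pointing out of that interface).
INTERFACES = {
    "WAN":     ("203.0.113.10/24", []),
    "LAN":     ("192.168.1.1/24", []),
    "IOTVLAN": ("192.168.20.1/24", []),
    "QPVLAN":  ("192.168.10.1/24", ["10.99.0.0/24"]),
}


def resolve(target, interfaces):
    """Expand a source/destination option into the networks it covers."""
    if target == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if target == "Loopback net":
        return [ipaddress.ip_network("127.0.0.0/8")]
    if target == "This Firewall":
        # every address the firewall itself holds, including loopback
        own = [ipaddress.ip_network(str(ipaddress.ip_interface(a).ip))
               for a, _ in interfaces.values()]
        return own + [ipaddress.ip_network("127.0.0.1/32")]
    name, _, kind = target.rpartition(" ")
    if name in interfaces and kind in ("address", "net"):
        addr, routes = interfaces[name]
        iface = ipaddress.ip_interface(addr)
        if kind == "address":
            # "LANx address": the one IP configured on the firewall's interface
            return [ipaddress.ip_network(str(iface.ip))]
        # "LANx net": the interface subnet plus static routes via that interface
        return [iface.network] + [ipaddress.ip_network(r) for r in routes]
    # otherwise a literal host or CIDR typed into the rule
    return [ipaddress.ip_network(target, strict=False)]


def matches(ip, target, interfaces):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in resolve(target, interfaces))


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str
    dst: str
    note: str = ""


# The rule set described in the thread, in evaluation order (first match
# wins; the implicit default is block). The allowed IoT device and the
# "IoT to internet" rule are assumptions for the example.
RULES = [
    Rule("pass",  "192.168.20.50", "QPVLAN net",  "one IoT device allowed (assumed)"),
    Rule("block", "IOTVLAN net",   "QPVLAN net",  "everything else on IoT blocked"),
    Rule("pass",  "QPVLAN net",    "IOTVLAN net", "main VLAN may reach IoT"),
    Rule("pass",  "IOTVLAN net",   "any",         "IoT may reach the internet (assumed)"),
]


def evaluate(rules, src, dst, interfaces=INTERFACES, default="block"):
    """Return the action of the first rule matching src -> dst."""
    for rule in rules:
        if matches(src, rule.src, interfaces) and matches(dst, rule.dst, interfaces):
            return rule.action
    return default


def renumber(interfaces, name, new_addr):
    """Return a copy of the interface table with one interface re-addressed."""
    new = dict(interfaces)
    new[name] = (new_addr, interfaces[name][1])
    return new


if __name__ == "__main__":
    print("LAN address ->", resolve("LAN address", INTERFACES))
    print("LAN net     ->", resolve("LAN net", INTERFACES))
    for src, dst in [("192.168.20.77", "192.168.10.5"), ("192.168.20.50", "192.168.10.5"),
                     ("192.168.10.5", "192.168.20.77"), ("192.168.20.77", "198.51.100.7")]:
        print(src, "->", dst, evaluate(RULES, src, dst))
    # renumber QPVLAN: the rules still say "QPVLAN net" and follow the change
    moved = renumber(INTERFACES, "QPVLAN", "192.168.30.1/24")
    print("192.168.30.5 -> 192.168.20.77 (after renumber):",
          evaluate(RULES, "192.168.30.5", "192.168.20.77", moved))
```

Note that the block rule must sit below the single-device pass rule, exactly as in the post above: the evaluator stops at the first match, so swapping the two would block the allowed device too. The static route included in "QPVLAN net" is why a destination of 10.99.0.9 is also blocked for the rest of the IoT VLAN.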