Topic: Wan subnet ips firewall ? (Read 1938 times)
szurubooru
Newbie
Posts: 11
Karma: 0
Wan subnet ips firewall ?
« on: September 09, 2020, 02:14:06 pm »
Hello, I have successfully installed OPNsense.
I access the GUI using LAN,
and I have configured WAN and enabled DHCP.
Now the thing is, my WAN subnet is not protected.
For example, if I create a Windows RDP, it's by default accessible.
How can I create a rule for my leased IP so I can allow and block ports?
I am very new to networking and stuff.
Logged
szurubooru
Newbie
Posts: 11
Karma: 0
Re: Wan subnet ips firewall ?
« Reply #1 on: September 10, 2020, 06:19:48 pm »
Bump
Logged
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Wan subnet ips firewall ?
« Reply #2 on: September 10, 2020, 07:42:10 pm »
It is normal.
Devices in the same network can communicate with each other freely unless you go to Windows firewall and restrict LAN access to that PC.
First of all, make sure that OPNsense's LAN interface has a static IP (image 1; you can set "Speed and duplex" to auto, I have it set to 1Gb because I much rather set stuff manually on the LAN side of things).
Next, make sure WAN IP is set to DHCP (image 2).
Then check that LAN has DHCP service enabled (image 3; ignore the IPs in the image, it needs to correspond to the IP of your LAN. IP range by default is 192.168.1.100 - 192.168.1.254/24. This is important: the IP range needs to belong to the same network as LAN.)
If all are like that, it means you have set up OPNsense correctly. The easiest way to do this is to use the console on OPNsense: attach a monitor and keyboard to OPNsense, press Enter or reboot the system, log in as root and choose option 2 "set interface IP address", type the WAN interface's number and choose Y when it says "Configure IPv4 address WAN interface via DHCP? [Y/n]", same for IPv6, and N to "revert https" (image 4).
Logged
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Wan subnet ips firewall ?
« Reply #3 on: September 10, 2020, 08:32:02 pm »
Next, the same thing as with the WAN interface, except select the LAN interface and don't select Y when it asks if you want to get the IP for LAN from DHCP (image 2.1 pretty much; once again I have configured the IP and DHCP myself, so DHCP and LAN IPs are different from default values, but the subnet mask is the same as default. You can copy mine if that's easier for you, just remember it will change your LAN IP, so the web GUI address is https://172.16.1.1 if you copy my LAN settings).
After that, use your web browser, type the LAN IP into the address box and log on to OPNsense. You should be in the lobby (image 2.2; yeah I know, care bears. GOTTA LOVE 'EM).
Select "System" -> "Access" -> "Users" and click the "Add" box (image 2.4).
Logged
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Wan subnet ips firewall ?
« Reply #4 on: September 10, 2020, 09:17:41 pm »
Type a new user name, give it a password, select the admin group, leave the rest at their default values, scroll down to the bottom and click "save and go back" (image 3.1).
Log out and log in using your new user, go to "System" -> "Access" -> "Users" and select the small edit icon next to root (image 3.2).
Check the box which says "Disabled", scroll down to the bottom and select "save and go back" (image 3.3).
Now you have a slightly more secure setup. The root user should be disabled, because it is root and default credentials can be found on Google. HTTPS connections also use encryption, which means outsiders can't see login information in plain text.
Next comes the more difficult part. On the PC which you want to connect to via RDP, open Windows Firewall with Advanced Security (hit the Windows key and type "firewall" in your language if other than English), select "Inbound Rules", filter by group and choose Filter by: Remote desktop from the list, double-click the rule, click "Scope Tab" on local computers, check "These IP addresses" and add the local IP address of the PC you want to connect from. Rinse and repeat for each rule (image 3.3).
If you don't know it (or you changed the LAN IP to the same as mine), then on the connecting PC open a command prompt (hit the Windows key and type "cmd"), type "ipconfig" and hit Enter (image 3.4).
There, now the local IP specified in Windows firewall is the only local IP address which can make an RDP connection to your target PC.
That should work, but if you want to have access to the RDP computer from outside its local network, you need to set up port forwarding on OPNsense.
Logged
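The Windows Firewall scope restriction described in the reply above can also be applied and read back from an elevated PowerShell prompt on the PC that accepts RDP. This is an added example, not part of the original posts; the address 172.16.1.50 is a constructed placeholder for the connecting PC, and the script sets the remote-address scope of the built-in Remote Desktop rule group.

```powershell
# Added example: limit the built-in Remote Desktop inbound rules to one client.
# Run in an elevated PowerShell session on the PC that accepts RDP.
# $AllowedClient is a constructed placeholder; use the IPv4 address that
# ipconfig shows on the connecting PC.
$AllowedClient = '172.16.1.50'

# Refuse anything that is not a single valid IP address.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($AllowedClient, [ref]$parsed)) {
    throw "Not a valid IP address: $AllowedClient"
}

# Language-independent identifier of the "Remote Desktop" rule group, so the
# script also works on non-English Windows installations.
$RdpGroup = '@FirewallAPI.dll,-28752'

$rules = Get-NetFirewallRule -Group $RdpGroup -ErrorAction Stop |
    Where-Object { $_.Direction -eq 'Inbound' }

# Set the remote-address scope on every inbound rule in the group.
$rules | Set-NetFirewallRule -RemoteAddress $AllowedClient

# Read the scope back and flag any rule that still accepts other sources.
$report = Get-NetFirewallRule -Group $RdpGroup |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        $remote = @($filter.RemoteAddress) -join ','
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = $remote
            Restricted    = ($remote -eq $AllowedClient)
        }
    }

$report | Format-Table -AutoSize

if ($report.Restricted -contains $false) {
    Write-Warning 'At least one Remote Desktop rule still accepts other source addresses.'
}
```

The readback matters because the Remote Desktop group contains several rules, and the restriction only holds when every enabled one carries the same scope.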