OPNsense Forum » Archive » 20.7 Legacy Series » Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
Topic: Re: Multi WAN (was DoT in combo) - allow dpinger in firewall? (Read 8474 times)
mimugmail (Hero Member, Posts: 6767, Karma: 494)
Re: Multi WAN (was DoT in combo) - 192.168.1.1 or 127.0.0.1?
« Reply #15 on: November 28, 2020, 08:55:07 pm »
Your screenshot looks strange, you allow inbound DNS and NTP on WAN??
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - 192.168.1.1 or 127.0.0.1?
« Reply #16 on: November 28, 2020, 08:58:09 pm »
No I do not - it is OUTgoing ONLY. I have no IN rules at all.
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - 192.168.1.1 or 127.0.0.1?
« Reply #17 on: November 29, 2020, 11:10:55 am »
I was not at my PC for my previous response, here are two screenshots of the DNS and NTP rule details.
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #18 on: November 29, 2020, 12:23:40 pm »
For the fun of it I decided to put my new OPNsense (WAN_FTTH) router inside the ASUS firewall, and allowed all ports open in/out on the IP that the OPNsense firewall got. This shut down dpinger of course, and I lost the WAN_FTTH interface = status offline. I then added ICMP packet types 0 and 8 (which are Echo Reply and Echo) - and the result is that my WAN_FTTH interface got status = online.
So dpinger needs Echo (=ICMP packet type 8) and Echo Reply (=ICMP packet type 0) to work. I now know what to filter for in OPNsense - I thought...
...so I am still working on what I do wrong here...
« Last Edit: November 29, 2020, 01:05:17 pm by lar.hed »
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #19 on: November 29, 2020, 01:12:07 pm »
Okay, cannot work around this challenge...
All below is tested on my backup WAN interface, the WAN_LTE interface. Also, for all testing below there are NO block rules enabled! The ONLY rules I am testing are "allow out" kind of rules to try to figure this out...
If I add a rule that allows ICMP <any> out - dpinger will stop working.
If I add a rule that allows <any> protocol <any> everything out - dpinger will stop working.
Adding a rule that allows HTTP / HTTPS / NTP / DNS / port 853 (DNS-over-TLS) out - dpinger works perfectly.
So adding an ICMP or allow-anything-out rule stops dpinger. I cannot be doing this wrong, there has got to be something else involved here that I simply put don't understand. Adding an allow-all-everything-out rule should not stop dpinger from working. And dpinger, since it is internal, is not supposed to be stopped anyway, or?
mimugmail (Hero Member, Posts: 6767, Karma: 494)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #20 on: November 29, 2020, 01:35:12 pm »
Normally you don't need allow rules for outgoing packets, everything initiated from the firewall is allowed, incl. dpinger.
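To show what an explicit outbound whitelist on WAN has to include for the gateway monitor to keep working, here is an added pf.conf fragment written for this thread; it is not OPNsense's generated ruleset and not from any poster, and the interface name, gateway address and ports are assumptions chosen for illustration.

```pf
# Constructed pf.conf fragment (hand-written for this thread, not OPNsense-generated rules).
# Assumed names: igb0 is the WAN interface, 203.0.113.1 is a placeholder gateway.
wan = "igb0"
gw  = "203.0.113.1"

# Last line of defense: drop (and log) anything leaving WAN that is not listed below.
block out log on $wan all

# Gateway monitor: dpinger sends ICMP echo requests (type 8) from the WAN address
# to the monitored gateway. "keep state" lets the echo replies (type 0) back in
# through the state entry, so no separate rule for type 0 is needed.
pass out quick on $wan inet proto icmp from ($wan) to $gw icmp-type echoreq keep state

# Services the firewall itself uses: DNS, DNS-over-TLS, NTP, HTTP/HTTPS.
# Note: pf applies outbound NAT before filtering, so forwarded LAN traffic also
# shows up here with the WAN address as source; anything clients need must be
# in this list too, or they lose connectivity once the block rule is in place.
pass out quick on $wan inet proto udp from ($wan) to any port { 53 123 } keep state
pass out quick on $wan inet proto tcp from ($wan) to any port { 53 80 443 853 } keep state

# Verify the monitor has a live state:  pfctl -ss | grep -i icmp
# Inspect which rule a blocked packet hit:  pfctl -vvsr  (compare counters)
```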
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #21 on: November 29, 2020, 02:31:55 pm »
Okay. I understand. I think. Might need a night to sleep on it...
How should I then whitelist everything that is allowed to exit from OPNsense? It sounds like that is impossible?
On 20.1 I got this working the same way I am trying now. Has something changed in 20.7?
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #22 on: November 29, 2020, 06:22:53 pm »
Right, so I can ONLY control what is sent/received on for example the LAN interface - but I have no way of controlling what goes through the WAN interface? Have I got this correct?
mimugmail (Hero Member, Posts: 6767, Karma: 494)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #23 on: November 30, 2020, 06:05:33 am »
You can control more or less everything, but maybe the concept is not clear. Just give me an example with source and destination of what you want to block.
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #24 on: November 30, 2020, 07:28:40 am »
I think I can do better, I will (try to) draw a sketch that describes how I imagine my installation of a firewall. Just need a few moments.....
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #25 on: November 30, 2020, 07:37:06 am »
Btw I am not sure, but it feels like there is something not working with filtering on the WAN interface. Since I had the problem with ICMP above, I decided to test the "rest". So I constructed a rule that allowed HTTP. Only one rule, and that was HTTP out pass. Nothing really happened. So I decided to add a rule for HTTPS out pass = internet dead - now again, I added an allow rule (pass) and I got a block rule.... Disabled that HTTPS rule = internet online again.
So from the looks of it, adding a rule, pass or block, will ALWAYS result in a BLOCK rule no matter what?!
I am pretty sure this worked in 20.1 - but it does not work in 20.7 - so something has changed?
mimugmail (Hero Member, Posts: 6767, Karma: 494)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #26 on: November 30, 2020, 07:58:47 am »
Maybe it worked with 20.1 because of a coincidence. Really, I never had to use rules with direction outbound, never.
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #27 on: November 30, 2020, 04:58:37 pm »
Well I have such a case - now there are more ways to handle what I now describe, so....
I use a software, LMS - Logitech Media Server, and for some (very ugly) reason it likes to send stuff on port 9000. Like broadcast style. A very easy way to solve this is to simply block port 9000 on the (ex. LAN) interface that the LMS server is connected to. And it will for sure do the trick. I hope, since I have actually never tried that on OPNsense...
Now this is how I have it on my ASUS router (it has a LAN-to-WAN netfilter GUI part, where one can choose to blacklist or whitelist any TCP/UDP traffic (and ICMP)): I only run whitelist, port 80/443 and that is it. This works, since well it is like in OPNsense, you have no control of the WAN interface. So since the ASUS router handles all DNS requests on port 53 (or 853) - well I do not need to handle that since that is after the LAN-to-WAN firewall so to speak. The same way it goes in OPNsense.
And this is where I am trying to improve. I would like to have that extra control of what actually leaves the WAN port(s), dead 100% control. Not only LAN (WORK, or whatever) rules but that extra last line of "defense".
And as I wrote I did have this up and running in 20.1 since I have screendumps of all my old 20.1 firewall rules, and Multi-WAN btw (what did not work on Multi-WAN in that hardware was gateway switching - it only worked from WAN-FTTH, most likely since I used the wrong gateway in my rules - yes my mistake). And I could use my work PC for sure through that OPNsense firewall. The same rules on 20.7 = internet blocked.
Now if my interpretation is correct, this is simply not possible (anymore?). We all assume that OPNsense is 100% safe at all times. Right? Since OPNsense always has 100% possibility to do whatever it likes - it is the firewall after all?
Don't get me wrong here, OPNsense is superb - it is just that last line of defense that used to work that now simply put does not work.
mimugmail (Hero Member, Posts: 6767, Karma: 494)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #28 on: November 30, 2020, 06:47:26 pm »
You still didn't post IPs and direction.
lar.hed (Sr. Member, Posts: 323, Karma: 10)
Re: Multi WAN (was DoT in combo) - allow dpinger in firewall?
« Reply #29 on: November 30, 2020, 06:55:17 pm »
Sorry, yes, still trying to find enough time to draw that drawing I have in my head, on the right computer on top of it all. This seems to be an issue for me, always working from home, but on the wrong computer....