What IP is "This Firewall" and so on - anyone care to expand on this?

Started by lar.hed, November 30, 2020, 08:13:42 AM

When I add a new firewall rule, I get the choice of a few predefined variables which I have never found the correct definition for. In my case, for the moment I might add, I am using 4 (out of 8) ports (interfaces) on my OPNsense firewall hardware:
LAN - 192.168.1.1
WAN_FTTH - DHCP ISP
WAN_LTE - DHCP ISP
WORK - 192.168.2.1

As one might assume, I have a Multi-WAN setup, with failover from WAN_FTTH to WAN_LTE when the fiber fails (I did not expect this to happen, but so it has, twice in the last 12 months....).

So I have a rule on LAN and WORK to redirect DNS (port 53) to local DNS. Now this is where I started to (over-)think this. What am I to enter into the Destination field? First thought was "This Firewall", and well, it does work, on both LAN and WORK. Then for some reason I started to think (again) and changed it to the IP of the interface: LAN = 192.168.1.1 and WORK = 192.168.2.1. LAN worked after this, WORK did not. So for WORK I changed back to "This Firewall" and now it works again....

So, again, I started to think (yes I know, it will always create challenges...): what do the predefined networks stand for and represent? So a primer for the following would be awesome:

"This Firewall" - is what? 192.168.1.1?
"LAN net" - is anything active on the LAN interface, and if DHCP is active (as it is in my case) somewhere in 192.168.1.10-100?
"LAN address" - is 192.168.1.1?
"Loopback net" - is 127.0.0.1? or?

"This Firewall" is an Alias for ALL IPs of the OPNsense on all available interfaces.

"LAN address" correct, OPNsense IP for LAN net

Loopback = localhost (https://docs.opnsense.org/releases/18.7.html?highlight=loopback%20net)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: chemlud on November 30, 2020, 10:54:35 AM
"This Firewall" is an Alias for ALL IPs of the OPNsense on all available interfaces.

So just to be over-specific here, "This Firewall" is, in my case, not only 192.168.1.1 (LAN) and 192.168.2.1 (WORK) but also my two WAN interfaces and the DHCP "generated" IP addresses? ???

imho yes. You could have a combination of

ALLOW "LAN IP of your service machine" "LAN address" HTTPS
BLOCK * "This firewall" HTTPS

to allow only one machine (your service machine) to access the GUI of your OPNsense.

An old trick to access the pfSense GUI was to enter the WAN IP on a LAN machine, but that should not work for OPNsense, as you can specify the listen interfaces for the GUI (as long as you have more than one interface, iirc).
kind regards
chemlud

Many thanks!

Much better now. Still a lot to learn, as always, however this made it much easier!

Your "LAN net" must be 192.168.1.0/24 actually...
Proxmox enthusiast @home, bare metal @work.

Quote from: Antaris on November 30, 2020, 06:09:22 PM
Your "LAN net" must be 192.168.1.0/24 actually...

Yes, of course, .1 to .254. However, my DHCP range for LAN is .10 to .100.

Okay, another question about "This Firewall" then. Learning curve I guess...

I run Multi-WAN, and for that I need a gateway group - nothing special about that. However the DNS rule on my WORK interface (192.168.2.1) needs a destination. If I enter "This Firewall" (as I wrote above) it works. If I enter 192.168.1.1 or 192.168.2.1 it does not work. Anyone who can explain why only "This Firewall" works as destination?

Not without having a look at your set of rules.

Have you tried "WORK address"?

And if "LAN address" also works, your two networks are not well separated, I guess.
kind regards
chemlud
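As an added illustration (my own code, not from the thread, OPNsense or pf), here is a small Python model of how the built-in aliases chemlud describes expand, and how a first-match rule set evaluates against them. It goes a little beyond the posts: it also shows why a rule on WORK with destination 192.168.1.1 (the LAN address) can never match a WORK client talking to its own gateway 192.168.2.1, while "WORK address" and "This Firewall" both do. LAN and WORK use the addresses quoted above; the two WAN leases, the 192.168.1.50 management host and the "no match" default are constructed assumptions.

```python
"""Model of OPNsense's built-in rule aliases and first-match evaluation.

Added example, not OPNsense code. Interface names and the LAN/WORK addresses
come from the thread; everything else is constructed for the illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed interface table: (interface address, interface network).
# The WAN leases are documentation addresses standing in for whatever the
# ISP's DHCP handed out; "This Firewall" must cover them too.
INTERFACES = {
    "LAN":      ("192.168.1.1",   "192.168.1.0/24"),
    "WORK":     ("192.168.2.1",   "192.168.2.0/24"),
    "WAN_FTTH": ("203.0.113.10",  "203.0.113.0/24"),   # constructed lease
    "WAN_LTE":  ("198.51.100.20", "198.51.100.0/24"),  # constructed lease
}


def resolve(alias):
    """Expand a source/destination alias into a list of ip_network objects.

    Anything that is not a known alias is treated as a literal IP or CIDR,
    which is what you get when you type an address into the rule form.
    """
    if alias in ("any", "*"):
        return [ip_network("0.0.0.0/0")]
    if alias == "This Firewall":
        # Every address the box itself holds on every interface, including
        # the DHCP-assigned WAN addresses (chemlud's description above).
        return [ip_network(addr) for addr, _ in INTERFACES.values()]
    if alias == "Loopback net":
        return [ip_network("127.0.0.0/8")]
    name, _, kind = alias.rpartition(" ")
    if name in INTERFACES and kind in ("address", "net"):
        addr, net = INTERFACES[name]
        return [ip_network(addr if kind == "address" else net)]
    return [ip_network(alias, strict=False)]


def in_alias(ip, alias):
    """True if ip falls inside any network the alias expands to."""
    ip = ip_address(ip)
    return any(ip in net for net in resolve(alias))


def evaluate(rules, iface, src, dst, dport):
    """First-match evaluation, as OPNsense rules (quick by default) behave.

    Each rule is (interface, action, source alias, destination alias, port).
    Returns the matching rule's action, or "no match" if nothing applied.
    """
    for rule_iface, action, rsrc, rdst, rport in rules:
        if rule_iface != iface or rport != dport:
            continue
        if in_alias(src, rsrc) and in_alias(dst, rdst):
            return action
    return "no match"


# chemlud's pair for restricting GUI access; 192.168.1.50 is a constructed
# "service machine". Order matters: the allow must sit above the block.
GUI_RULES = [
    ("LAN", "allow", "192.168.1.50", "LAN address",   443),
    ("LAN", "block", "any",          "This Firewall", 443),
]


def dns_destinations_that_match(client="192.168.2.50", gw="192.168.2.1"):
    """Which destination choices on a WORK rule match a WORK client's DNS
    query to its gateway? Explains why only some of them 'work'."""
    candidates = ["This Firewall", "WORK address", "LAN address", "192.168.1.1"]
    return [c for c in candidates if in_alias(gw, c)]


if __name__ == "__main__":
    print("This Firewall ->", [str(n) for n in resolve("This Firewall")])
    for src, dst in [("192.168.1.50", "192.168.1.1"),
                     ("192.168.1.60", "192.168.1.1"),
                     ("192.168.1.60", "203.0.113.10")]:   # WAN IP from LAN
        print(f"LAN {src} -> {dst}:443 =", evaluate(GUI_RULES, "LAN", src, dst, 443))
    print("WORK DNS rule destinations that match:", dns_destinations_that_match())
```

Reading the output side by side with the rules makes two things visible: the block rule on "This Firewall" also catches a LAN host aiming at the firewall's WAN address (the old "WAN IP from a LAN machine" trick), and a WORK rule whose destination is the LAN address simply never sees WORK traffic, because WORK clients address 192.168.2.1, not 192.168.1.1.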

WORK address works. And for the record, currently in my test setup (which btw sits behind another firewall) LAN works also, but that happens to be because currently (give me 5 minutes) there is an allow-all rule there. I'll get rid of it in a few moments...

Thanks chemlud!

A kind of new question: Is there anywhere in the OPNsense GUI where one can actually see all these aliases?

If not, could it not be added somehow to Aliases under Firewall?

via console:

less /tmp/rules.debug

There you can see all firewall rules. Just add a rule like allow 1.2.3.4 to This Firewall, then go into rules.debug and grep for 1.2.3.4.

Quote from: mimugmail on December 02, 2020, 03:16:49 PM
less /tmp/rules.debug

Thanks!

(And now I immediately got scared - very pleased that this OPNsense is inside another firewall....)

It's up to the administrator to make it secure; if you don't set it to one IP alone, it's your decision :)