IPSec site-to-site VPN - Firewall Rules

[fgratx]

Hey guys,

First post on here so I'll start by thanking the community for the great work putting OPNSense together!
Also, I'm a newbie on OPNSense fw but been in the IT industry for 25y+, so please bare with me if I don't get all the OPNSense specifics yet.

So far, I built the following basic setup.

Site A: OPNsense 20.7.5-amd64 freshly installed/updated.

• Only 2 interfaces for LAN and WAN.
• LAN network is a basic class C private network.
• No double NAT, WAN has public address delivered by the ISP.
• A simple IPSec site-to-site tunnel to another location with specific advanced parameters like "Install policy" all let by default.

Site B: Cisco RV340 with the same type of local setup, a LAN and a WAN leg.

Configuration of the tunnel was pretty straight forward.
It is well established and the two LAN are able to communicate both ways just fine.
But now, I would like to filter traffic in/out between the two LANs from the OPNSense firewall.
Basically I'd like to deny all, then open only using rules according to my needs.

I noticed an automatically generated rule was added in Firewall>Rules>IPSec allowing everything both ways.
IPv4+6 *   *   *   *   *   *   *   IPsec internal host to host

I've tried to add a simple rule here to block all traffic (* on protocol, etc) between 2 IP addresses, each being on the two LANs on each side doesn't seems to work as ping/ssh/etc.. still goes through just fine without any limitation.

I used the firewall logs and filters to check and the auto generated rule is kicking in to allow it. See below log for an SSH connection from Site A LAN to Site B LAN:
Interface  Time             Source              Destination      Proto  Label
IPsec      Nov 30 21:12:27  192.168.1.10:38236  192.168.2.23:22  tcp    IPsec internal host to host

Any rule I try for blocking communication still let it pass. Of course, I diligently make sure to save and apply during my tests.
Does anyone has any idea on what I'm missing?

Thanks a lot.

Florian

[Gauss23]

Basically OPNsense blocks all traffic which is not allowed. So you usually don't need any block rules.

This IPsec host to host rule is for traffic leaving your OPNsense. Notice the outgoing arrow at the left side.

You need to set the rules on the interface where it first hits the OPNsense. So if you want to allow traffic from LAN to a specific IP range in an IPsec tunnel, you allow that traffic on the LAN interface (source LAN, destination IPsec network). If your rules on the LAN interface are too wide or any/any, all traffic from LAN will be allowed. So you need to be more strict there.

The IPsec firewall rule table is for incoming traffic from the remote site. So if don't add any rules there, the remote site is not able to establish new connections. Return traffic is always allowed (stateful firewall).
So if you want the remote site to be able to ping a host in the local LAN you create a rule on the IPsec tab with source IPsec network and destination the local host in your local LAN.

[Ricardo]

bookmarked

[chemlud]

Basically OPNsense blocks all traffic which is not allowed.

In principle: Yes. But then there are these rules with the infamous * And then you might need BLOCK rules to be more specific. Or if you want to log specific BLOCK traffic.

[Gauss23]

Basically OPNsense blocks all traffic which is not allowed.

In principle: Yes. But then there are these rules with the infamous * And then you might need BLOCK rules to be more specific. Or if you want to log specific BLOCK traffic.

What rules with "infamous *"?
Blocking is i.e. needed if you want to get rid of bulk traffic like "block all IPv6" as a floating rule. And maybe an outgoing rule on the WAN to block private destinations leaving the OPNsense.

I have a lot of boxes in production and I have only a few block rules installed. If you work with source invert and destination invert you can usually allow the needed connections on point without a blocking rule.

And for logging: all blocked traffic is logged anyway.

[chemlud]

Maybe you allow your clients on LAN http / https to ANY. That does included even to your local DMZ, GUEST, IOTLAN, PRIVATLAN or whatever. Same for samba, ssh or whatever.

[Gauss23]

Maybe you allow your clients on LAN http / https to ANY. That does included even to your local DMZ, GUEST, IOTLAN, PRIVATLAN or whatever. Same for samba, ssh or whatever.

In that case I create an Alias with all my local networks in it. Then your rule wouldn't have ANY as destination. It would have the Alias as destination with destination invert. Problem solved without the need of a block rule.

[fgratx]

Thanks Gauss23 and chemlud for all the great advise and details. It'd put me in the right track, helped me understand better and guided me into reading some more useful documentation. Cheers guys!