OPNsense Forum » Archive » 21.1 Legacy Series » Firewall Rule Issues - Seemingly not working
Topic: Firewall Rule Issues - Seemingly not working (Read 9317 times)
Reply #15 by Smack2k (Newbie, Posts: 26, Karma: 0) on May 17, 2021, 12:38:00 pm
TLDR - Are you saying I need to put a block rule on the parent LAN interface and then individual allow rules for each VLAN on the parent interface? Then I can use the individual VLAN rules from there?
I'm not sure what I am missing here, but what you are saying needs done is what I have done.
For one of my VLANs (the one I have used in my previous posts), I have removed the allow all IN and allow all OUT rules (see attached). I haven't touched the LAN interface rules and haven't in the past. All of my VLANs are created off of that parent LAN interface. I had these rules set up for a while and at no point did I ever have anything in my VLAN rules blocking the LAN interface itself. I had rules to only allow certain other IP addresses to access machines in my VLAN. But now, as you can see in the attachment, there are NO rules for that VLAN and it states all incoming connections on this interface will be blocked. Yet I can still access machines on that VLAN from machines on another VLAN....
Also, if I wanted to block all other VLAN traffic from accessing this VLAN, but I still wanted to allow this VLAN to get out to the internet, blocking the LAN interface would prevent that.
I think where my confusion comes in is that for about 20 months I had these rules set up ONLY in the individual VLANs and nothing on the parent LAN interface itself, and things were working fine. Then it just stopped. If I am allowing all traffic into the LAN interface, wouldn't the individual VLAN rules then decide if that traffic can access those interfaces?
You mentioned creating an IN rule on the interfaces I want to block traffic from. I disabled the IN and OUT rules for this one VLAN. Since OPNsense says traffic is blocked unless specified, shouldn't that block anything getting in or out of that VLAN? Yes, the allow all rule is still on the LAN interface itself, but the rules are applied to the VLAN (which again is one of several VLANs created off that same LAN interface).
Reading the documentation again, but I just don't understand why what I had set up and working no longer does!!
Thanks for being patient and responding with information, I do appreciate it.
Last Edit: May 17, 2021, 01:53:37 pm by Smack2k
Reply #16 by Greelan (Hero Member, Posts: 1028, Karma: 72) on May 17, 2021, 02:07:00 pm
I have tried to explain the theory behind the fw rules as clearly as possible, but obviously I have not succeeded.
So simply do this. On an interface that you want to block traffic from (e.g. you want to block traffic from VLAN2 hosts to VLAN3 hosts), create a rule like the following, and place it above any "allow any" rules on that interface:
Action: Block
Quick: Checked
Interface: VLAN2 (for example)
Direction: in
TCP/IP Version: IPv4
Protocol: any
Source / Invert: Unchecked
Source: VLAN2 net (for example)
Destination / Invert: Unchecked
Destination: VLAN3 net
Destination port range: any
Description: Add one if you wish to
This is all I have for you. Good luck.
Reply #17 by Smack2k (Newbie, Posts: 26, Karma: 0) on May 17, 2021, 03:17:33 pm
Sometimes I need to be beaten over the head before something sinks in....lol
I got it now.....it's doing what it should as well.
Thanks again very much for the assistance.....and repeating yourself to help beat it into me!!
Reply #18 by somebod3983 (Newbie, Posts: 5, Karma: 0) on May 19, 2021, 10:10:22 am
Well, I did wonder about the directions of traffic and whether it was counter to logic. So, with the best will in the world, this needs a much more detailed explanation in the documentation, judging by how many times this is misunderstood just going by the number of posts in forums on this very matter, with perhaps a little explanation that the way firewalls work is counter to logic, so you explain it from how a normie would approach it vs how someone who's in the know would expect.
It also makes me wonder, based on the fact this seems opposite to what someone expects, whether perhaps the UI is wrong? From a "not configuring this wrongly" and scaling point of view, it would make more sense to have the block rule on VLAN3 (using your example) to prevent anything coming in from VLAN2, or later on VLAN4, until you expressly allow it. But if I set a rule on, say, VLAN2 with "out", using the inverse logic, that should then do exactly that?
My other point was: aren't VLANs supposed to be separated from each other by default?
Last Edit: May 19, 2021, 11:18:41 am by somebod3983
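The following is an added example, not code from the thread or from OPNsense: a toy model of interface rule evaluation that checks Greelan's rule layout in reply #16 and the alternative placement somebod3983 asks about in reply #18. It assumes (as OPNsense documents) that a rule is consulted only on the interface a packet enters, that a quick rule stops evaluation at the first match, and that unmatched traffic hits the implicit default deny; the addresses and interface names are constructed, and floating rules and the parent LAN interface are left out.

```python
# Added example, not from the thread: a toy model of how interface rules
# are evaluated, to check the advice above. Assumptions (mine): a rule is
# consulted only on the interface a packet ENTERS (direction "in"), top to
# bottom; a "quick" match ends evaluation; unmatched traffic hits the
# implicit default deny. Floating rules and the parent LAN are ignored.
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the thread's VLAN2 / VLAN3 example.
NETS = {"vlan2": ip_network("10.0.2.0/24"), "vlan3": ip_network("10.0.3.0/24")}

def interface_of(ip):
    """Interface a packet with this source address enters on (constructed)."""
    for name, net in NETS.items():
        if ip_address(ip) in net:
            return name
    return "wan"

def rule(action, iface, src, dst, quick=True):
    return {"action": action, "iface": iface, "src": src, "dst": dst, "quick": quick}

def matches(r, src, dst):
    ok_src = r["src"] == "any" or ip_address(src) in NETS[r["src"]]
    ok_dst = r["dst"] == "any" or ip_address(dst) in NETS[r["dst"]]
    return ok_src and ok_dst

def evaluate(rules, src, dst):
    """Return 'pass' or 'block' for a new connection entering the firewall."""
    iface = interface_of(src)
    decision = "block"            # implicit default deny
    for r in rules:
        if r["iface"] != iface or not matches(r, src, dst):
            continue              # rules on other interfaces are never consulted
        decision = r["action"]    # non-quick rules: last match wins
        if r["quick"]:
            break                 # quick: first match wins
    return decision

# Greelan's layout: block VLAN2 -> VLAN3, placed above the "allow any" on VLAN2.
GOOD = [
    rule("block", "vlan2", "vlan2", "vlan3"),
    rule("pass",  "vlan2", "any",   "any"),
    rule("pass",  "vlan3", "any",   "any"),
]
# The layout somebod3983 asks about: the block rule on VLAN3 "in" instead.
MISPLACED = [
    rule("pass",  "vlan2", "any",   "any"),
    rule("block", "vlan3", "vlan2", "vlan3"),
    rule("pass",  "vlan3", "any",   "any"),
]
```

With GOOD, a VLAN2 host reaching a VLAN3 host is blocked while the same host still reaches the internet; with MISPLACED the VLAN3 block rule is never consulted for that packet, because it entered on VLAN2 and already matched the "allow any" there.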