OPNsense Forum » Archive » 21.1 Legacy Series
Topic: Unable to block traffic from DMZ to LAN (Read 3082 times)
bitTwiddler (Newbie, Posts: 28, Karma: 0)
Unable to block traffic from DMZ to LAN
« on: June 03, 2021, 02:13:30 am »
I have rules on my DMZ interface as well as my LAN interface blocking traffic from DMZ to LAN but I can still browse to web resources on the LAN network from a web browser on a workstation in the DMZ. I know I am missing the obvious but I am not currently seeing it.
Attached are my DMZ and LAN rules.
The message in the Live Log for the DMZ -> LAN traffic is "let out anything from firewall host itself", which is tied to an autogenerated floating rule that I cannot disable.
« Last Edit: June 03, 2021, 04:19:29 am by bitTwiddler »
thogru (Full Member, Posts: 130, Karma: 4)
Re: Unable to block traffic from DMZ to LAN
« Reply #1 on: June 03, 2021, 08:50:10 am »
Hi bitTwiddler,
I do not see any mistake in your rules.
When installing my OPNsense I did the following steps:
1. run the installation of the image via the serial console
2. assign the interfaces in the console: LAN and WAN
3. run the wizard of the WebUI
4. add the interface for DMZ
After that, devices in the DMZ are not allowed to do anything: DNS, internet access, access to the LAN. I have to define rules that allow the devices in my DMZ what I want. Block by default.
So why did you change this general behavior of your setup?
Kind Regards
Thomas
Don't forget to [applaud] those offering time and brainpower to help you!
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: Unable to block traffic from DMZ to LAN
« Reply #2 on: June 03, 2021, 12:21:28 pm »
The third rule on the DMZ interface is an odd one - I’d delete that. And the first rule on the LAN interface won’t do anything, so can be deleted too.
bitTwiddler (Newbie, Posts: 28, Karma: 0)
Re: Unable to block traffic from DMZ to LAN
« Reply #3 on: June 03, 2021, 06:17:17 pm »
Thank you for the great feedback! Much appreciated.
Greelan, that rule was not in my original ruleset but more of a Hail Mary pass to try to contain the DMZ, which didn't work. I will remove that rule. I also removed the 1st LAN rule. Good catch!
Thogru, I pretty much followed the same path you outline with a few exceptions. I followed your steps 1-3 as part of moving off Smallwall to OPNsense last year. That worked very well. I just moved DMZ over from Smallwall and brought over the three simple rules. The only difference was that I set up a NAT port-forward for PiHole DNS. So, I didn't change any of the default behavior. If you are aware of why the floating rule " let out anything from firewall host itself" is firing I'd give my right arm to know.
FYI - I am running OPNsense v21.1.4-amd64
« Last Edit: June 03, 2021, 08:39:57 pm by bitTwiddler »
bitTwiddler (Newbie, Posts: 28, Karma: 0)
Re: Unable to block traffic from DMZ to LAN
« Reply #4 on: June 03, 2021, 09:21:22 pm »
I found one typo: a CIDR block suffix of /1 rather than /32, which was allowing everything on LAN.
I am doing regression testing now.
bitTwiddler (Newbie, Posts: 28, Karma: 0)
Re: Unable to block traffic from DMZ to LAN
« Reply #5 on: June 03, 2021, 11:05:27 pm »
After cleaning up the typo my DMZ rules look like this. Since everything not explicitly passed should be blocked, I should be able to replace the last three rules with "allow to WAN". However, that does not work for me for some reason.
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: Unable to block traffic from DMZ to LAN
« Reply #6 on: June 03, 2021, 11:27:57 pm »
“WAN net” doesn’t mean “everything on the internet”. It just means the network configured on the WAN interface.
bitTwiddler (Newbie, Posts: 28, Karma: 0)
Re: Unable to block traffic from DMZ to LAN
« Reply #7 on: June 04, 2021, 12:12:57 am »
Understood. I guess I was thinking that OPNsense knew WAN is the outbound interface to the Internet based upon the fact that it has the default gateway.
I am not a big fan of default allow rules but I don't see a workaround in this case.
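Added example, not from this thread or from the OPNsense project: a small Python model of first-match firewall evaluation that reproduces the two pitfalls discussed above, the /1-for-/32 prefix typo from Reply #4 and Reply #6's point that "WAN net" is only the subnet configured on the WAN interface. All interface networks and hosts are constructed (RFC 1918 and RFC 5737 documentation ranges), the `Rule` tuple and the `invert_dst` flag are this example's own abstraction of the rule editor's destination and "invert" fields, and `exposed_addresses` is a hypothetical lint that counts how many LAN addresses a single pass rule can reach.

```python
"""Model of first-match rule evaluation plus a lint for rules that reach LAN.

Added example; everything here is constructed and is not the poster's
real configuration or OPNsense's own code.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str                    # "pass" or "block"
    src: ipaddress.IPv4Network     # source network
    dst: ipaddress.IPv4Network     # destination network
    invert_dst: bool = False       # models the rule editor's "invert" checkbox


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR the way a firewall does: host bits are masked away, so a
    prefix typo like 192.168.1.53/1 silently becomes 128.0.0.0/1."""
    return ipaddress.ip_network(cidr, strict=False)


# Constructed interface networks (hypothetical addressing).
LAN_NET = net("192.168.1.0/24")
DMZ_NET = net("192.168.50.0/24")
WAN_NET = net("203.0.113.0/24")    # what the "WAN net" alias resolves to


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Return the action of the first matching rule; default deny otherwise."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in r.src:
            continue
        # XOR with invert_dst: a non-inverted rule matches when dst is inside,
        # an inverted rule matches when dst is outside.
        if (dst in r.dst) != r.invert_dst:
            return r.action
    return "block"


def exposed_addresses(rule: Rule, protected: ipaddress.IPv4Network) -> int:
    """Hypothetical lint: number of addresses in `protected` that this pass
    rule can reach. CIDR blocks are either nested or disjoint, which keeps
    the arithmetic simple."""
    if rule.action != "pass":
        return 0
    if not rule.invert_dst:
        if not rule.dst.overlaps(protected):
            return 0
        return min(rule.dst.num_addresses, protected.num_addresses)
    # Inverted destination: everything in `protected` that is NOT in rule.dst.
    if protected.subnet_of(rule.dst):
        return 0
    if rule.dst.subnet_of(protected):
        return protected.num_addresses - rule.dst.num_addresses
    return protected.num_addresses


def lan_exposure(rules: List[Rule]) -> List[Tuple[Rule, int]]:
    """All pass rules that reach at least one LAN address, with the count."""
    return [(r, exposed_addresses(r, LAN_NET)) for r in rules
            if exposed_addresses(r, LAN_NET) > 0]


# Reply #4: the intended /32 for the DNS forwarder was typed as /1.
TYPO_RULES = [Rule("pass", DMZ_NET, net("192.168.1.53/1"))]    # -> 128.0.0.0/1
FIXED_RULES = [Rule("pass", DMZ_NET, net("192.168.1.53/32"))]

# Reply #6: "pass to WAN net" does not reach the internet at all.
WAN_NET_RULES = [Rule("pass", DMZ_NET, WAN_NET)]
# One common shape of the fix: pass to anything that is NOT LAN net.
INVERT_RULES = [Rule("pass", DMZ_NET, LAN_NET, invert_dst=True)]

if __name__ == "__main__":
    dmz_host, lan_host, internet_host = "192.168.50.10", "192.168.1.20", "198.51.100.10"
    print("typo rule parses as:", net("192.168.1.53/1"))
    print("typo rules, DMZ -> LAN host:", first_match(TYPO_RULES, dmz_host, lan_host))
    print("fixed rules, DMZ -> LAN host:", first_match(FIXED_RULES, dmz_host, lan_host))
    print("WAN net rules, DMZ -> internet:", first_match(WAN_NET_RULES, dmz_host, internet_host))
    print("inverted rules, DMZ -> internet:", first_match(INVERT_RULES, dmz_host, internet_host))
    print("inverted rules, DMZ -> LAN host:", first_match(INVERT_RULES, dmz_host, lan_host))
    for rule, count in lan_exposure(TYPO_RULES + FIXED_RULES):
        print(f"{rule.dst} reaches {count} LAN address(es)")
```

The `/1` typo is invisible in a rule list that shows only the address you typed; it only becomes obvious when the parsed network is printed (`128.0.0.0/1`) or when the lint reports that the rule reaches all 256 LAN addresses instead of one. The inverted-destination rule gets DMZ hosts to the internet while keeping LAN unreachable, but it also passes traffic to any other local subnet and to the firewall's own non-LAN addresses, so an explicit block for those belongs above it, or the "pass" is replaced by per-service rules as thogru describes.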