Firewall rules peer review

[mircolino]

I just recently switched to opnsense and so far I love it.
It's running in a Hyper-V VM with full SR-IOV enabled (Mellanox ConnectX-3 Pro) on all networks and the performance is impressive.

I just finished setting up the firewall rules. So far everything seems to be working as expected, but I just wanted to run it through the community to make sure I'm doing it right or maybe there's a better/safer/more optimized way.

The setup is fairly self-explanatory. We have 5 networks: WAN, LAN, DMZ, IOT and GUEST. The opnsense router (hostname edge) is acting as RA, DHCPv4, DNS and NTP server. We have a WEB server (hostname pub) on the DMZ network.

Requirements:

- all networks must be able to access the WEB server
- all internal networks must use the internal DNS server
- LAN can access anything
- DMZ, IOT and GUEST can only access the internet (besides the pub web server)

The following is the firewall configuration:

[Greelan]

Looks pretty neat to me. You’ve even given me a couple of ideas for some tidy-ups on my own config

[mircolino]

Thanks! 👍

[guest29153]

This looks good!
It also provides me some inspiration, just like Greelan.
One tip regarding Port Forwarding. You forward to “INTERNAL NET”, which resembles the whole INTERNAL subnet.
I think what you are after, is to redirect to the firewall even if a host in that segment has a different DNS server configured, right? In that case, you need to replace ‘INTERNAL net’ by INTERNAL address’.

The rules on DMZ, IOT and GUEST pointing to the interface address, are they intended to provide services like DNS and NTP, assuming you have configured servers as part of the DHCP configuration?

Enjoy your configuration on this nice piece of software

[mircolino]

Thank you for the tips! 👍

One tip regarding Port Forwarding. You forward to “INTERNAL NET”, which resembles the whole INTERNAL subnet.
I think what you are after, is to redirect to the firewall even if a host in that segment has a different DNS server configured, right? In that case, you need to replace ‘INTERNAL net’ by INTERNAL address’.

I'd eventually like internal clients to be able to use other internal DNS servers (besides the router itself). I just don't want them to use external ones.
Also, probably because it's a group and not a real network, "!INTERNAL address" is not an available choice when selecting the NAT destination. I guess I could use "!This Firewall" instead.

The rules on DMZ, IOT and GUEST pointing to the interface address, are they intended to provide services like DNS and NTP, assuming you have configured servers as part of the DHCP configuration?

Good point. Normally addresses on the same net don't need routing so I thought that just one rule with destination "!INTERNAL net" would limit DMZ, IOT and GUEST access only to their own net and to the internet. However, it turns out, this also kills access to their net gateway, so I had to specifically enable that. Same as above, I could use "This Firewall" instead of the interface address to make it clearer.

[Greelan]

I'd eventually like internal clients to be able to use other internal DNS servers (besides the router itself). I just don't want them to use external ones.

Bear in mind that you will need additional rules to accommodate other internal DNS servers. I have a setup like that, ie OPNsense does not provide DNS for my network, rather a separate host running Pi-hole/unbound does. But to get a setup like yours working, an exception would need to be added to allow Pi-hole/unbound to access external DNS servers.

Good point. Normally addresses on the same net don't need routing so I thought that just one rule with destination "!INTERNAL net" would limit DMZ, IOT and GUEST access only to their own net and to the internet. However, it turns out, this also kills access to their net gateway, so I had to specifically enable that. Same as above, I could use "This Firewall" instead of the interface address to make it clearer.

I encountered this behaviour too previously when creating similar rules. Initially I was confused like you. But after thinking about it, it makes sense. While layer 2 is used to reach the gateway on the same subnet, once the traffic arrives it is logical that it should be subject to the filter rules. Same as another computer on your LAN - while traffic from other LAN hosts won't be routed by OPNsense to get to the computer, once there it will be subject to the computer's firewall rules. So if there is not a specific rule allowing access to the gateway, the traffic will be dropped. OPNsense does create some automatic rules for DHCP and ICMP, but not for DNS or other services.

[mircolino]

Yep, after the initial perplexity, it totally makes sense now.
Thank you for validating my setup. Need to learn floating rules now and see if I can simplify the rules even further 🤔

[Greelan]

I don’t think floating rules will achieve much more than your current method of using a group. And what I really like about the group approach is that the corresponding “net” is defined, which avoids the need for separate aliases (which is what I previously did). It also means things are updated automatically if the group network ranges are changed.

[mircolino]

I don’t think floating rules will achieve much more than your current method of using a group.

You are right, not worth it.
I ended-up moving all individual net rules under the INTERNAL umbrella. They are evaluated first, and this also gives me a better control over the flow of execution.
I could have merged the three gateway access rules down to one using "This Firewall" as a destination but I don't want to give each net access to other nets gateway.