Newby: Mys(t)ery Failure of Rule

Started by balin, December 27, 2021, 02:35:43 PM

I started playing with a shiny new Opnsense box ... and immediately ran into trouble.

(Among other things) I have

As a result, the rules table for the Periphery interface looks like this:

Automatically generated rules:

| Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| IPv4 UDP | * | 68 | 255.255.255.255 | 67 | * | * | allow access to DHCP server |
| IPv4+6 UDP | * | 68 | (self) | 67 | * | * | allow access to DHCP server |
| IPv4+6 UDP | (self) | 67 | * | 68 | * | * | allow access to DHCP server |

| Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| IPv4 TCP/UDP | * | * | 127.0.0.1 | 53 (DNS) | * | * | Reroute all DNS Queries through the Firewall |
| IPv4+6 * | * | * | This Firewall | * | * | * | Allow traffic to the firewall |
| IPv4+6 * | * | * | ExternalInternetWAN net | * | * | * | Allow traffic into the external network |


I expect this to provide web access to the devices in the network served by the Periphery interface.

The logs, however, show such traffic being denied by the Default deny rule from the floating set, implying that the last rule above fails.

What am I doing wrong? Thanks for any pointers.

I'm assuming that ExternalInternetWAN is the interface that obtains your public IP from the ISP. If so ExternalInternetWAN net does not represent the entire internet. It only represents the subnet that your public IP is on. Instead, create an alias that consists of all private (RFC1918) addresses. They are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Next, change your last rule to allow traffic to the inverse (Destination/Invert checkbox) of that alias.
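The reply's point, worked through as an added example that is not part of the thread: a small first-match rule evaluator in Python, considering only the destination column, shows why a rule whose destination is "ExternalInternetWAN net" never matches Internet-bound traffic, while the inverted RFC1918 alias does. The WAN subnet (203.0.113.0/24) and the sample destination addresses are constructed; the `Rule`/`evaluate` names are this example's own, not OPNsense API.

```python
"""
Added example (not from the forum thread): minimal first-match evaluation of
the destination part of a firewall rule, contrasting the poster's original
rule (destination = WAN net) with the reply's fix (destination = !RFC1918).
"""
import ipaddress
from dataclasses import dataclass

# The alias the reply suggests creating: all RFC1918 private networks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: the subnet the WAN interface sits on. "ExternalInternetWAN net"
# expands to exactly this prefix, not to "the whole Internet".
WAN_NET = ipaddress.ip_network("203.0.113.0/24")


@dataclass
class Rule:
    action: str            # "pass" or "block"
    dst_nets: list         # networks making up the destination alias
    invert: bool = False   # the Destination/Invert checkbox
    description: str = ""

    def matches(self, dst) -> bool:
        """True when dst is in the alias, or (with invert) when it is not."""
        in_alias = any(dst in net for net in self.dst_nets)
        return (not in_alias) if self.invert else in_alias


def evaluate(rules, dst_ip: str):
    """First-match evaluation of the destination column only.
    Returns (action, description) of the first matching rule, or the
    default deny when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(dst):
            return rule.action, rule.description
    return "block", "Default deny rule"


# The poster's last rule as written: destination = ExternalInternetWAN net.
ORIGINAL_RULES = [
    Rule("pass", [WAN_NET], description="Allow traffic into the external network"),
]

# The reply's fix: destination = inverse of the RFC1918 alias.
FIXED_RULES = [
    Rule("pass", RFC1918, invert=True, description="Allow traffic to non-private destinations"),
]


if __name__ == "__main__":
    # Constructed destinations: a public host, a host on the WAN subnet, a private host.
    for ip in ("198.51.100.7", "203.0.113.10", "10.1.2.3"):
        print(ip, "original:", evaluate(ORIGINAL_RULES, ip), "fixed:", evaluate(FIXED_RULES, ip))
```

Running it shows the public destination 198.51.100.7 falling through to the default deny under the original rule (it is not inside 203.0.113.0/24) but passing under the inverted alias. The inverted alias also deliberately does not match other RFC1918 destinations such as 10.1.2.3, so any private subnet the Periphery network is meant to reach still needs its own earlier rule, as the "This Firewall" rule in the table already provides for the firewall itself.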

Many thanks for your explanation and solution - that makes it work the way I intended it.