Firewall Rules don't work

Started by deathnote, March 10, 2022, 07:44:49 AM

Hi all.

Why don't the rules work?

https://prnt.sc/KMq6yCJQazzv

I need to create these rules.

VLAN 231 can ping itself, but can't ping VLAN 232.

VLAN 232 can ping itself and VLAN 233.
VLAN 233 can ping itself and VLAN 232.

VLAN 233 can't ping VLAN 231.

Now I'm trying to create "ping self" for VLAN 232, but the rules don't work.

Thanks for the help

Going to need more details to help out with this but just a couple of comments so far. Your specific rules will be easier to manage if you create them for each interface rather than as floating rules. Also, there is no need to mention "ping self" because traffic that stays on the same subnet will always be allowed because it doesn't even pass through the firewall for evaluation.

Here are my general suggestions:

I see that you have an alias for RFC1918 ranges. On each VLAN that needs internet access, create a rule that allows all access to the inverse (NOT) RFC1918. That will provide internet (WAN) access but no inter-VLAN communication. Next, on any VLAN that needs to access another VLAN, create specific allow rules that go before the internet rule.

That should pretty much get you started. Remember, any traffic not explicitly allowed will be blocked by default. Therefore, try to think in terms of creating allow rules that are only as permissive as necessary rather than trying to put block rules everywhere. Hope that helps.

Quote from: jp0469 on March 10, 2022, 02:23:26 PM
Going to need more details to help out with this but just a couple of comments so far. Your specific rules will be easier to manage if you create them for each interface rather than as floating rules. Also, there is no need to mention "ping self" because traffic that stays on the same subnet will always be allowed because it doesn't even pass through the firewall for evaluation.

Here are my general suggestions:

I see that you have an alias for RFC1918 ranges. On each VLAN that needs internet access, create a rule that allows all access to the inverse (NOT) RFC1918. That will provide internet (WAN) access but no inter-VLAN communication. Next, on any VLAN that needs to access another VLAN, create specific allow rules that go before the internet rule.

That should pretty much get you started. Remember, any traffic not explicitly allowed will be blocked by default. Therefore, try to think in terms of creating allow rules that are only as permissive as necessary rather than trying to put block rules everywhere. Hope that helps.


I already created it, in the screenshot in the first post, and these rules don't work.

Rules are evaluated in order, so the RFC1918 block matches first.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks

Do this

https://prnt.sc/T2cP5WcnPMPC

Ping works within VLAN 231 itself.

But if I disable the rules, ping also works from VLAN 231 to VLAN 231. Why?

The rules unfortunately work incorrectly.

P.S. On the DFL 870 I don't have this problem...

Quote from: deathnote on March 11, 2022, 07:40:55 AM
I already created it, in the screenshot in the first post, and these rules don't work.
I saw your screenshot but my comment still stands. Do away with the floating rules and create rules on each interface for your VLANs as I suggested and you'll have better success in managing your traffic.

Quote from: jp0469 on March 12, 2022, 07:30:12 PM
Quote from: deathnote on March 11, 2022, 07:40:55 AM
I already created it, in the screenshot in the first post, and these rules don't work.
I saw your screenshot but my comment still stands. Do away with the floating rules and create rules on each interface for your VLANs as I suggested and you'll have better success in managing your traffic.

I don't need to create rules on each interface, because it works incorrectly!!!

A very strange thing is happening.

When you turn off the rules, there is still a ping, but when you turn off the interface, wait 5 seconds and then turn it back on, the ping is passed according to the rules.


Not sure I understand why you are "turning off the interface" or what that even means. Also, if you are enabling and disabling rules, are you clearing the firewall states between testing? It's still not very clear what you are trying to achieve for each of your VLANs. If you create a list of your VLANs and guidelines for each, we can easily come up with working rules for each interface. For example, something like:

VLAN1: Internet access but no access to other VLANs
VLAN2: Internet access and access to VLAN1 but not VLAN2
VLAN3: No internet access, access to server on VLAN1 only

Quote from: jp0469 on March 14, 2022, 01:50:35 PM
Not sure I understand why you are "turning off the interface" or what that even means. Also, if you are enabling and disabling rules, are you clearing the firewall states between testing? It's still not very clear what you are trying to achieve for each of your VLANs. If you create a list of your VLANs and guidelines for each, we can easily come up with working rules for each interface. For example, something like:

VLAN1: Internet access but no access to other VLANs
VLAN2: Internet access and access to VLAN1 but not VLAN2
VLAN3: No internet access, access to server on VLAN1 only

"turning off the interface" - in the computer!

Can someone explain to me why the rules do not work in real time when you turn them off?

This was verified as follows.

You turn off the ping rule, and we look at the ping on the machines and see that the ping continues, but in the firewall the rule allowing ping is disabled. On this machine, turn off the network interface and turn it back on: the pings are gone. Turn on the rule and the pings appear.

This only happens when you disable or remove the rules, for some reason they do not work in real time.

OPNsense is a stateful firewall. A TCP connection, but also a continuous stream of UDP or ICMP packets, establishes a flow. If the initiation of the flow is permitted, the flow continues to be permitted. For UDP and ICMP this is implemented via timeouts, since there is no proper tear down of the connection or other means (SYN cookie, sequence number) to properly identify a connection.

Quote from: pmhausen on March 17, 2022, 07:48:29 AM
OPNsense is a stateful firewall. A TCP connection, but also a continuous stream of UDP or ICMP packets, establishes a flow. If the initiation of the flow is permitted, the flow continues to be permitted. For UDP and ICMP this is implemented via timeouts, since there is no proper tear down of the connection or other means (SYN cookie, sequence number) to properly identify a connection.

Thanks.

How do I fix this? I mean, how do I configure OPNsense to work in real time?

I mean, if I disable rules, immediately block any ping and traffic?

Thanks

In the UI navigate to Firewall > States > Actions and click on "Reset state table".

Caveat: in a live production environment this will kill all active connections, e.g. long running downloads.

Quote from: pmhausen on March 17, 2022, 10:21:49 AM
In the UI navigate to Firewall > States > Actions and click on "Reset state table".

Caveat: in a live production environment this will kill all active connections, e.g. long running downloads.

Do I have to do this every time I disable some rules?

March 17, 2022, 11:57:16 AM #14 Last Edit: March 17, 2022, 11:59:32 AM by pmhausen
If you want the new ruleset to be effective for established connections - yes.

And again: this will kill all TCP connections currently passing through the firewall and they will not be re-established automatically. This firewall product is not a simple static packet filter. Although you can turn it into one if you insist. You can disable all state tracking.

But in that case you need firewall rules for both directions of a flow, adjust port numbers (> 1024) and flags (ACK) accordingly and get an overall less secure setup.
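As an added illustration (not OPNsense or pf code, and not posted by anyone in this thread) of the behaviour pmhausen explains: rules are consulted only for the first packet of a flow, an allowed flow lives on in the state table until its ICMP timeout expires or the table is reset, and rules are matched top to bottom as noted earlier in the thread. The VLAN subnets, hosts and the 10-second ICMP timeout are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network   # matched against the packet source
    dst: list                    # destination networks
    negate_dst: bool = False     # True models a "NOT RFC1918" destination

    def matches(self, src, dst):
        in_dst = any(dst in n for n in self.dst)
        return src in self.src and (not in_dst if self.negate_dst else in_dst)

@dataclass
class StatefulFilter:
    rules: list                                  # evaluated top to bottom, first match wins
    icmp_timeout: int = 10                       # seconds an idle ICMP flow keeps its state (assumed)
    states: dict = field(default_factory=dict)   # (src, dst) -> time last seen

    def evaluate(self, src, dst, now):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key, last = (src, dst), self.states.get((src, dst))
        if last is not None and now - last <= self.icmp_timeout:
            self.states[key] = now               # established flow: rules are not consulted
            return "pass (state)"
        self.states.pop(key, None)               # drop any expired state entry
        for rule in self.rules:
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.states[key] = now       # an allowed first packet creates state
                return rule.action
        return "block"                           # default deny

    def reset_states(self):
        self.states.clear()                      # Firewall > States > Actions > Reset state table

def ping_after_rule_removed():
    # Constructed scenario: a host on VLAN 232 (10.0.232.0/24) pings a host on VLAN 233 (10.0.233.0/24).
    vlan232 = ipaddress.ip_network("10.0.232.0/24")
    allow_233 = Rule("pass", vlan232, [ipaddress.ip_network("10.0.233.0/24")])
    fw = StatefulFilter([allow_233, Rule("pass", vlan232, RFC1918, negate_dst=True)])
    results = [fw.evaluate("10.0.232.5", "10.0.233.7", now=0)]      # allowed by rule, state created
    fw.rules.remove(allow_233)                                       # operator disables the rule
    results.append(fw.evaluate("10.0.232.5", "10.0.233.7", now=1))  # still passes via state
    fw.reset_states()
    results.append(fw.evaluate("10.0.232.5", "10.0.233.7", now=2))  # now blocked: only NOT-RFC1918 rule left
    return results
```

Letting the flow go idle past the timeout has the same effect as the reset, which is why the original poster saw pings stop after bouncing the client's network interface.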