OPNsense Forum » English Forums » General Discussion
Firewall Rules - WAN address/ net
Topic: Firewall Rules - WAN address/ net (Read 17049 times)
coalbl4ck (Newbie, Posts: 8, Karma: 0)
Firewall Rules - WAN address/ net
« on: April 06, 2022, 11:33:03 pm »
Hi,
so basically by accident I stumbled upon this.
In my setup I have a router from the ISP and behind that is my OPNsense.
So, I was playing around with ICMP on my firewall (DNS resolution works) and I have two scenarios.
1. Destination = *
2. Destination = WAN net/ address
Now the second doesn't work (blocked by default deny), so I was wondering if maybe my understanding of WAN net is wrong.
I thought of it as all IP addresses "behind" the WAN IP address (basically the Internet).
However, that doesn't seem to be the case?
I am completely lost and I think I just completely misunderstood something and really appreciate any help!
« Last Edit: April 06, 2022, 11:42:50 pm by coalbl4ck »
Patrick M. Hausen (Hero Member, Posts: 6807, Karma: 572)
Re: Firewall Rules - WAN address/ net
« Reply #1 on: April 07, 2022, 12:07:28 am »
WAN net is the addresses local to the WAN interface and not "the Internet". So if you get a single IP address via PPPoE then WAN net is that address. If you get a statically routed /29 for a business connection, then WAN net is that /29.
True for all interfaces. XY net = the directly connected network on interface XY.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
coalbl4ck (Newbie, Posts: 8, Karma: 0)
Re: Firewall Rules - WAN address/ net
« Reply #2 on: April 07, 2022, 12:41:41 am »
Yeah, that's kind of what I thought also, and it clears things up. Thank you!
Also, it leaves me with another question.
If I have multiple interfaces (e.g. WAN, LAN, DMZ), is it possible to restrict the DMZ so that it can only ping/ request data from WAN?
bimbar (Sr. Member, Posts: 435, Karma: 25)
Re: Firewall Rules - WAN address/ net
« Reply #3 on: April 07, 2022, 10:32:51 am »
The accepted solution seems to be that WAN is everything that is not yours. Or possibly not RFC1918 addresses.
In IPv6 this gets more difficult.
Patrick M. Hausen (Hero Member, Posts: 6807, Karma: 572)
Re: Firewall Rules - WAN address/ net
« Reply #4 on: April 07, 2022, 10:41:58 am »
Unfortunately pf does not have an idea about source or destination interfaces. The rules work on an interface, either in or out, but "destined for the Internet interface" is simply not possible.
I have a similar situation with my multi-tenant hosting environment. While each customer should be able to reach the Internet outbound without restrictions, the servers should not be able to reach into other customers' networks.
Except of course the services these other customers expose publicly, because public means public. That complicates matters a bit.
I think I'll investigate labelling packets leaving a customer's network and then checking those labels in outbound rules for all the customer interfaces.
coalbl4ck (Newbie, Posts: 8, Karma: 0)
Re: Firewall Rules - WAN address/ net
« Reply #5 on: April 07, 2022, 12:28:41 pm »
Okay, I see.
I thought it would be a bigger deal, but having an "out" rule works just as well.
Your problem sounds interesting.
The labeling can be done via tags in the firewall rules, right?
Haven't found a use case yet where I could make use of them, unfortunately.
bimbar (Sr. Member, Posts: 435, Karma: 25)
Re: Firewall Rules - WAN address/ net
« Reply #6 on: April 08, 2022, 09:25:21 am »
Out rules are a problem, since they have to match in addition to the in rules, and it makes the whole thing very complicated and hard to understand.
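A worked pf.conf version of the points made across this thread, added here as an example; it is neither one of the posters' rulesets nor the ruleset OPNsense generates. It shows what "WAN address" and "WAN net" resolve to in pf (Patrick's reply #1), why a LAN ping rule with destination "WAN net" never reaches the Internet (the opening post), and how to restrict a DMZ to WAN-only egress (reply #2) with the packet-tagging approach Patrick outlines in reply #4, which OPNsense exposes in the rule editor's advanced options as "Set local tag" and "Match local tag", together with the out-side rules bimbar warns about in reply #6. Interface names igb0/igb1/igb2, the addresses and the tag name are assumptions.

```pf
# Added example, not from this thread and not OPNsense's generated rules.
# Plain FreeBSD pf.conf, the layer OPNsense renders its GUI rules into.
# Interface names, address ranges and the tag name are assumptions.
wan = "igb0"   # ISP-routed 203.0.113.8/29; on PPPoE this would be pppoe0 with one /32
lan = "igb1"   # 192.168.1.0/24
dmz = "igb2"   # 192.168.2.0/24

# What the GUI aliases mean in pf terms:
#   ($wan)        "WAN address": the address currently assigned to $wan
#   $wan:network  "WAN net":     the network directly attached to $wan, i.e. the /29
#                                on a routed link, or just the single address on PPPoE
# There is no alias for "everything reachable via WAN"; that is plain "any".

set skip on lo0
nat on $wan inet from { $lan:network, $dmz:network } to any -> ($wan)
block log all                               # default deny in both directions

# The opening post's LAN ping rule. "to any" works; "to $wan:network" would only
# match pings aimed at hosts inside the /29 itself (and nothing useful on PPPoE).
pass in quick on $lan inet proto icmp from $lan:network to any icmp-type echoreq

# DMZ policy: may use the firewall's own resolver, nothing else on the firewall
# ("self" is every address the box holds, including its LAN address), and must
# otherwise leave via WAN. pf cannot match "to interface WAN", so the in rule on
# $dmz stamps the packet with a tag and the out side of each interface decides.
pass in  quick on $dmz proto { tcp, udp } from $dmz:network to ($dmz) port domain
block in quick on $dmz from $dmz:network to self
pass in  quick on $dmz from $dmz:network to any tag FROM_DMZ

# Out side. A forwarded packet is filtered twice, in on the ingress interface and
# out on the egress interface, so without a matching pass-out rule "block log all"
# wins; OPNsense normally covers this with its automatically generated pass-out
# rules. The tag rules never enumerate local prefixes, so they apply unchanged
# to IPv6.
block out quick on $lan tagged FROM_DMZ     # DMZ -> LAN dropped on its way out of $lan
pass  out quick on $wan                     # anything leaving via WAN, tagged or not
pass  out quick on { $lan, $dmz }           # remaining egress keeps its in-rule decision
```

Check it with `pfctl -nf <file>` before loading; on OPNsense the rendered ruleset is in /tmp/rules.debug and `pfctl -sr` shows what is loaded. The simpler variant bimbar describes ("everything that is not yours") replaces the tag with an explicit deny list on the DMZ in side, e.g. `block in quick on $dmz from $dmz:network to { $lan:network, $wan:network, 10/8, 172.16/12, 192.168/16 }` ahead of the `pass in quick on $dmz ... to any`, at the cost of maintaining that list separately for IPv6. Patrick's multi-tenant case is the same pattern with one tag per customer interface, a `block out ... tagged` for that tag on every other customer interface, and explicit pass-out rules for the services a customer publishes.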