Topic: New user firewall help (Read 1168 times)
ilium007 (Newbie, Posts: 7, Karma: 0)
New user firewall help
on: July 14, 2022, 04:44:42 am
I have a new OPNsense installation with a few VLANs being given to wireless clients by a Unifi AP.
I am running Unbound DNS on OPNsense that uses DNS over TLS, and DHCP gives clients the piHole server for DNS. piHole forwards queries to Unbound DNS on OPNsense to make use of DNS over TLS.
I would like to have clients on the VLANs use the 192.168.10.4 DNS server but nothing else. The LAN interface has the default firewall rule to accept all from 'LAN net', and the KIDS interface has the default rule to accept all from 'KIDS net'.
I cannot work out why DNS requests from the KIDS network (192.168.13.0/24) are being allowed to LAN net (192.168.10.0/24).
Why is the 'Source' 'LAN net' allowing traffic from 192.168.13.0/24?
Last Edit: July 14, 2022, 04:51:56 am by ilium007
ilium007 (Newbie, Posts: 7, Karma: 0)
Re: New user firewall help
Reply #1 on: July 14, 2022, 04:55:18 am
Default firewall rules. Enabling / disabling the LAN net DNS rule in the screenshot has no effect. KIDS net clients can access any 192.168.10.0/24 subnet address. I know I am misunderstanding some concept here, I just can't work out what. From reading the OPNsense docs, the firewall rules apply to ingress traffic to an interface, so LAN rules apply to traffic coming into the LAN interface from other interfaces / subnets.
It is as if 192.168.13.0/24 addresses (KIDS) are somehow part of the 'LAN net' definition.
Last Edit: July 14, 2022, 04:58:50 am by ilium007
ilium007 (Newbie, Posts: 7, Karma: 0)
Re: New user firewall help
Reply #2 on: July 14, 2022, 05:19:00 am
'LAN' interface is 192.168.10.1/24
'KIDS' interface IP is 192.168.13.1/24
If the default KIDS firewall rule lets all traffic from 192.168.13.0/24 to the KIDS interface 192.168.13.1/24, how are clients on the KIDS network able to access any 192.168.10.0/24 resource? I have now confirmed a KIDS client can hit a webserver on 192.168.10.4/24 and ping that host as well.
ilium007 (Newbie, Posts: 7, Karma: 0)
Re: New user firewall help
Reply #3 on: July 14, 2022, 05:41:11 am
I looked at the live query and noticed that DNS traffic is allowed from 192.168.13.51 to 192.168.10.4. The live query label says "let out anything from firewall host itself". I don't get this. How is it considered "firewall host itself" when the source IP is 192.168.13.51?
Patrick M. Hausen (Hero Member, Posts: 6747, Karma: 568)
Re: New user firewall help
Reply #4 on: July 14, 2022, 07:54:24 am
If you allow from kids net to anything, computers on the kids net can reach anything exactly as you specified. Any means literally any - every other connected interface, network, Internet ...
You need to put a deny from kids net to lan net rule above that if they should only reach the Internet and not the other network.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
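The ordering point in the reply above, shown as an added example that is not part of the thread and not OPNsense code: a small first-match evaluator (OPNsense processes interface rules top to bottom, first match wins) run against the default "allow KIDS net to any" rule and against a reordered set with a specific DNS allow and a block to LAN net placed above it. The networks and the DNS host are the ones named in the thread; the rule labels and the sample flows are constructed.

```python
"""First-match rule evaluation modelled on the KIDS/LAN thread (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
LAN_NET = ip_network("192.168.10.0/24")    # from the thread
KIDS_NET = ip_network("192.168.13.0/24")   # from the thread
DNS_HOST = ip_network("192.168.10.4/32")   # piHole forwarder named in the thread


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port
    label: str = ""


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, label) of the first rule that matches; no match means block."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action, r.label
    return "block", "default deny"


# The shipped default on the KIDS interface: "any" really means any destination.
DEFAULT_KIDS = [Rule("pass", KIDS_NET, ANY, None, "Default allow KIDS net to any")]

# Reordered as suggested: specific DNS allow, then block to LAN net, then catch-all.
HARDENED_KIDS = [
    Rule("pass", KIDS_NET, DNS_HOST, 53, "KIDS net -> DNS forwarder"),
    Rule("block", KIDS_NET, LAN_NET, None, "Block KIDS net -> LAN net"),
    Rule("pass", KIDS_NET, ANY, None, "Allow KIDS net to any (Internet)"),
]

if __name__ == "__main__":
    flows = [("192.168.13.51", "192.168.10.4", 53),   # DNS to the forwarder
             ("192.168.13.51", "192.168.10.4", 80),   # web server on LAN net
             ("192.168.13.51", "1.1.1.1", 443)]       # Internet
    for name, rules in (("default", DEFAULT_KIDS), ("hardened", HARDENED_KIDS)):
        for flow in flows:
            print(name, flow, evaluate(rules, *flow))
```

With the default set every flow passes; with the reordered set only DNS to 192.168.10.4 and Internet traffic pass, and the web server on LAN net is blocked.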
ilium007 (Newbie, Posts: 7, Karma: 0)
Re: New user firewall help
Reply #5 on: July 14, 2022, 07:55:42 am
Ok thanks.