Firewal rules only apply to DHCP clients?

[beertooth]

Hi all..  I'm just getting my feet wet with OPNsense and more detailed network management for my home setup.  Ultimately looking for network separation for work, iot, etc etc.

I am running version 23.1 on a protectli box with 4 nics, and so far have WAN, LAN, OPT1 configured so that LAN is sort of a master subnet with access to everything and OPT1 is going to be where all my subnets live.  I'm using physical subnets for now so that I can build a better understanding before getting into 802.11Q configurations.

Yesterday I was having some problem getting internet on OPT1 even tho I set a firewall rule that allowed for any connections outside of the 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 networks.  DHCP was enabled for a slice of the subnet but I had a switch connected to OPT1 and then an WAP also connected to the switch with static IPs set outside of that range.

[OPT1] -> [SWITCH /static] -> [WAP /static]

With this setup i was able to verify with my iPhone that I got a DHCP reservation on the correct subnet, but no internet.  I enabled logging on the firewall rule created above but nothing showed up in the log, so nothing was matching my rule. 

I finally went back into both my switch and my wap to enable them as DHCP clients, and viola, firewall rules started taking effect and I was able to reach the internet. 

So, my main question is, is there some reason that the selection of [OPT1 Net] applies only to addresses handed out by DHCP?   

My other suspicion is that DNS is not working properly unless clients are auto-assigned everything by DHCP.  But here also I do not know the proper configuration.  It does appear that all my internet requests come through with DNS requests to the OPT1 gateway address, and thus are blocked by a floating 'block all' rule.  In this case do I simply add another rule to allow OPT1 clients access to the gateway for DNS requests or is there something fundamentally wrong with this?

Sorry this got to be a long post! 

[FLguy]

[OPT1] -> [SWITCH /static] -> [WAP /static]

With this setup i was able to verify with my iPhone that I got a DHCP reservation on the correct subnet, but no internet.  I enabled logging on the firewall rule created above but nothing showed up in the log, so nothing was matching my rule. 

I finally went back into both my switch and my wap to enable them as DHCP clients, and viola, firewall rules started taking effect and I was able to reach the internet. 

So, my main question is, is there some reason that the selection of [OPT1 Net] applies only to addresses handed out by DHCP?   

My other suspicion is that DNS is not working properly

Mr. tooth,

Without knowing what switch and AP you are using its hard to give a definitive answer.  But really there would be zero reasons why the internet would have started working on the iphone by just switching the switch/AP to DHCP.  Remember these IP's of those devices are only for accessing the management plane of both devices, and most often do not affect the data plane in moving traffic.  e.g. traffic between iPhone > FW > Internet.  This is not 100% the case these days, as lots of wireless APs due play a role in L3 traffic.  I'm not a fan of this.  I guess I'm just oldschool AP = Layer 2...  Another example, is you should be able to out remove the IPs on the switch and APs, if they still had their configurations, L2 should be working and the iPhone should be able to reach the internet.  As I too feel, as I was reading your post you are having DNS issues not a routing issue. 

The Odd thing to keep in mind is the rule hits after switching to DHCP.  :|  All three devices are using DHCP from OPNsense?  if that is the case, I'm i suggest the best of all worlds.  DHCP reservations, OPNsense calls this  DHCP Static Mappings.

Services > DHCPv4 > Leases

Click the + to the right of your switch/AP this will create a static mapping.  Just set the static map with the "static" (not really a static) IP address you wanted to set.  Optionally, you can change any other DHCP options, but I wouldn't.  Thats the best of both worlds, using DHCP but you assign the IPs you want those devices to have.    This is how I have everything at home.  Only end point devices have dynamic IPs, everything else like Switches, APs, Cameras, servers, etc get static maps. 

[beertooth]

As I too feel, as I was reading your post you are having DNS issues not a routing issue. 

yeah..  the more i'm watching things, this seems to be the problem.

I am using a Zyxel XGS1210-12 switch - and it is currently set to DHCP.  Even if I wanted to set the IP manually in the zyxel gui, there is no DNS field (you know, so i couldn't mess that up). 

Plugging in an extra PC to one of the switches other ports, with the PC set also to DHCP, the internet is still not working because this new pc is trying to ping the subnet gateway (at DNS port) for dns requests. 

This seems like OK behavior right?  I mean, something inside my settings is telling DHCP to serve the gateway address as DNS server.  But of course my firewall rules for this subnet are not applying since the subnet's gateway is indeed part of the internal network.

Is it OK (or normal) to need a firewall rule to allow dns requests through the gateway?  I haven't seen anything like this in the many guides I have read.  It seems logical but maybe there is something unsafe about it that I am not aware.

Thanks

[FLguy]

Plugging in an extra PC to one of the switches other ports, with the PC set also to DHCP, the internet is still not working because this new pc is trying to ping the subnet gateway (at DNS port) for dns requests.

So by default, OPNsense enables DHCP server for LAN-type interfaces, also by default the DNS server set by DHCP option will be the LAN interface's IP.  So yes, by default your FW, is also DHCP and DNS for that subnet.  If you start adding deny rules on that interface.  You must have permitting (OPNsense "pass") rules to pass some traffic.  Permitting DNS rule is a must!  As you can see, the "Automatically generated rules" at the top of the rules are to allow DHCP to function.  To protect yourself from yourself.  Also an anti-lockout rule to preventing yourself to block yourself from reaching the Firewalls GUI. 

I am translating this: "trying to ping the subnet gateway as DNS port".  As, you are seeing from the firewall, the PC attempting to use DNS.   Because "ping the gateway" has the actual meaning of sending ICMP packets from the PC to the Firewall. 

This seems like OK behavior right?  I mean, something inside my settings is telling DHCP to serve the gateway address as DNS server.  But of course my firewall rules... 

For sure, and is the default configuration out of the box.    Go to Services > DHCPv4 > [OPT1]  Click the "i" next to DNS servers it will read:
Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers.
Meaning your DHCP option for DNS to your DHCP clients will be IP for OPT1.  On the PC run ipconfig /all (on windows, if your running Linux its not as easy but 500 ways to find it )  Some advice, there is nothing "of course" about making configuration changes.  If you add rules to the firewall and don't tell us what rules were added, it's hard to tell what is going on against the default behavior. 

But it's pretty clear now, haha, you're blocking DNS traffic, which makes you feel as if you have no internet access but the internet is accessible.  e.g. on the PC run ping 8.8.8.8, and you will get replies.  Now ping google.com ping stops and tells you can't translate the hostname, as DNS is being blocked.