Topic: Problem with floating rule "let out anything from firewall host itself" (Read 922 times)
kreilinger
Newbie
Posts: 6
Karma: 1
Problem with floating rule "let out anything from firewall host itself"
« on: March 10, 2023, 10:25:50 am »
Hi guys,
I am relatively new to OPNsense but have experience with Sophos and SonicWALL.
At the moment I have the following setup:
VDSL PPPoE with 1 static v4 Address and a static /60 v6 allocation
LAN: 10.10.10.0/24, :1::1/64 address from provider allocated /60
WAN: Static IPv4 /32, Static IPv6 :0::1/64 from provider allocated /60
VLAN10: :a::1/64 from provider allocated /60
In my VLAN10 network there is a single Debian VM with static IP :a::2/64.
There are no custom floating rules other than the default ones.
There is only one custom rule on the LAN interface:
IP4+IP6 from * to !RFC1918 Networks allow
There is no rule on the VLAN10 interface
With this configuration in place, I expected that when I want to SSH from a LAN IPv6 client to the VLAN10 Debian VM on its IPv6 address, it would be blocked by default. But it is allowed.
Live log shows that it is allowed because of the auto-generated floating rule named "let out anything from the firewall itself".
Shouldn't the default in that case be that this traffic would be blocked? I would have expected that I need a rule on the LAN interface allowing TCP 22 to VLAN10 net or the specific IP.
« Last Edit: March 10, 2023, 10:38:21 am by kreilinger »
Patrick M. Hausen
Hero Member
Posts: 6797
Karma: 571
Re: Problem with floating rule "let out anything from firewall host itself"
« Reply #1 on: March 10, 2023, 11:44:22 am »
That custom rule covers that traffic. IPv6 in VLAN10 is not RFC1918, so it's permitted.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
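The point of the reply above, worked through as an added example that is not part of the original thread: the "RFC1918 Networks" alias only contains IPv4 blocks, so a rule whose destination is "!RFC1918 Networks" matches every IPv6 destination, including the firewall's own other VLANs. The script below evaluates the thread's rule and a hardened variant (an alias listing every local prefix, v4 and v6) against sample destinations. The provider /60 is not on the page, so the documentation prefix 2001:db8::/60 is a constructed stand-in for it; the assumption that the built-in alias holds exactly the three RFC1918 blocks is also labelled in the code.

```python
import ipaddress

# Constructed stand-in for the OPNsense "RFC1918 Networks" alias (assumption:
# the built-in alias covers exactly these three IPv4 blocks and nothing else).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed local networks for the thread's layout. The provider /60 is not
# on the page, so 2001:db8::/60 (documentation prefix) stands in for it.
LOCAL_NETS = RFC1918 + [ipaddress.ip_network(n) for n in (
    "2001:db8:0:1::/64",   # LAN IPv6 (":1::1/64" in the post)
    "2001:db8:0:a::/64",   # VLAN10 IPv6 (":a::1/64" in the post)
    "fc00::/7",            # IPv6 ULA, the closest IPv6 analogue of RFC1918
)]


def in_any(addr, nets):
    """True if addr lies inside one of nets. ipaddress never reports an
    IPv6 address as contained in an IPv4 network, which is exactly why
    '!RFC1918' lets all IPv6 through."""
    return any(addr in net for net in nets)


def allowed_by_not_rfc1918(dst):
    """The thread's LAN rule: 'IP4+IP6 from * to !RFC1918 Networks allow'."""
    return not in_any(ipaddress.ip_address(dst), RFC1918)


def allowed_by_not_local(dst):
    """Hardened variant: negate an alias that lists every local prefix,
    IPv4 and IPv6, so inter-VLAN traffic is not swept up by the rule."""
    return not in_any(ipaddress.ip_address(dst), LOCAL_NETS)


def decide(dst):
    """Return (thread_rule_match, hardened_rule_match) for a destination.
    A non-match falls through to OPNsense's default deny on the interface."""
    return (allowed_by_not_rfc1918(dst), allowed_by_not_local(dst))


# Constructed sample destinations mirroring the thread's setup.
SAMPLE_DESTINATIONS = {
    "10.10.10.5":               "LAN IPv4 host",
    "2001:db8:0:a::2":          "VLAN10 Debian VM (':a::2/64' in the post)",
    "8.8.8.8":                  "public IPv4 host",
    "2a00:1450:400d:802::200e": "google.com IPv6 address from the post",
}

if __name__ == "__main__":
    for dst, label in SAMPLE_DESTINATIONS.items():
        rule, hardened = decide(dst)
        print(f"{dst:26} {label:44} "
              f"!RFC1918: {'pass' if rule else 'block'}  "
              f"!LocalNets: {'pass' if hardened else 'block'}")
```

Running it shows the VLAN10 VM's IPv6 address passing the "!RFC1918" rule while the same host's IPv4 neighbour on LAN is blocked; the "!LocalNets" variant blocks both and still lets the two public destinations through, which is the behaviour the original poster expected.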
kreilinger
Newbie
Posts: 6
Karma: 1
Re: Problem with floating rule "let out anything from firewall host itself"
« Reply #2 on: March 10, 2023, 12:27:25 pm »
Ah, I was confused because I had not turned on logging on the rule, so I did not see it in the live log.
Most firewalls I worked with have a kind of "Internet V4/V6" address object that automatically matches anything but the local networks.
I just stumbled upon another problem:
I have an additional Wireguard tunnel to Route48.org (IPv6 Tunnelbroker) which I used prior to getting native IPv6 WAN access.
So I still have another VLAN20 using a /64 range from the assigned /48.
I just realized that now that I have native v6 WAN connectivity, it seems that the firewall tries to send traffic out of the native WAN interface instead of through the tunnel interface.
The VLAN20 interface has the same single custom rule as the LAN interface stated above, but with the addition that I set the gateway to the tunnel interface gateway.
When I try to ping google.com [2a00:1450:400d:802::200e], live log shows 2 entries for this destination:
IN VLAN20 matching my custom rule
OUT WAN let out anything from the firewall host itself
Whilst I would expect it to use the tunnel gateway and therefore the tunnel interface for outbound.