[SOLVED] Firewall rules: allow traffic to single host

Started by francesco76, June 03, 2023, 05:03:53 AM

June 03, 2023, 05:03:53 AM Last Edit: June 03, 2023, 08:02:34 AM by francesco76
Hello,

I use OPNsense as a router in my home. I started using it as a basic router, and slowly I'm using more and more advanced features. Now I'm playing with firewall rules, but... something goes wrong.

We can suppose I have two networks (actually not true, but it is an example); for simplicity we can call them LAN and EV1. The first, LAN, is my main LAN in OPNsense (192.168.1.0/24), and EV1 is another network (192.168.3.0/24).

The two networks are allowed to go on the internet, but have to be isolated, with a single exception: any computer on EV1 can reach a single server on LAN (again, it is an example; I only want to experiment and learn).

In the attachment there is a screenshot of rules on EV1 interface.

If we ignore the second rule, everything works OK: LAN reaches the internet, EV1 reaches the internet, and they are isolated. But when I add/enable the second rule, the two networks are no longer isolated: from EV1 I can ping every host on LAN, not only 192.168.1.14. Why? Where am I going wrong?

Many thanks in advance!


PS: yes, I know that "any", talking about firewalls, is not a friendly word: to reach the server on 192.168.1.14 I could specify the exact protocol and correct ports; for now I'm just playing and learning. I just want to understand why that rule doesn't work as expected.

PPS: Sorry for my language!

Looks like you are using the wrong netmask.
Destination 192.168.1.14/24 means the whole 192.168.1.0 subnet.
To specify a single host, we use netmask 32 in IPv4 and 128 in IPv6.
Change it to 192.168.1.14/32.
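To see why the /24 rule opens the whole LAN, here is an added example (not from the thread or from OPNsense itself) that normalises the destination the way a packet filter does and then evaluates a first-match rule list modelled on the poster's description. The rule list and the sample source/destination addresses are my own assumptions for illustration.

```python
import ipaddress

# Constructed from the thread: LAN 192.168.1.0/24, EV1 192.168.3.0/24,
# and the single server 192.168.1.14. Rule order is an assumption:
# (1) the allow-to-server rule under discussion, (2) block EV1 -> LAN,
# (3) allow EV1 -> anything else (the internet). First match wins.
EV1 = "192.168.3.0/24"
LAN = "192.168.1.0/24"


def normalise(dest: str):
    """Return the prefix a firewall really matches: host bits are masked off.

    '192.168.1.14/24' becomes '192.168.1.0/24', so it matches every LAN host;
    '192.168.1.14/32' (or /128 for IPv6) stays a single address.
    """
    return ipaddress.ip_network(dest, strict=False)


def ev1_rules(server_dest: str):
    return [
        ("pass", EV1, server_dest),
        ("block", EV1, LAN),
        ("pass", EV1, "0.0.0.0/0"),
    ]


def first_match(rules, src: str, dst: str) -> str:
    """Evaluate a packet from src to dst; default deny if nothing matches."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, s, d in rules:
        if src_ip in normalise(s) and dst_ip in normalise(d):
            return action
    return "block"


if __name__ == "__main__":
    for dest in ("192.168.1.14/24", "192.168.1.14/32"):
        rules = ev1_rules(dest)
        print(f"rule 2 destination {dest} actually matches {normalise(dest)}")
        for target in ("192.168.1.14", "192.168.1.50", "203.0.113.5"):
            print(f"  EV1 host -> {target}: {first_match(rules, '192.168.3.10', target)}")
```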

Oh, thank you very much! I was convinced that I should specify that the address was part of the /24 subnet! What an idiot I am, thank you very much! Thanks also for the IPv6 netmask!