configuration for stateful FW rules

Started by Onkel-tobi, June 14, 2023, 06:14:15 AM

June 14, 2023, 06:14:15 AM Last Edit: June 16, 2023, 11:40:08 AM by Onkel-tobi
Hi all,

I am just wondering why I have to create rules for the way back.
I have 6 ports (1 WAN, 5 different ports with 8 VLANs in all) configured.
For each VLAN a single gateway is configured (is that really needed, as it seems to make no difference?).

Then I have created default block rules for incoming traffic.
Now I want to access an HTTP site from VLAN A to B and created a rule for that.
But in the log I can now see that in this example the traffic is going to VLAN B, but then it is blocked on interface B on going out.

I thought that by default OPNsense would do this statefully, so if a client from VLAN A is initiating the traffic I don't need to create rules for the way back?

Does anyone have a hint on that?

Thanks,
Tobi

Stateful means: the reply is allowed OOTB. Best guess without screenshots: rules on the wrong interface and/or wrong direction (in/out)...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Sorry, I was only on mobile and away.
After further investigation I found out the following:
If you look at the attachment "block" you can see that the request is not coming from the client net as source but from the GW address of the "dreck" network.
I also added the rules for the clientVLAN, which is the network of my client PC, and I am trying to access an address (192.168.177.60) on the dreck VLAN.

regards,
Tobi

The last FW and "HAnet" rules on Dreck are wrong; the direction has to be "in", not "out"... Don't use "out" rules (unless you 100% know what you are doing...); in 99.99% of the use cases they are the wrong choice...
kind regards
chemlud

June 16, 2023, 09:09:20 AM #4 Last Edit: June 16, 2023, 09:16:33 AM by Onkel-tobi
Thanks for your answer.
I wanted to deny all traffic by default out of the dreck network.
So how should I best do that?
Or will this be done by the default deny anyway?

Interface: dreck
Source: any
Destination: any
Direction: in
Action: deny

Or simply no rule on that interface at all, because deny is the default.

In/out is to be read as seen by the firewall. A packet originating in the "dreck" network is coming in the "dreck" interface.

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
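
The in/out semantics and the stateful return path described in this thread, as an added example (not OPNsense's or pf's own code): a small Python model in which every interface has rules for packets entering the firewall ("in") and leaving it ("out"), the state table is consulted before the rules on every hop, the first matching rule wins, and a packet nothing matches is dropped. Only the address 192.168.177.60 comes from the thread; the dreck prefix 192.168.177.0/24, the client VLAN 192.168.10.0/24, the client host 192.168.10.50 and the port numbers are constructed. The model leaves out OPNsense's generated floating rules and its state-policy setting, so it shows the rule semantics, not the exact ruleset the firewall loads.

```python
# Added example: a simplified model of per-interface stateful firewall rules,
# written to illustrate "in/out as seen by the firewall" and "the reply is
# allowed out of the box". Not OPNsense/pf code; addressing is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str                  # interface the rule is attached to
    direction: str              # "in": entering the firewall on iface; "out": leaving via iface
    action: str                 # "pass" or "block"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet, iface: str, direction: str) -> bool:
        if (self.iface, self.direction) != (iface, direction):
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


class Firewall:
    """On each hop the state table is consulted first; otherwise the interface's
    rules for that direction are tried in order, first match wins, and a
    packet nothing matches is dropped (default deny)."""

    def __init__(self, networks: dict[str, str], rules: list[Rule]):
        self.networks = networks        # iface -> directly connected CIDR (assumed)
        self.rules = rules
        self.states: set[tuple] = set()

    def iface_for(self, ip: str) -> str:
        for iface, net in self.networks.items():
            if ip_address(ip) in ip_network(net):
                return iface
        raise ValueError(f"no interface for {ip}")

    def _hop(self, pkt: Packet, iface: str, direction: str, log: list[str]) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            log.append(f"{direction} on {iface}: existing state, pass")
            return True
        for rule in self.rules:
            if rule.matches(pkt, iface, direction):
                log.append(f"{direction} on {iface}: rule {rule.action}")
                if rule.action == "pass":
                    # keep state: remember the flow in both directions, so the
                    # reply passes every hop without any further rule
                    self.states.add(key)
                    self.states.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                    return True
                return False
        log.append(f"{direction} on {iface}: no rule, default deny")
        return False

    def forward(self, pkt: Packet) -> tuple[bool, list[str]]:
        """A routed packet is checked 'in' on the ingress and 'out' on the egress interface."""
        log: list[str] = []
        ingress, egress = self.iface_for(pkt.src), self.iface_for(pkt.dst)
        passed = self._hop(pkt, ingress, "in", log) and self._hop(pkt, egress, "out", log)
        return passed, log


# Constructed addressing: only 192.168.177.60 is named in the thread.
NETWORKS = {"clientvlan": "192.168.10.0/24", "dreck": "192.168.177.0/24"}
CLIENT, DRECK_HOST = "192.168.10.50", "192.168.177.60"


def scenario(rules: list[Rule]) -> dict[str, bool]:
    """Run the three flows from the thread against a fresh firewall."""
    fw = Firewall(NETWORKS, rules)
    request = Packet(CLIENT, 51000, DRECK_HOST, 80)        # client opens HTTP to dreck
    reply = Packet(DRECK_HOST, 80, CLIENT, 51000)          # dreck answers
    unsolicited = Packet(DRECK_HOST, 40000, CLIENT, 22)    # dreck initiates a connection
    return {
        "client_to_dreck_http": fw.forward(request)[0],
        "reply_dreck_to_client": fw.forward(reply)[0],
        "dreck_initiated_ssh": fw.forward(unsolicited)[0],
    }


# The working configuration: one "in" rule on the client VLAN; the explicit deny
# on dreck is equivalent to having no rule there at all.
HTTP_FROM_CLIENTS = Rule("clientvlan", "in", "pass", "192.168.10.0/24", f"{DRECK_HOST}/32", 80)
WORKING = [HTTP_FROM_CLIENTS, Rule("dreck", "in", "block")]

# Wrong direction: a block "out" on dreck never sees packets that *enter* the
# firewall from dreck, so next to a permissive "in" rule it stops nothing.
WRONG_DIRECTION = [HTTP_FROM_CLIENTS, Rule("dreck", "out", "block"), Rule("dreck", "in", "pass")]

if __name__ == "__main__":
    for name, rules in [("working", WORKING), ("only the http rule", [HTTP_FROM_CLIENTS]),
                        ("wrong direction", WRONG_DIRECTION)]:
        print(name, scenario(rules))
```

Running it shows that the single "in" rule on the client VLAN is enough for the HTTP reply to come back through dreck, that the explicit deny on dreck changes nothing the default deny does not already do, and that a block "out" on dreck does not stop traffic originating in dreck, which is what the "in" direction on that interface is for.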

Ah ok, that was overlapping. Yes, great.
After I disabled that rule and checked the logs, I can confirm that this traffic from the client to the dreck device is working and the default deny also works for everything else.
Thanks for your support!