All my rules show "let out anything from firewall host itself"

Started by idscomm, January 29, 2024, 02:56:20 AM

Hello Community,

I am new to OPNsense, coming from Check Point, Untangle, pfSense ... and I am trying to understand what is happening with the rules.

I have several Networks (and VLANS). Basic example:

Ad-Guard DNS Server on LAN available for ALL Networks

I created a rule under each Network allowing IN -> to the Ad-Guard Server. Everything works fine, but the log shows "let out anything from firewall host itself" instead.

Question is, since I am not logging this rule, is it normal to see this entry in the log?

Please show "the Log"... ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: idscomm on January 29, 2024, 02:56:20 AM
Hello Community,

I am new to OPNsense, coming from Check Point, Untangle, pfSense ... and I am trying to understand what is happening with the rules.

I have several Networks (and VLANS). Basic example:

Ad-Guard DNS Server on LAN available for ALL Networks

I created a rule under each Network allowing IN -> to the Ad-Guard Server. Everything works fine, but the log shows "let out anything from firewall host itself" instead.

Question is, since I am not logging this rule, is it normal to see this entry in the log?

As you can see in the picture, you have 4 rules, but you are logging only one of them, represented by the coloured "i" icon. The greyed "i" shows that logging is disabled for the rest of the rules.

System rules, aka default deny/permit, are controlled by the system in "System: Settings: Logging" (System -> Settings -> Logging -> Enable logging for "default deny").

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: chemlud on January 29, 2024, 09:09:10 AM
Please show "the Log"... ;-)
Thank you for your answer. This is part of my log showing a rule I created to allow the Guests VLAN to reach the LAN Ad-Guard DNS Server (I am not logging this rule) ... Is that why I see the "let out anything from firewall host itself"?

If I deactivate the "Log packets matched from the default pass rules put in the ruleset", I do not see all these logs.

I am just trying to see if I misconfigured my firewall or if this is normal behaviour.

Thanks!

You allow access to this AdGuard, but are your clients actually using it? Or your OPNsense (Unbound? via DHCP)?

As your last rule allows ANYTHING, in theory any GUEST client could use whichever DNS (port 53, 853 or HTTPS) it wants.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

It most probably will as well, depending on the device on the LAN.

The reason is that some devices (mostly IoT and even TVs) have preconfigured primary DNS servers 8.8.8.8 & 8.8.4.4; with an any-to-any rule towards non-private subnets, such devices will always try to reach those destinations before using your own or dedicated DNS server.

I solved this by restricting internet access extremely, to HTTPS only, and allowing DNS only for my Pi-hole. From what I can see, such hardcoded devices first try their hardcoded DNS server; once they cannot reach it, they use the fallback DNS provided by DHCP.

Such devices also tend to ping those hardcoded DNS servers using ICMP. I have specific rules that block any communication to the Google DNS servers to force them to use my self-hosted DNS on Pi-hole.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: chemlud on January 29, 2024, 05:00:07 PM
You allow access to this AdGuard, but are your clients actually using it? Or your opnsense (unbound? via DHCP)?

As your last rule allows ANYTHING in theory any GUEST client could use whichever DNS (port 53, 853 or HTTPS) it wants.

Yes, I can see my client using it as I disabled the option to override the DHCP options.

Quote from: Seimus on January 30, 2024, 01:57:55 PM
It most probably will as well, depending on the device on the LAN.

The reason is that some devices (mostly IoT and even TVs) have preconfigured primary DNS servers 8.8.8.8 & 8.8.4.4; with an any-to-any rule towards non-private subnets, such devices will always try to reach those destinations before using your own or dedicated DNS server.

I solved this by restricting internet access extremely, to HTTPS only, and allowing DNS only for my Pi-hole. From what I can see, such hardcoded devices first try their hardcoded DNS server; once they cannot reach it, they use the fallback DNS provided by DHCP.

Such devices also tend to ping those hardcoded DNS servers using ICMP. I have specific rules that block any communication to the Google DNS servers to force them to use my self-hosted DNS on Pi-hole.

Regards,
S.

I have those devices; I agree with you that some are hardcoded, as I can see Google DNS requests from my internal network, which I do not use. I pass the Ad-Guard servers as DNS to all my clients; Ad-Guard queries are then encrypted to the Internet.

I think that if I do not log the rule I created, then it shows "let out anything from firewall host itself" ... everything is working as intended; if I deactivate the rule as a test, the Internet stops working since DNS is unavailable... I think it's just the way OPNsense logs the queries. I deactivated the logging of allow rules and I don't see those anymore. I could do another test and log all my rules to see if that's what the log actually shows....

So, as you mentioned, if you see some queries sent to different public DNS servers such as Google etc., you definitely have some devices there that abuse the any/any rule.

I am using a lot of VLANs, with FW Groups. So for me to do micro-segmentation on FW is very easy.

If you have only one VLAN or no VLAN at all (meaning one subnet for everything) and still want your TCP/UDP any/any, I can give you a tip.

Create a specific rule that will prevent any communication to any DNS server that is not your AdGuard DNS server:

Action: BLOCK
Protocol: UDP
Source: !YourDNSserver (do an inverse here as shown by the !)
S.Port: ANY
Destination: !RFC_1918 (do an inverse here as shown by the !)
D.Port: DNS_Ports (Alias)

DNS_Ports should include 53 & 853 (DNS + DoT)
Put the Rule on top of the list
Apply the rule on a specific interface, group or on all

What this will effectively do is block any attempt to reach any external DNS server that is not your own DNS server, on the default DNS port 53 as well as DoT 853. This will, however, not block any attempts at DoH.

For blocking DoH you would have to use D.Port 443, but mind here that by blocking UDP 443 you will block QUIC as well. Personally, I have restricted QUIC, so I have the block rule for UDP 443 as well. Or rather, I don't allow UDP at all using any/any. UDP is for me controlled per port & external destination; this may be a bit annoying, specifically for Steam and games, but it's not so hard to figure out what destination needs to be permitted in the UDP gaming rule or VoIP for WA/Messenger.

https://www.cloudflare.com/learning/dns/dns-over-tls/

Personally, I am still logging all my rules except dNAT (but the FW rule is logged). This is a historical remnant of cracking down on anything I deemed to be IoT or suspicious (smart lights, TVs etc., everything that has no fully configurable OS). I did it as part of the migration and micro-segmentation when I was doing VLANs; as such devices are spammers, flooders and scanners, for me it just was not enough to have them in a separate VLAN, so I cracked them down and allowed only the minimum needed to have them working.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
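The block rule Seimus describes above (UDP, inverted source, inverted RFC 1918 destination, DNS_Ports alias), modelled as an added example in Python that is my own and not code from the thread or from OPNsense, to show how the two inverted matches combine and which flows still fall through (DoH/QUIC on UDP 443, and TCP, since the rule as written is UDP-only). The addresses, alias contents and sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed lab values (constructed for this example, not from the thread):
ADGUARD_DNS = ipaddress.ip_address("192.168.10.5")   # stands in for the "YourDNSserver" alias
RFC_1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # the "RFC_1918" alias
DNS_PORTS = {53, 853}                                 # the "DNS_Ports" alias: DNS + DoT


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC_1918)


def block_rule_matches(flow: Flow) -> bool:
    """The post's block rule: UDP, source != AdGuard (inverted), destination
    outside RFC 1918 (inverted), destination port in DNS_Ports."""
    return (flow.proto == "udp"
            and ipaddress.ip_address(flow.src) != ADGUARD_DNS
            and not is_rfc1918(flow.dst)
            and flow.dport in DNS_PORTS)


def evaluate(flow: Flow) -> str:
    """Rule order as the post describes: the block rule sits on top; anything it
    does not match falls through to the existing any/any pass rule."""
    return "block" if block_rule_matches(flow) else "pass"


# Constructed sample flows: an IoT TV with hardcoded Google DNS, a guest client,
# and the AdGuard server's own upstream DoT query.
SAMPLE_FLOWS = {
    "tv_to_google_udp53":   Flow("udp", "192.168.30.20", "8.8.8.8", 53),    # blocked
    "tv_to_google_udp853":  Flow("udp", "192.168.30.20", "8.8.4.4", 853),   # blocked
    "guest_to_adguard":     Flow("udp", "192.168.40.15", "192.168.10.5", 53),  # internal dst
    "adguard_upstream_dot": Flow("tcp", "192.168.10.5", "1.1.1.1", 853),    # source excluded
    "tv_doh_or_quic_443":   Flow("udp", "192.168.30.20", "8.8.8.8", 443),   # port not in alias
    "tv_dot_tcp853":        Flow("tcp", "192.168.30.20", "8.8.8.8", 853),   # rule is UDP-only
}


def evaluate_all() -> dict:
    return {name: evaluate(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:24} {verdict}")
```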

Thanks for the tip and the write-up. I do have quite a few VLANs: LAN and surveillance cameras are on physical interfaces, as well as my DMZ; then IoT, Guests, Kids and VoIP are VLANs. I find it easier to manage when it's segmented like that. I will add your rule and redirect those DNS queries to my Ad-Guard. I used it to filter ads and apps, especially for the Kids VLAN. So far it's working great. My IoT VLAN does a lot of pings too, to the gateway and to my DNS servers etc., which I blocked ...

The big part of my install is almost done now. Got my VoIP working last night, which is a plus! Just need some fine-tuning now and to check the logs for anomalies. I'll have to set up my VPN as well within the next few days.

So far OPNsense seems to be a decent firewall; I like the simplicity of some of the options, like the GeoIP, which I use combined with blocking ET using IP lists...

Looks like you have a nice design there at least from the point of segmentation.

You may not need a redirect rule for the DNS; give it a try with blocking the external DNS first to see if they will fail over to your DHCP-provided one. For me this has worked so far, even with the stupid Google Assistant (which is already long gone). These were the biggest A****, constantly reaching out and trying to go around what DHCP has set. But once they could not ping nor query the external DNS server, they did obey and used my Pi-hole ;)

Also, if you want to do a crackdown, two possibilities here for better inspection:
1. Live view + general view directly in OPNsense
2. ZenArmor (but it's on you if you want to use this)

This way you will get a good view of who is talking to what. And really, mostly IoT-based devices spam like hell; you should see them right away in the live view logs if you log the rules.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Thanks for the good advice, greatly appreciated. I know for a fact that IoT devices are a bit tricky in the way that some, if not most, are hardcoded .... I will keep an eye on my logs like you said. I was also doing some reading on Zenarmor, as some of its features could be useful, as I read...

Just perusing the forum and, forgive me if I missed this in the replies, as I just skimmed through them to check. But I think the issue with the rule you're expecting to see in the logs is that the "direction" you chose is "IN", when I'm pretty sure I'd put it as "OUT", since I'm allowing traffic on the VLAN or LAN side, out from the firewall.

Disclaimer: I'm pretty green with Firewall rules, but I watched a video that helped me to visualize what the options were doing https://youtu.be/dLUffHxnsIQ?si=asoWLgZPkno9V6Kc

Quote from: idscomm on January 29, 2024, 02:56:20 AM
I created a rule under each Network allowing IN -> to the Ad-Guard Server. Everything works fine but the Log shows let out anything from firewall host itself instead.

Question is, since I am not logging this rule, is it normal to see this entry in the log?

I believe you might have the in/out option misconfigured. As I understand, you'd like all interfaces to access the Ad-Guard Server. I would think each of those rules would be something like

pass, tcp/udp, "[whichever network name] net", [DNS port as configured on your OPNsense setup (typically 53)], direction would be "OUT"
> since you're wanting to allow traffic from the firewall and out; perhaps some specific IP for the server, but probably not necessary to specify

- This is assuming the AD-guard server is on the "WAN" side of the firewall; you could also just allow to any IP, since the traffic is being pushed through that DNS port in OPNsense it doesn't seem like that's too "wide" of an 'allow' funnel.

Again, I'm out on a bit of a limb here with limited knowledge and corrections are most welcome as I want to make sure I have it right as well!