Firewall Rules Help

[spartanunitato]

I have a couple of IoT devices that I want to block incoming and outgoing WAN access, I am using an alias with MAC addresses because I want to block both ipv4 and ipv6 access.
My rules are setup in this way, but they are not working to block internet access, what is going wrong?

Rule 1:
Action: Block
Interface: LAN
Direction: in
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: IoT (alias)
Destination: Invert LAN net

Rule 2:
Action: Block
Interface: LAN
Direction: in
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: Invert LAN net
Destination: IoT (alias)

I have also moved both rules to the top, but my devices are still getting internet access. What should I change?

[sja1440]

You haven't really given much technical context there.

Anyway, here are a few things to check:

(1) is the MAC alias actually being populated? (look in Firewall: Diagnostics: Aliases)

(2) Have you set the Quick flag on these two rules?

(3) With those rules in place, what happens after you reboot the OPNsense device? (this will of course reset all connection states within the firewall)

(4) What does the firewall log say? Assuming that you have set the Log flag on key rules.

You haven't said but I guess you use NAT to connect to the internet. Correct? If so, then incoming  connections from the internet will not succeed unless you have opened at least one port to your IoT devices. The second rule, for ipv4, would then not be needed. Have you opened any ports?

How do you know that the IoT devices are still communicating with the internet? What sort of traffic is it? Who initiated it? What do you see using  packet capture on the LAN interface (Interfaces: Diagnostics: Packet Capture)?

Edits:
* I guess you meant "out" as the direction on the second rule?
* Rule two would be redundant only for ipv4 if NAT present.

[MoonbeamFrame]

From https://forum.opnsense.org/index.php?topic=2790.0

MAC addresses are not covered by FreeBSD's ipfw(4) and pf(4) packet filters which OPNsense uses. You can, however, use the captive portal functionality to allow access only to specific MAC addresses in the advanced configuration, see "Allowed MAC addresses".

[sja1440]

@MoonbeamFrame they are supported by OPNsense: see for example https://docs.opnsense.org/manual/aliases.html#mac-addresses

I use them myself to block certain ipv6 traffic.

[MoonbeamFrame]

My bad if this has changed.

The quote was from Franco.

[sja1440]

I am sorry but your quote was from 2016.  As I say, I use successfully  MAC aliases.

[spartanunitato]

I managed to resolve the issue by removing rule 2, and changing the destination for rule 1 from invert LAN net to any. However there is a weird issue, whenever I reboot the router, I need to reset state tables for the firewall rules to work properly. What could be a possible issue? The quick flag is set, and my alias is populated.

[sja1440]

By changing "invert LAN" to "any" you move from only blocking connections to outside your LAN to blocking everthing including to your DNS,  NTP etc. services on OPNsense. Not having DNS is certainly going to prevent access to the internet (unless the destinations are hardwired in the IoT devices)

BTW Do your IoT devices use a hub/gateway lying within your LAN? If so, is that MAC contained in the IoT Alias? Does communication to the internet always go through that?

Regarding the need to clear firewall states after a reboot. Maybe this relates to the nature of OPNsense's MAC Aliases: OPNsense obtains the ipv4/ipv6 addresses by periodically (?) checking the arp and ndp tables. Possibly,  your IoT devices are establishing a connection to the internet before the MAC Alias is populated.  In this case the firewall No 1 rule will never fire. Resetting firewall states is not going to clear out the MAC alias, this would explain why a reset after a reboot fixes the problem..

Have you thought about putting the IoT devices on a separate vlan? Would make it a lot easier.

[spartanunitato]

By changing "invert LAN" to "any" you move from only blocking connections to outside your LAN to blocking everthing including to your DNS,  NTP etc. services on OPNsense. Not having DNS is certainly going to prevent access to the internet (unless the destinations are hardwired in the IoT devices)

BTW Do your IoT devices use a hub/gateway lying within your LAN? If so, is that MAC contained in the IoT Alias? Does communication to the internet always go through that?

Regarding the need to clear firewall states after a reboot. Maybe this relates to the nature of OPNsense's MAC Aliases: OPNsense obtains the ipv4/ipv6 addresses by periodically (?) checking the arp and ndp tables. Possibly,  your IoT devices are establishing a connection to the internet before the MAC Alias is populated.  In this case the firewall No 1 rule will never fire. Resetting firewall states is not going to clear out the MAC alias, this would explain why a reset after a reboot fixes the problem..

Have you thought about putting the IoT devices on a separate vlan? Would make it a lot easier.

Ahh I see... thank you for the detailed explanation. My IoT devices connect straight to the internet without a hub, I use them locally with Home Assistant. Moving them to their own VLAN will be the end goal, but right now I use an Asus router as my AP, and that doesn't support VLANs. Once it breaks I will look to switch to Unifi or other products supporting VLAN. Thank you for the help!