Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
Unable to block traffic IN to LAN
« previous
next »
Print
Pages: [
1
]
Author
Topic: Unable to block traffic IN to LAN (Read 929 times)
squarepantsii
Newbie
Posts: 8
Karma: 0
Unable to block traffic IN to LAN
«
on:
May 23, 2024, 09:31:13 am »
Hi,
I am having trouble with trying to block traffic IN to LAN to a specific public IP (e.g., Blocked_Internet_IP).
The firewall Log Files (Live View) is not showing any traffic when I send the traffic from a LAN host to this blocked IP on port 80, using "telnet Blocked_Internet_IP 80".
Strangely enough, the Firewall Log Files does show this connection OUT to WAN, to this Blocked_Internet_IP on port 80.
Furthermore, if I run a pcap capture (Interfaces -> Diagnostics) on the LAN interface, I can clearly see the traffic being received - which I assume must mean this is an IN traffic to the LAN interface.
I could create Block rules on the Firewall using WAN Interface OUT, but I understand this is not encouraged, therefore I would like to get to the bottom of this.
Thanks in advance for any tips.
Logged
Patrick M. Hausen
Hero Member
Posts: 6935
Karma: 584
Re: Unable to block traffic IN to LAN
«
Reply #1 on:
May 23, 2024, 10:15:57 am »
Please show your rule in detail.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
squarepantsii
Newbie
Posts: 8
Karma: 0
Re: Unable to block traffic IN to LAN
«
Reply #2 on:
May 24, 2024, 07:08:03 am »
Thanks for replying.
I have attached the screenshots (not sure how to make it appear in post!)
This is the LAN rule.
This is the WAN rule.
This is the log files Live View.
Logged
jp0469
Jr. Member
Posts: 60
Karma: 8
Re: Unable to block traffic IN to LAN
«
Reply #3 on:
May 24, 2024, 04:40:09 pm »
It looks like you're trying to block LAN clients from reaching a particular Adguard DNS server? From your 1st screenshot, it appears you put the rule after the "allow all" rules. That's not going to work since the "allow all" rule will be matched first and all following rules ignored. Once you fix that, the 2nd rule you posted is not needed.
Logged
squarepantsii
Newbie
Posts: 8
Karma: 0
Re: Unable to block traffic IN to LAN
«
Reply #4 on:
May 30, 2024, 09:39:58 am »
Hi,
Thank you for the reply. I have been busy with trying to test Wazuh with OPNsense.
As a follow up, I am now using the alias '__wazuh_agent_drop' to effect a firewall block to the same Adguard DNS (94.140.14.14).
I am able to run the Wazuh active response script, which updates this alias to include the IP address 94.140.14.14.
I have attached the automatically generated rules (built-in by OPNsense), which includes the supposedly block rule in the LAN IN interface.
However, this rule is not being triggered. I verified this from the Live View log files. There's no blocking.
If I then test it with a WAN OUT rule that blocks __wazuh_agent_drop, the block is triggered successfully.
Logged
jp0469
Jr. Member
Posts: 60
Karma: 8
Re: Unable to block traffic IN to LAN
«
Reply #5 on:
May 30, 2024, 04:02:56 pm »
It's still not very clear what you're trying to accomplish. Post a screenshot of all rules (excluding the auto ones) on your LAN interface. Just showing the one rule isn't relevant because the order of the rules matters.
Logged
squarepantsii
Newbie
Posts: 8
Karma: 0
Re: Unable to block traffic IN to LAN
«
Reply #6 on:
May 30, 2024, 04:23:33 pm »
I do apologise. I intended to attach 2 pictures previously, but one of them exceeded the max size and it wasn't attached.
I have now re-attached the 2 pictures. These 2 makes up the LAN auto-generated rules, which I understand to precede all other rules. If I understand correctly, all these rules are auto-gen and should be the same across any installation of OPNsense. This alias is auto-gen in *both* LAN and WAN rules, and both are set to block the IN direction.
What I am doing now is - I am using the __wazuh_agent_drop alias to block a particular IP, in this case 94.140.14.14. I have already ascertained that the Adguard IP is in the alias when I am testing the blocking.
What I don't understand is why the blocking does not occur. I don't see any preceding rule (before __wazuh_agent_drop) that triggers before it.
I am connecting a telnet session from a PC on the LAN to the Adguard IP.
Logged
Seimus
Hero Member
Posts: 614
Karma: 60
Re: Unable to block traffic IN to LAN
«
Reply #7 on:
May 30, 2024, 05:16:16 pm »
So you are running all you rules, even the one specific for IN on LAN as floading?
Also did you do purge the state table after implementing that rule?
That Alias, does it have at all any IPs or Subnets loaded? (check in Diagnostic Alias)
Regards,
S.
Logged
Networking is love. You may hate it, but in the end, you always come back to it.
OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G -
VM HA(SOON)
N100 - i226-V | Crucial 16G 4800 DDR5 | S 980 500G -
PROD
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
Unable to block traffic IN to LAN