Confused about firewall rules.

Started by thetibetantr, August 27, 2024, 07:57:44 PM

I am trying to replace an Ipfire router/firewall with OpnSense and I am having problems with the firewall rules.

At the moment, everything has a static IP and have 4 interfaces: WAN, LAN, DMZ, and WIFI.  My WAN configuration is:

opnsense x.x.x.253 ------ x.x.x.254 comcast

The LAN works as expected.  I am having problems with the WIFI network.  I put 3 rules in the WIFI firewall rules:

Protocol   Source     Port   Destination   Port   Gateway   Schedule   Description
IPv4 *     WIFI net   *      WAN net       *      *         *
IPv4 *     WIFI net   *      WIFI net      *      *         *
IPv4 *     WIFI net   *      *             *      *         *

With all 3 rules enabled, a host on the WIFI network can access the internet.  If I disable the last rule, a host on the WIFI network can no longer get to the internet.  But, it can ping the WIFI interface, the x.x.x.253 interface, and the x.x.x.254 interface.  It just can't reach anything beyond the 254 interface.

Any idea what I may have misconfigured?

Because WAN net is literally WAN net (your WAN IP and netmask you got from your ISP). That is not internet.
The second rule is completely useless, that traffic will never hit the firewall.

x.x.x.254 is defined as the default gateway.  Shouldn't any traffic that is not on any of my local nets automatically go to x.x.x.254?  That is what Ipfire does?

Not sure what the question relates to... LAN <=> LAN, WiFi <=> WiFi is handled by switches / APs. Does not hit the firewall.
For your first rule, you are allowing traffic with destination <your.wan.ip/subnet>. Once again, that is not internet. That is that one subnet. Which may be as small as /32 in some cases. I.e., identical to WAN IP.

The question relates to WIFI <==> WAN.  I want hosts on the WIFI to be able to access the internet without being able to access the LAN.  That is what I thought the first rule was supposed to do.  So far, I am only able to have the WIFI hosts access the internet if I enable the third rule, which allows the WIFI hosts to also access the LAN.

The solution is:

Source: Wifi net
Destination: LAN net
Destination invert: check
Action: allow

In plain words: allow Wifi net to access anything but LAN net.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: thetibetantr on August 27, 2024, 09:52:48 PM
I want hosts on the WIFI to be able to access the internet without being able to access the LAN.  That is what I thought the first rule was supposed to do.

Put a rule that blocks access to LAN net on your WiFi interface above the last rule you have posted there (WiFi net -> any). Delete the rest.

(This could be condensed to a single rule with inverted destination as noted in the above post, but seeing your confusion, perhaps let's just not do that.)

I can see how that would work.  However, it doesn't clear up my confusion.  The first rule:

Protocol   Source     Port   Destination   Port   Gateway   Schedule   Description
IPv4 *     WIFI net   *      WAN net       *      *         *

should send all non-WIFI net traffic to the WAN interface which has x.x.x.254 as the default route.

root@opnsense:~ # netstat -4rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            50.76.207.254      UGS         em0
50.76.207.248/29   link#1             U           em0
172.16.1.0/24      link#3             U           em2
172.16.1.1         link#5             UHS         lo0
172.16.3.0/24      link#2             U           em1
172.16.3.1         link#5             UHS         lo0


What am I missing?

Here is my routing table from ipfire:

[root@ipfire ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         50.76.207.254   0.0.0.0         UG    0      0        0 red0
50.76.207.248   0.0.0.0         255.255.255.248 U     0      0        0 red0
50.76.207.254   0.0.0.0         255.255.255.255 UH    0      0        0 red0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 blue0
172.16.3.0      0.0.0.0         255.255.255.0   U     0      0        0 green0


The main difference I see is that every interface shows the default gateway as the gateway.

Is there a way to do something similar in opnsense?

August 27, 2024, 11:51:26 PM #9 Last Edit: August 27, 2024, 11:54:45 PM by doktornotor
I already explained 3 times that WAN net is your WAN interface subnet. NOT Internet. The routing and GW is absolutely irrelevant. No destination but the WAN Net allowed, the packets will be blocked by firewall. Forget about using WAN net for rules intended to mean Internet.

In the output you posted, 50.76.207.248/29 is the WAN net. And that is all that the rule allows.
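As an added illustration (not part of the thread), a small Python simulation of first-match rule evaluation over the three rule sets discussed: the original "WIFI net -> WAN net" rule, the single inverted-destination rule, and block-LAN-then-allow-any. The subnets come from the posted routing tables; which /24 is LAN and which is WIFI is inferred from IPFire's green0/blue0 naming and is an assumption, as is the constructed client address.

```python
from ipaddress import ip_address, ip_network

# Subnets taken from the routing tables posted in the thread.
WAN_NET = ip_network("50.76.207.248/29")  # "WAN net" = the WAN interface subnet, not the internet
LAN_NET = ip_network("172.16.3.0/24")     # green0 in IPFire, assumed to be the LAN
WIFI_NET = ip_network("172.16.1.0/24")    # blue0 in IPFire, assumed to be the WIFI
ANY = ip_network("0.0.0.0/0")             # the "*" destination

# A rule is (action, source net, destination net, destination-invert flag).
ORIGINAL = [
    ("pass", WIFI_NET, WAN_NET, False),   # what the poster thought meant "internet"
    ("pass", WIFI_NET, WIFI_NET, False),  # never evaluated for switched traffic anyway
]
INVERTED = [
    ("pass", WIFI_NET, LAN_NET, True),    # allow WIFI net to anything but LAN net
]
BLOCK_THEN_ALLOW = [
    ("block", WIFI_NET, LAN_NET, False),  # explicit block placed above the allow-any
    ("pass", WIFI_NET, ANY, False),
]


def first_match(rules, src, dst):
    """Walk the list top to bottom, first match wins; no match is the implicit default deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, invert_dst in rules:
        # "Destination invert" flips the destination test, not the source test.
        if src_ip in src_net and ((dst_ip in dst_net) != invert_dst):
            return action
    return "block"


def evaluate(rules, src="172.16.1.50"):
    """Result per destination for one constructed WIFI client: the ISP gateway,
    a public address standing in for 'the internet', and a LAN host."""
    destinations = ("50.76.207.254", "8.8.8.8", "172.16.3.10")
    return {dst: first_match(rules, src, dst) for dst in destinations}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("inverted", INVERTED),
                        ("block-then-allow", BLOCK_THEN_ALLOW)):
        print(f"{name:17} {evaluate(rules)}")
```

The original set passes traffic to 50.76.207.254 (inside the /29) and blocks 8.8.8.8, which is exactly the symptom described: the ISP gateway is reachable but nothing beyond it.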