Why can i access Outbound devices that are on WAN by default? Is this intended?

Started by d39FAPH7, December 29, 2024, 01:42:13 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
December 29, 2024, 01:42:13 PM Last Edit: December 29, 2024, 01:43:57 PM by d39FAPH7
Hi,
on a fresh 24.7.11_2 install i have the following setup:
ISP-Router with own address 192.168.1.1 and 192.168.1.0/24 Range => WAN Interface on OPNsense set to DHCP. LAN on OPNsense is 192.168.2.0/24

WAN Interface on OPN gets for example 192.168.1.2 from ISP Router and internet connection is working. First strange thing is that this is working although "Block private networks" is checked. Second strange thing is that i can access the ISP Router and it's connected devices on 192.168.1.0/24 without setting up a Outbound NAT Rule manually. Is this intended?

I came across this, because on another OPN i have bridgemodem that bridges me a public IP to WAN when set to DHCP. BUT during boot of this modem until it receives a public IP this modem resides in the same network range (cannot change that) as my OPN which leads to duplicate IP adresses and a network that is completely unresposive/down until the public IP is received and bridged.

thanks
December 29, 2024, 02:03:05 PM #1
Default is anything outbound from LAN is allowed. NAT on WAN is enabled by default for all locally connected networks like e.g. LAN. So that matches your observed behaviour.

Block private is not applied to connections that are initiated from the LAN side.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 29, 2024, 04:02:41 PM #2
thanks for your answer. while it's white convenient to have this functionality by default i think it would be smart to add another block rule that matches your local network range you use on the OPNsense box to avoid duplicate IPs or do i oversee seomthing here?
December 29, 2024, 05:31:51 PM #3
The default is simply

- everything from LAN out permitted and NAted
- everything from WAN in forbidden

That's it. If you use a browser on LAN to access the modem that "from LAN out". Everything on WAN is considered "Internet". Private networks are in no way special.

I am actually not quite sure what the "block private networks" checkbox is supposed to achieve, anyway. Everything from WAN in is forbidden, private or not. I disable all the "magic" implicit settings like "reply-to", "force-gateway" etc. and rely on the routing table and explicit manual rule setup including NAT. But that's me ;)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Print
Go Up Pages1
User actions