Are all of these DEFAULT DENY Firewall Rules legit or am I misconfigured

Started by fbeye, January 01, 2025, 08:05:13 PM

I cannot say that I really have anything "wrong" on my network in terms of speeds etc., aside from those random 20-30 minute lag sessions even when my bandwidth shows minimal usage, but I see MANY of these.

If it helps, 172.16.2.1 is the OPNsense LAN IP [and DNS server; I have AdGuard and Unbound] and 172.16.2.2 is the Cisco switch.
If I am reading it right, 172.16.2.2 is being blocked from accessing 172.16.2.1:53 for DNS, or even 8.8.8.8 for DNS?

Hard to say if you don't show your firewall rule set on the LAN interface...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Well, it may look obvious, as I do not have a 172.16.2.0/24 LAN rule, but I did not know I would need one... So I only made OUTs for my 6 networks.

If you do not explicitly permit your switch to access OPNsense for DNS requests, the packets match the default deny rule. What else should happen or how do you think these requests should be allowed if there is no rule doing that?

Now if the switch should actually be allowed to perform DNS requests is a matter of your policy, not a technical issue. It tries to do that. There is no rule in place that would permit it. Fairly simple. Everything that is not explicitly allowed is forbidden.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

It makes sense when you explain it that way. I guess I assumed I would not need one because the switch 172.16.2.2 is directly connected to the OPNsense LAN 172.16.2.1, so I assumed it would be "approved". But it makes sense.

The LAN interface came by default with allow-all rules, but you can change that.
Check your LAN FW rules.

The fact that the switch is on the same subnet is irrelevant.
What is relevant is the traffic that enters OPN, per interface.

Note that the direction of your rules is 'in' (hover over the blue arrow), from the perspective of OPN.
Default rules exist that allow all traffic out. One typically controls what's allowed in.

Makes sense.
I was just so focused on IN meaning outside to inside and OUT being inside to outside, not realizing that OPNsense firewall IN means in from any direction, LAN or WAN. Once I write it out it's a "duh" moment, but before that I couldn't see the forest for the trees.

I can see how 172.16.2.0 was being blocked, as I had no LAN rule for it, but that does not explain why a LAN IP is being blocked from accessing a destination on :443 which is apparently an Amazon site. I have no block rules for anything on the LAN and do have an explicit LAN rule permitting all of 192.168.2.0/24 (the blocked LAN IP) outside, so I want to dig deeper and see why it was blocked. Maybe that IP is on a blacklist or something, I don't know.

IN and OUT are from the perspective of the FW.
Your typical DNS request for a client on your LAN will first flow IN the LAN interface (gateway).
Then OUT of the WAN if the DNS server is public (if the DNS server is FW internal, it may also need to make requests OUT).

You have no rules for the 172 subnet. All traffic aimed at the gateway (GW IP or public IP) that's not handled by the automatically generated rule will be dropped.
DNS requests from the switch end up matching the last-resort default deny...
The switch does not know how to reach a public destination on its own. Its default route for a public destination is the gateway for its subnet.
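The two explanations above (the default deny catching anything not explicitly permitted, and "in"/"out" being from the firewall's point of view) are easy to check with a toy model of the rule evaluation. The following is an added example, not OPNsense code or anything posted in the thread. It assumes OPNsense's usual semantics: rules are evaluated on the interface a packet enters the firewall on, the first matching rule wins (rules are "quick" by default), a "Default deny / state violation rule" sits at the end, and the default out rules pass everything. The anti-lockout rule is modelled as TCP to the LAN address on 443 and 22 only, the poster's 192.168.2.0/24 rule is assumed to live on an interface named net2, and 198.51.100.7 / 203.0.113.10 are placeholder WAN and Amazon addresses. The model does not track state, so it shows only the rule-order half of the story: in real OPNsense the same default-deny label also fires for packets that do not match an existing state, which is one thing to look at for the 192.168.2.x :443 entry.

```python
"""
Toy model of OPNsense-style rule evaluation (added illustration, not OPNsense code).
Assumed semantics:
  * a rule is checked on the interface the packet ENTERS the firewall on, so
    direction "in" is from the firewall's perspective (LAN and WAN alike);
  * first matching rule wins;
  * an implicit "Default deny / state violation rule" ends the list;
  * out traffic is passed by default.
Addresses follow the thread: 172.16.2.1 is the OPNsense LAN address,
172.16.2.2 the switch, 192.168.2.0/24 a routed client network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

DEFAULT_DENY_LABEL = "Default deny / state violation rule"


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrives on
    proto: str                 # "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    iface: str                 # interface name or "any"
    direction: str             # "in" or "out", from the firewall's perspective
    proto: str = "any"
    src: str = "any"           # CIDR, single address, or "any"
    dst: str = "any"
    dport: Optional[int] = None
    label: str = ""

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (
            self.direction == direction
            and self.iface in ("any", pkt.iface)
            and self.proto in ("any", pkt.proto)
            and _addr_in(self.src, pkt.src)
            and _addr_in(self.dst, pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


def _addr_in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet, direction: str = "in") -> Tuple[str, str]:
    """Return (action, label) of the first matching rule; default deny if none."""
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action, rule.label
    return "block", DEFAULT_DENY_LABEL


# Automatically generated rules (assumed shapes): pass everything out, and the
# anti-lockout rule for the GUI/SSH ports on the LAN address.
AUTO_RULES = [
    Rule("pass", "any", "out", label="default allow out"),
    Rule("pass", "lan", "in", "tcp", "172.16.2.0/24", "172.16.2.1", 443, "anti-lockout"),
    Rule("pass", "lan", "in", "tcp", "172.16.2.0/24", "172.16.2.1", 22, "anti-lockout"),
]
# The poster's own rule for 192.168.2.0/24 (interface name net2 is assumed).
# Nothing at all covers 172.16.2.0/24 on the LAN interface.
ORIGINAL_RULES = AUTO_RULES + [
    Rule("pass", "net2", "in", src="192.168.2.0/24", label="allow 192.168.2.0/24 out"),
]
# The fix: explicitly permit DNS from the switch's subnet to the firewall only.
# 8.8.8.8 stays denied; allowing it is a policy choice, not a technical one.
FIXED_RULES = ORIGINAL_RULES + [
    Rule("pass", "lan", "in", "udp", "172.16.2.0/24", "172.16.2.1", 53, "allow DNS to LAN address"),
]

# Constructed packets matching the situations discussed in the thread.
SWITCH_DNS_TO_GW = Packet("lan", "udp", "172.16.2.2", "172.16.2.1", 53)
SWITCH_DNS_TO_GOOGLE = Packet("lan", "udp", "172.16.2.2", "8.8.8.8", 53)
SWITCH_TO_GUI = Packet("lan", "tcp", "172.16.2.2", "172.16.2.1", 443)
CLIENT_HTTPS = Packet("net2", "tcp", "192.168.2.10", "203.0.113.10", 443)
FORWARDED_DNS = Packet("wan", "udp", "198.51.100.7", "8.8.8.8", 53)  # leaving via WAN

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"--- {name} rule set ---")
        for pkt in (SWITCH_DNS_TO_GW, SWITCH_DNS_TO_GOOGLE, SWITCH_TO_GUI, CLIENT_HTTPS):
            action, label = evaluate(rules, pkt)
            print(f"{pkt.iface} in {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: {action} ({label})")
        action, label = evaluate(rules, FORWARDED_DNS, direction="out")
        print(f"wan out udp {FORWARDED_DNS.src} -> {FORWARDED_DNS.dst}:53: {action} ({label})")
```

With the original rule set the switch's query to 172.16.2.1:53 falls through to the default deny, exactly as in the posted log, while the same switch reaching the GUI on 443 passes via the anti-lockout rule. Adding one "in" rule on LAN for UDP 53 to the LAN address fixes the DNS entries without opening anything else; the query to 8.8.8.8 is still denied until you decide it should be allowed.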