Firewall rules/orders for dummies

Started by tdalej, December 17, 2025, 08:23:07 PM

I just upgraded to 25.7.9_7 and am adjusting networks afterwards.

I have separate physical subnets for various purposes.
One I use for all WIFI and a security camera NVR.
I need _one_ camera on  LAN40 to talk to the NVR on LAN40.
I had the Wifi subnet isolated from the other subnets by the 3rd and 4th rule (successfully I thought).
I tried adding the top two rules for any protocol/any port between 192.168.20.70 and 192.168.40.5.
I'm missing something because the block to the subnet appears to be working, but the rules prior to that do not.
I'm not sure what I'm missing here, but if anyone can explain it to me like I'm a dummy, I'd appreciate it.


                Automatically generated rules

Proto  | Source           | Port | Destination                | Port | Gateway | Schedule | Description
IPv4 * | 192.168.20.70/24 | *    | 192.168.40.5/24            | *    | *       | *        | In rule for Security Camera
IPv4 * | 192.168.40.5/24  | *    | 192.168.20.70/24           | *    | *       | *        | Out Rule for Security Camera
IPv4 * | WIFI net         | *    | LAN20, LAN30, LAN40, LAN50 | *    | *       | *        | Default block out to private subnets rule
IPv4 * | WIFI net         | *    | LAN20, LAN30, LAN40, LAN50 | *    | *       | *        | Default block in to private subnets rule
IPv4 * | WIFI net         | *    | *                          | *    | *       | *        | Default allow WiFi to any rule

December 17, 2025, 08:38:42 PM #1 Last Edit: December 17, 2025, 08:42:13 PM by chemlud
rule 1 and 2: /32 instead of /24

why OUT rules? normally only IN needed. IN with respect to the interface....
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

If both devices are on LAN40 you do not need any rule.

If they are not and this is just a typo, you need one rule on the interface with the device that initiates the connection. So that depends on if the camera pushes to the recorder or if the recorder pulls from the camera.

Direction: in
Source: device initiating the connection /32 (!)
Destination: target device /32 (!)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
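A constructed walkthrough of the two points made in the replies above (a flow is decided by the rules on the interface where its first packet enters, replies ride the state, and why /32 rather than /24), as an added example that is not from the thread. It is a simplified model of pf's first-match evaluation using the addresses and rule descriptions posted here; it assumes LAN20 is 192.168.20.0/24, LAN40 is 192.168.40.0/24, and that the LAN20 interface has no pass rules of its own.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed, simplified model of pf/OPNsense evaluation: rules are bound to the
# interface a packet enters on, the first match wins, and a passed flow creates a
# state that admits its reply. Nets are assumed to be 192.168.20.0/24 (LAN20) and
# 192.168.40.0/24 (LAN40); LAN20 is assumed to have no pass rules of its own.

Rule = namedtuple("Rule", "iface action src dst descr")  # action: "pass" | "block"

def lan40_rules(prefix: int) -> list:
    """The camera/NVR and isolation rules from the thread, camera/NVR at /prefix."""
    cam, nvr = f"192.168.20.70/{prefix}", f"192.168.40.5/{prefix}"
    return [
        Rule("LAN40", "pass", cam, nvr, "In rule for Security Camera"),
        Rule("LAN40", "pass", nvr, cam, "Out Rule for Security Camera"),
        Rule("LAN40", "block", "192.168.40.0/24", "192.168.20.0/24", "Default block out to private subnets rule"),
        Rule("LAN40", "pass", "192.168.40.0/24", "0.0.0.0/0", "Default allow to any rule"),
    ]

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)  # (src, dst) of flows already passed

    def packet(self, iface: str, src: str, dst: str) -> str:
        if (dst, src) in self.states:         # reply of an established flow
            return "pass: existing state (reply traffic)"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:                  # first match wins
            if (r.iface == iface
                    and s in ipaddress.ip_network(r.src, strict=False)
                    and d in ipaddress.ip_network(r.dst, strict=False)):
                if r.action == "pass":
                    self.states.add((src, dst))
                return f"{r.action}: {r.descr}"
        return "block: default deny"

def walkthrough(prefix: int) -> dict:
    fw = Firewall(lan40_rules(prefix))
    return {
        # NVR pulls from the camera: enters on LAN40, passes, and the reply rides the state
        "nvr_pull": fw.packet("LAN40", "192.168.40.5", "192.168.20.70"),
        "camera_reply": fw.packet("LAN20", "192.168.20.70", "192.168.40.5"),
        # camera pushes first: enters on LAN20, so the LAN40 rules are never consulted
        "camera_push": Firewall(lan40_rules(prefix)).packet("LAN20", "192.168.20.70", "192.168.40.5"),
        # any other LAN40 host towards LAN20: blocked at /32, but passed by the /24 camera rule
        "other_host": Firewall(lan40_rules(prefix)).packet("LAN40", "192.168.40.99", "192.168.20.70"),
    }
```

Compare `walkthrough(32)` with `walkthrough(24)`: the /24 version lets every LAN40 host reach LAN20 through the camera rule, which is the hole the /32 advice closes.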

NVR is on LAN40 and the camera in question is on LAN20.
LAN40 is used for things that I don't want to have access to the other networks.
Putting that one camera on LAN40 would cost another POE injector, and I already have a POE switch in that location on LAN20 ...

I added out and in rules because I need to be able to register the camera to the NVR and it needs bidirectional traffic?
The rules right below block all traffic between those networks if I understand them correctly.

Changing to /32 from /24 made no difference.
Do I need to disable and reenable, or reboot?

Quote from: tdalej on December 17, 2025, 09:58:02 PM
> I added out and in rules because I need to be able to register the camera to the NVR and it needs bidirectional traffic?
> The rules right below block all traffic between those networks if I understand them correctly.

No, read about "stateful firewall".

How about IPv6?
kind regards
chemlud

I have read the opnsense docs on firewall rules.
It says that "When changing rules, sometimes it's necessary to reset states to assure the new policies are used for existing traffic. You can do this in Firewall ‣ Diagnostics ‣ States."
I have done that with no change.

This is the current set of rules enabled on the LAN40 interface.
                automatically generated rules:
       IPv6 *    *    *    *    *    *    *    *    Block all IPv6    
      IPv4+6 *    *    *    *    *    *    *    *    Default deny / state violation rule    
      IPv4+6 TCP/UDP    *    0    *    *    *    *    *    block all targeting port 0    
      IPv4+6 TCP/UDP    *    *    *    0    *    *    *    block all targeting port 0    
      IPv4+6 TCP    <sshlockout>    *    (self)    22 (SSH)    *    *    *    sshlockout    
      IPv4+6 TCP    <sshlockout>    *    (self)    443 (HTTPS)    *    *    *    sshlockout    
      IPv4+6 *    <virusprot>    *    *    *    *    *    *    virusprot overload table    
      IPv4 UDP    *    68    255.255.255.255    67    *    *       allow access to DHCP server    
      IPv4+6 UDP    *    68    (self)    67    *    *       allow access to DHCP server    
      IPv4+6 UDP    (self)    67    *    68    *    *       allow access to DHCP server    
      IPv4+6 *    *    *    *    *    *    *    *    let out anything from firewall host itself    
      IPv4+6 *    (ix0)    *    ! WAN net    *    WAN_GW    *    *    let out anything from firewall host itself (force gw)    

               Rules I have added

Proto  | Source           | Port | Destination                     | Port | Gateway | Schedule | Description
IPv4 * | 192.168.40.11/32 | *    | LAN20 net                       | *    | *       | *        | Out rule for a single host to any internal network
IPv4 * | 192.168.20.70/32 | *    | 192.168.40.5/32                 | *    | *       | *        | In rule for Security Camera
IPv4 * | 192.168.40.5/32  | *    | 192.168.20.70/32                | *    | *       | *        | Out Rule for Security Camera
IPv4 * | LAN40 net        | *    | LAN20 net, LAN30 net, LAN50 net | *    | *       | *        | Default block out to private subnets rule
IPv4 * | LAN40 net        | *    | LAN20 net, LAN30 net, LAN50 net | *    | *       | *        | Default block in to private subnets rule

                 Default created at installation

Proto  | Source           | Port | Destination                     | Port | Gateway | Schedule | Description
IPv4 * | LAN40 net        | *    | *                               | *    | *       | *        | Default allow WiFi to any rule


Can anyone clue me in?
What am I missing here?
I have tried only In rules and only Out rules and both.   
Nothing seems to work.