Help with what I did wrong in this firewall setting

Started by Plus0974, Today at 07:27:13 AM

I created a vlan network for my home server which is meant to not allow devices on it to access the internet. After creating the no internet access firewall rule I then created a second rule to allow devices from my regular LAN network to access it on top of the block access rule but it doesn't seem to be working. Below are screenshots of the Pass and Block firewall rules. mediaserver is the new network with no internet access for the devices virtual machine servers that will be in it. I'll put this in here if it matters as well but so far I've only put a Home Assistant virtual machine in here and set the gateway and domain as 192.168.6.1 since the mediaserver vlan does use that as the gateway and I set the static IP as 192.168.6.2 and left the netmask at the default 255.255.255.0. This was done in the Home Assistant settings since I was able to set it in there.

Today at 08:54:57 AM #1 Last Edit: Today at 09:00:37 AM by meyergru
The first rule is an "in" rule for your mediaserver interface, yet it applies only to source addresses in the LAN network, so it probably never applies. More often than not, you will specify either the interface network or even "any" as source address. Remember, the source addresses will probably be from the interface network range - but that is implicitly given by the fact that the interface they arrive on is specified anyway.

The second rule blocks anything from the mediaserver interface to anywhere. If there is no preceding rule, it will block any traffic passing the firewall.

Essentially, these rules would allow only level 2 traffic on the mediaserver network that does not pass the firewall. Also, order is usually important (well, not if the rules do not work out, such as these).

You should familiarize yourself with the basic concepts of OpnSense firewalling, especially with how rules are applied (packets going "in" on an interface), rule precedence and network coverage. If you want to block access to "the internet" (which is destination "any"), you may still need rules preceding the block rule that in turn allow your other VLANs (like allow to "RFC1918").

If you want to analyse what really happens, just imagine a packet with source and destination addresses and ports and apply the set rules in order.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
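The "imagine a packet and apply the rules in order" exercise from the reply above, written out as a small first-match rule evaluator. This is an added example, not code from the thread or from OPNsense; it models only the interface, source and destination checks for a new connection (no ports, no state tracking). The mediaserver VLAN 192.168.6.0/24 comes from the post; the LAN range 192.168.1.0/24, the public destination 203.0.113.5 and the pass rule placed on the LAN interface are assumptions for the example. AS_POSTED contains only the two rules from the screenshots.

```python
import ipaddress

# Constructed addresses. 192.168.6.0/24 is the mediaserver VLAN from the post;
# the LAN range and the public destination are assumptions for the example.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")          # assumed LAN range
MEDIA_NET = ipaddress.ip_network("192.168.6.0/24")        # mediaserver VLAN
ANY = [ipaddress.ip_network("0.0.0.0/0")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def evaluate(rules, interface, src, dst):
    """First-match evaluation of 'in' rules for a new connection arriving on
    `interface`. Returns 'pass' or 'block'; no match means the implicit
    default deny. Established states (reply traffic) are not modelled."""
    for rule in rules:
        if rule["iface"] != interface:
            continue            # a rule only sees packets entering its interface
        if matches(src, rule["src"]) and matches(dst, rule["dst"]):
            return rule["action"]
    return "block"


# Rule set as posted: the pass rule on the mediaserver interface only accepts
# LAN source addresses, which never arrive on that interface, so the block
# rule that follows it catches everything.
AS_POSTED = [
    {"iface": "mediaserver", "action": "pass",  "src": [LAN_NET],   "dst": ANY},
    {"iface": "mediaserver", "action": "block", "src": [MEDIA_NET], "dst": ANY},
]

# Corrected set (assumed layout): the LAN-to-mediaserver allow lives on the LAN
# interface where those packets enter; on mediaserver, private destinations
# are allowed before the catch-all block, so only internet-bound traffic drops.
CORRECTED = [
    {"iface": "lan",         "action": "pass",  "src": [LAN_NET],   "dst": [MEDIA_NET]},
    {"iface": "mediaserver", "action": "pass",  "src": [MEDIA_NET], "dst": RFC1918},
    {"iface": "mediaserver", "action": "block", "src": [MEDIA_NET], "dst": ANY},
]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "LAN->media:", evaluate(rules, "lan", "192.168.1.10", "192.168.6.2"))
        print(name, "media->LAN:", evaluate(rules, "mediaserver", "192.168.6.2", "192.168.1.10"))
        print(name, "media->internet:", evaluate(rules, "mediaserver", "192.168.6.2", "203.0.113.5"))
```

Swapping the order of the two mediaserver rules in CORRECTED makes the block rule win again, which is the precedence point the reply makes.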