OPNsense Forum » English Forums » General Discussion » Please help with basic firewall configuration
Topic: Please help with basic firewall configuration (Read 4793 times)

mimo (Newbie, Posts: 8, Karma: 0), on: September 27, 2017, 10:37:22 pm
I've been struggling with setting up some basic firewall rules for hours now. It looks like everything I try is ignored. I have created a WAN interface and multiple LAN interfaces. Routing should be done from every LAN to the WAN, but not between the LANs.
I tried to disable ALL firewall rules on EVERY interface and even added a generic "block everything" rule on one LAN. But I can still send ICMP requests and reach an HTTP server on this LAN from another LAN. The only way I found working was to remove the interface's IP address of the LAN with the HTTP server - so the traffic is definitely flowing through OPNsense.
What is going wrong here? Do you have to explicitly enable the firewall somewhere?

bartjsmit (Hero Member, Posts: 2016, Karma: 194), Reply #1 on: September 28, 2017, 08:14:23 am
Can you give more details on your setup? Do you use VLAN separation or separate L2 infrastructure?
Bart...

mimo (Newbie, Posts: 8, Karma: 0), Reply #2 on: September 28, 2017, 10:12:03 am
OPNsense is running on Hyper-V 2012. The physical server is connected to the switch via 3 NICs, Teaming is enabled in Hyper-V. The team NIC is assigned to the OPNsense VM with trunking enabled, VLAN separation is done by OPNsense.
I installed OPNsense 16.7 a year ago, did just the basic configuration and added the VLANs, then added "allow everything" firewall rules on each VLAN. It has been running since then, I just did all the upgrades from time to time. Now I'm trying to make the "allow everything" rules a bit more secure...

NilsS (Full Member, Posts: 176, Karma: 19), Reply #3 on: September 28, 2017, 02:48:58 pm
Create an alias LOCALNETWORKS with all your local networks inside.
Change the allow rules to destination NOT LOCALNETWORKS.

mimo (Newbie, Posts: 8, Karma: 0), Reply #4 on: September 28, 2017, 09:11:15 pm
After some more hours of digging and finally setting up another complete environment with different hardware, I was able to track this down: It was working all the time, all I had to do was clear the state table.
I always started by accessing the second LAN, then adding a blocking rule and expecting access to be lost immediately. Connections that are already established are not touched by new firewall rules. Although perfectly valid, this behavior is quite unintuitive - especially if your old firewall was stateless.
Maybe you could add a hint to this somewhere in the GUI to save other people from these hours of frustration?
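
A simplified model of the behaviour described in Reply #4, combined with the rule change from Reply #3, as an added example that is not part of the original thread and is not OPNsense code. The class, the function names and the 192.168.x.0/24 networks are constructed for illustration, and the model ignores direction, interfaces and protocol details.

```python
import ipaddress

# Constructed sample networks; the alias name follows Reply #3.
LOCALNETWORKS = [ipaddress.ip_network(n)
                 for n in ("192.168.10.0/24", "192.168.20.0/24")]

class StatefulFilter:
    """Toy stateful filter: rules are evaluated only for packets
    that match no entry in the state table."""

    def __init__(self):
        self.rules = []      # ordered (action, predicate); first match wins in this model
        self.states = set()  # established flows as (src, dst, dport)

    def passes(self, src, dst, dport):
        key = (src, dst, dport)
        if key in self.states:
            return True      # state hit: the current ruleset is never consulted
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, predicate in self.rules:
            if predicate(s, d, dport):
                if action == "pass":
                    self.states.add(key)  # later packets of this flow skip the rules
                    return True
                return False
        return False         # nothing matched: default deny

    def flush_states(self):
        self.states.clear()

def allow_everything(src, dst, dport):
    return True

def dest_not_localnetworks(src, dst, dport):
    # "destination NOT LOCALNETWORKS" from Reply #3
    return not any(dst in net for net in LOCALNETWORKS)

def demo():
    fw = StatefulFilter()
    fw.rules = [("pass", allow_everything)]          # the old "allow everything" rule
    lan_flow = ("192.168.10.5", "192.168.20.80", 80)  # LAN to LAN HTTP, constructed
    before = fw.passes(*lan_flow)                    # creates a state entry
    fw.rules = [("pass", dest_not_localnetworks)]    # tightened ruleset
    stale = fw.passes(*lan_flow)                     # still allowed via the old state
    fw.flush_states()
    after = fw.passes(*lan_flow)                     # now evaluated against new rules
    internet = fw.passes("192.168.10.5", "203.0.113.10", 443)
    return before, stale, after, internet

if __name__ == "__main__":
    print(demo())
```

On a pf-based system the matching operation is flushing the state table, for example with `pfctl -F states`, which also drops every other established connection through the firewall.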