Please help with basic firewall configuration

Started by mimo, September 27, 2017, 10:37:22 PM

I've been struggling with setting up some basic firewall rules for hours now. It looks like everything I try is ignored. I have created a WAN interface and multiple LAN interfaces. Routing should be done from every LAN to the WAN, but not between the LANs.

I tried to disable ALL firewall rules on EVERY interface and even added a generic "block everything" rule on one LAN. But I can still send ICMP requests and reach an HTTP server on this LAN from another LAN. The only way I found working was to remove the interface's IP address of the LAN with the HTTP server - so the traffic is definitely flowing through OPNsense.

What is going wrong here? Do you have to explicitly enable the firewall somewhere?

Can you give more details on your setup? Do you use VLAN separation or separate L2 infrastructure?

Bart...

OPNsense is running on Hyper-V 2012. The physical server is connected to the switch via 3 NICs, Teaming is enabled in Hyper-V. The team NIC is assigned to the OPNsense VM with trunking enabled, VLAN separation is done by OPNsense.

I installed OPNsense 16.7 a year ago, did just the basic configuration and added the VLANs, then added "allow everything" firewall rules on each VLAN. It has been running since then, I just did all the upgrades from time to time. Now I'm trying to make the "allow everything" rules a bit more secure...

Create an alias LOCALNETWORKS with all your local networks inside.

Change the allow rules to destination NOT LOCALNETWORKS.


After some more hours of digging and finally setting up another complete environment with different hardware, I was able to track this down: It was working all the time, all I had to do was clear the state table.  >:(

I always started by accessing the second LAN, then adding a blocking rule and expecting access to be lost immediately. Connections that are already established are not touched by new firewall rules. Although perfectly valid, this behavior is quite unintuitive - especially if your old firewall was stateless.

Maybe you could add a hint to this somewhere in the GUI to save other people from these hours of frustration?
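The two points made in this thread, the "destination NOT LOCALNETWORKS" allow rule and the fact that an existing state keeps passing traffic until the state table is cleared, modelled as an added Python example. This is not OPNsense code or anything posted by the participants; the networks, addresses and the simplified state key are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the LOCALNETWORKS alias (two LAN VLAN subnets).
LOCALNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.168.20.0/24")]

def in_alias(ip, alias):
    """True if ip falls inside any network of the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)

class StatefulFirewall:
    """Minimal model: first-match rule evaluation plus a state table.
    A packet matching an existing state is passed without consulting the rules,
    which is what a new block rule does not change until states are flushed."""
    def __init__(self, rules):
        self.rules = list(rules)  # (action, predicate(src, dst)) in evaluation order
        self.states = set()       # established flows, keyed (src, dst, dport) for simplicity

    def add_rule_first(self, rule):
        self.rules.insert(0, rule)

    def flush_states(self):       # equivalent of resetting the state table
        self.states.clear()

    def packet(self, src, dst, dport):
        flow = (src, dst, dport)
        if flow in self.states:   # state entry wins over the current ruleset
            return "pass (state)"
        for action, match in self.rules:
            if match(src, dst):
                if action == "pass":
                    self.states.add(flow)   # a pass rule creates state
                return action
        return "block"            # implicit default deny

def reproduce_thread():
    """Allow-everything rule, then a block rule added while a connection is up."""
    fw = StatefulFirewall([("pass", lambda s, d: True)])
    first = fw.packet("192.168.10.5", "192.168.20.80", 80)   # LAN1 -> LAN2, creates state
    fw.add_rule_first(("block", lambda s, d: True))          # generic "block everything"
    still = fw.packet("192.168.10.5", "192.168.20.80", 80)   # state still passes it
    fw.flush_states()                                        # clear the state table
    after = fw.packet("192.168.10.5", "192.168.20.80", 80)   # now the block rule applies
    return first, still, after

def recommended_ruleset():
    """Allow only traffic whose destination is NOT in LOCALNETWORKS."""
    fw = StatefulFirewall([("pass", lambda s, d: not in_alias(d, LOCALNETWORKS))])
    lan_to_lan = fw.packet("192.168.10.5", "192.168.20.80", 80)
    lan_to_wan = fw.packet("192.168.10.5", "203.0.113.10", 443)
    return lan_to_lan, lan_to_wan
```

Real pf state entries are keyed on more fields and are direction-aware, but the order of evaluation shown here (state lookup before rules) is the behaviour the thread ran into.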