[SOLVED] How can I restrict device to the local network only with one exception?

[comet]

If you want to manage a single host/ IP address with rules regarding also the traffic from LAN (not only WAN), then you have to isolate that host/ IP address to a different broadcast domain (meanining, another LAN - let's say LAN2 - interface with another subnet).

This is the only way to ”force” through OPNsense, for that specific host/ IP address, the traffic from/ to anywhere, LAN1 and WAN.
Otherwise, only WAN (to/ from) traffic for that host will pass through OPNsense, hosts in the same subnet/ broadcast domain will pass through the switch(es) only.

Cheers!

PS Of course this implies, for fine tuning, performance and best practices, either different VLANs configured on the level 2 managed switch(es) and OPNsense for those different internal LANs, or different switches for those different interfaces/ broadcast domains (or that particular host/ IP address directly plugged in another OPNsense NIC). But, if you don't have either of these, then it works even with no different switches/ VLANs/ dedicated NIC on OPNsense, giving the fact that you will have some extra broadcast traffic in your network.

Not a single word of that made a bit of sense to me.  But keep in mind, the method described in my previous post works fine except for the fact that the device I'm limiting outgoing access to can't seem to resolve the address of the mailserver.  As long as I use the dotted IPv4 address at both the machine and in my alias, it works.

It just confounds me how so many people who have been using OPNsense far longer than I seem to have such very different ideas of how things work.  Is it really that hard to grasp?

[comet]

One thing to keep in mind when making all these rules and assuming that everything on the switch can talk to anything else on the switch is that assuming for instance we are talking about 192.168.1.0/24 and pfsense LAN is maybe 192.168.1.1 and everything else is .2 - .254

The rules you put (or don't put) on the LAN firewall will impact the host's ability to communicate or not communicate with 192.168.1.1, which is pretty important.

You've just described my setup exactly.  So are you saying I need some additional rule to allow the machine to access the DNS server at 192.168.1.1 (OPNsense)?  I would have thought 192.168.1.1 is considered part of the local network, same as any other machine in the 192.168.1.x range.

[xinnan]

It is.  But with so much talk of how nothing on the switch needs to be explicitly allowed, just throwing in the reminder not to break connectivity with opnsense LAN by accident.

[chemlud]

You've just described my setup exactly.  So are you saying I need some additional rule to allow the machine to access the DNS server at 192.168.1.1 (OPNsense)?  I would have thought 192.168.1.1 is considered part of the local network, same as any other machine in the 192.168.1.x range.

Consider your OPNsense kind of "personal firewall" for the LAN port at 192.168.1.1. So if your sense is your DNS server, allow port 53 on 192.168.1.1 from LANnet. Done.

If your DNS server is on another machine on the LAN, which has such a personal firewall enabled, you would need a firewall rule on THIS personal firewall, to reach your DNS server. 

If you run further services for your LAN on the sense, YMMV... ;-)

[comet]

You've just described my setup exactly.  So are you saying I need some additional rule to allow the machine to access the DNS server at 192.168.1.1 (OPNsense)?  I would have thought 192.168.1.1 is considered part of the local network, same as any other machine in the 192.168.1.x range.

Consider your OPNsense kind of "personal firewall" for the LAN port at 192.168.1.1. So if your sense is your DNS server, allow port 53 on 192.168.1.1 from LANnet. Done.

If your DNS server is on another machine on the LAN, which has such a personal firewall enabled, you would need a firewall rule on THIS personal firewall, to reach your DNS server. 

If you run further services for your LAN on the sense, YMMV... ;-)

Ai yi yi... my head is spinning.

The one and only DNS server on the LAN is OPNsense at 192.168.1.1

The machine for which I've blocked outbound communications seems to have no problem communicating with any other machine on the local 192.168.1.x network (which is what I want).  According to you, "There IS no way to block traffic on the LAN via rules in the firewall. This traffic never reaches the firewall. LAN = LAN = LAN, all devices talk directly to each other."  And phoenix said, "You do not need any rule for your PCs to talk to each other on the LAN if they are all in the same subnet. All my machines can talk to each other quite happily."

192.168.1.1 is in the same subnet as all the other machines, which is the ONLY LAN subnet in this OPNsense installation.  So, if it is as you and phoenix said, then I fail to comprehend why a separate rule would be needed to allow access to the DNS server that is part of OPNsense.

I know you guys are thinking about all the possible implications of having multiple subnets and such but I don't have anything nearly that complicated - for the most part I've just been trying to emulate the operation of a standard off-the-shelf router, but maybe trying to do a couple of extra things if I can get them to work.  I would have thought that this would have been REALLY SIMPLE but now it has turned into a two page thread with a lot of conflicting information, and posts I don't understand at all.

I'm beginning to think no one really understands OPNsense, and we are all just guessing and making it up as we go along?

So anyway, to be clear, I have ONLY ONE LAN subnet, in the 192.168.1.x range.  And my only question now is, if it is impossible to keep devices in the same subnet from communicating with each other using the OPNsense firewall, then why would any machine on the LAN not be able to access the OPNsense DNS server at 192.168.1.1?

[xinnan]

Well, lets say you have 10 devices on the lan switch and opnsense is one of them.

The opnsense is usually providing DHCP services for all the devices on that lan switch. 

So lets say you start thinking "Why do I even need this default allow rule?".  So you delete it.

Suddenly no device on the lan switch has access to the dhcp service and they are not allocated IPs.

They also get their DNS from the opnsense LAN by default...   But without that default allow rule they can't. 

So, can all the devices on the LAN switch talk to each other no matter what you do with the opnsense firewall rules?

Sure - But you usually need services on the opnsense, and thus you need at least the default rule.

So, even though you can't keep 10 devices on a dumb lan switch from communicating with firewall rules on the LAN so that DNS is broken, DHCP is broken, etc etc. 

So, just be sure to always allow every client access to all the services you need that run on the opnsense. 

Reading your initial question, to me, it sounds like you just need a couple of simple rules applied to the lan firewall for one single IP.  Doesn't need to be to complicated.

[comet]

Well, lets say you have 10 devices on the lan switch and opnsense is one of them.

The opnsense is usually providing DHCP services for all the devices on that lan switch. 

So lets say you start thinking "Why do I even need this default allow rule?".  So you delete it.

WHAT default allow rule are you talking about?  I am aware of no specific default allow rule for DNS, and if you are talking about the default allow LAN to any rule, if I understand correctly deleting that would completely disable your ability to access the Internet.

Suddenly no device on the lan switch has access to the dhcp service and they are not allocated IPs.

They also get their DNS from the opnsense LAN by default...   But without that default allow rule they can't.

Again, I am not sure what default allow rule you are talking about.

So, can all the devices on the LAN switch talk to each other no matter what you do with the opnsense firewall rules?

Sure - But you usually need services on the opnsense, and thus you need at least the default rule.

I know I am sounding like a broken record here, but again, WHAT default rule?

So, even though you can't keep 10 devices on a dumb lan switch from communicating with firewall rules on the LAN so that DNS is broken, DHCP is broken, etc etc. 

So, just be sure to always allow every client access to all the services you need that run on the opnsense. 

Reading your initial question, to me, it sounds like you just need a couple of simple rules applied to the lan firewall for one single IP.  Doesn't need to be to complicated.

Okay, so I have explained that under Firewall: Rules (LAN tab) I made two rules:
An ALLOW rule with the source set to the machine alias, and the destination set to the mail server alias.
A DENY rule with the source set to the machine alias, and the destination set to any.

So you are saying I need another rule like this under the Firewall: Rules (LAN tab), perhaps one that looks like this?

Action: Pass
Disabled: (unchecked)
Interface: LAN
TCP/IP Version: IPv4    
Protocol: TCP/UDP
Source / Invert: (unchecked)
Source: The alias of the machine in question
Source port range: from: DNS to: DNS
Destination / Invert: (unchecked)
Destination: Single host or network: 192.168.1.1/32
Destination port range: from: DNS to: DNS

Nothing else changed except maybe adding a Description.  Does that look correct?

The only other thing I am not sure about is under Advanced features there is a Gateway option, it is set to default.  If I created this rule I wonder if that would cause a problem by trying to send the DNS requests to 192.168.1.1 out on the Internet (which would obviously fail).  But none of the other options in that dropdown look right either.

[comet]

Well, I wound up doing an end run around the email problem.  Rather than fight with OPNsense to find a rule that would allow the outgoing email to pass, I remembered that one of this systems on my network is running exim4 just so it can send outbound mail.  With only a couple of small changes to its configuration file, exim4 can act as an outgoing mail relay for other machines on the local network.  So, I now have the blocked machine send email to the system running exim4, and it in turn passes it along to the ISP mail server.  Works great.

Also realized that the blocked machine couldn't get to a timeserver despite the fact that it was pointed at the built-in timeserver in OPNsense, so I set up ntp on one of the local machines on the network; it gets the time from the router (and a fallback server) and then the blocked machine gets the time from it.

It still makes no sense to me why a firewall rule that supposedly cannot restrict communications between devices on the local network somehow manages to restrict communications to OPNsense itself, even though OPNsense is very much on the local network.  But sometimes it's just easier to work around the problem than to spend any more time trying to figure it out.

[Ciprian]

It still makes no sense to me why a firewall rule that supposedly cannot restrict communications between devices on the local network somehow manages to restrict communications to OPNsense itself, even though OPNsense is very much on the local network.

The FW rule can and will ALWAYS restrict communication between ALL devices on the local network - if set so, of course - but only when that specific traffic passes through the FW; and since the switch in your network acts as a direct intermediator between those devices in the local network, and since the switch does not have any permit/ deny rules of itself, at FW level you cannot block traffic between devices in the same broadcast domain (aka local network): that traffic does not get to, and is not seen by, the FW.

Put it in other words, the same idea states that for a successful and full communication in the same network, between devices in the same broadcast domain, you don't even need a GW IP address (which most of the time is the FW IP address) being set on those devices, you only need to set, on every device, the IP addresses of that device and the correct SubNet Mask for that local network/ broadcast domain. Voila, it works, full and successful communication between any device and every device.

Hope it's clear now!

[comet]

So the traffic is not blocked only because the switch is intercepting it and it's never getting to the router?  That's interesting.

At this point the only outbound rule that I have added is this:

Action: Block
Disabled: (unchecked)
Interface: LAN
TCP/IP Version: IPv4   
Protocol: any
Source / Invert: (unchecked)
Source: The alias of the machine in question
(No advanced source settings used)
Destination / Invert: (unchecked)    <----- Should be checked
Destination: Single host or network: any    <----- Should be "LAN Net"
Destination port range: from: any to: any

(EDIT:  For the benefit of anyone reading this thread at a later date, what should be changed is shown in bold above. See hutiucip's reply #32 in this thread for the explanation. End of edit.)

This effectively blocks everything but also blocks all traffic to the router itself.  I think it is the Destination setting that has me confused, and of course that is the only one with no help available.  Setting it to "any" may be wrong, and my first thought is that maybe "WAN net" or "WAN address" might have been the more correct choice, but I am not sure of that.  My only choices there are "Single host or network", my various pre-defined aliases, and the following: "any", "This Firewall", "LAN Net", "LAN Address", "WAN Net", or "WAN Address".  What I am not clear on is the distinction between "WAN Net" and "WAN Address".  My original goal was to block ALL outbound traffic to the Internet except for traffic to a mail server, however I wasn't trying to block local traffic (to and from other machines on the local network) nor to the router itself.

(EDIT:  For the benefit of anyone reading this thread at a later date, I will try to save you from having to wade through the rest of this thread to get an answer to this.  If I am understanding correctly from the posts that follow this one, WAN Net is the network that the WAN port is connected to.  It is NOT the Internet.  As an example, if your home router running OPNsense is directly connected to a cable modem via the WAN port, then the only two devices on the WAN Net are your cable modem and your router.  Typically the WAN Net will use addresses that are neither on the Internet nor part of your LAN.  For example, your LAN may use addresses in the 192.168.1.x range, but your cable modem might be accessible as 192.168.10.1 - in that case 192.168.10.x would be your WAN Network, and for many home users the only things on the WAN Net would be the cable or DSL modem, and the router running OPNSense.  As for WAN Address, that would be the address of the router running OPNSense as seen on the WAN port - for example if the cable modem is 192.168.10.1, it might assign an address of 192.168.10.2 to the router.  In that case 192.168.10.2 would be the "WAN Address" and both 192.168.10.1 and 192.168.10.2 would be on the WAN Net, but neither of those (neither "WAN Net" nor "WAN Address") includes addresses on the Internet as a whole.  Note that more complex configurations are possible; here I am only talking about the situation where the cable or DSL modem is connected directly to the router's WAN port via a single direct cable, as would be the case in many home installations.  And again, this assumes that I have finally understood all this, which I do not guarantee.  End of edit.)

Rather than try and guess what the correct setting should be, I just used the workarounds in my previous post.  But it would be really helpful if there could be some help text for the Destination setting - those choices may seem obvious to experienced users but if it's not a choice that says "all Internet traffic" then it's not obvious to me, especially when there are two different WAN choices.  Yes, I want to block all traffic to the WAN Net, but yes, I also want to block all traffic to all WAN addresses, so which do I choose?  Using the "any" choice removes the ambiguity (and also assures me that nothing is leaking to the Internet), but has the unintended consequence that the devices cannot communicate with the local DNS or NTP servers in OPNsense.

[Ciprian]

Hey, c'mon!...

No offense, comet, but it's nobody's fault you are reading "any", and interpret "any, but not...". Also, I guess nobody could have thought "Well, maybe there will be a few people among millions that will have a different interpretation of 'any', so I should explain 'any' better!". (sorry for being ironical, but I couldn't help myself, the context is too funny ).

Regarding the difference between WAN net and WAN address, it's the same as for LAN net and LAN address: WAN net means the network segment/ broadcast domain corresponding to the WAN interface, ISP devices included - usually, your WAN GW only, since most ISPs offer a public IP address (that WAN address) in a /30 network range (that WAN net). But it is useful to have them that way for cases like, as an example, when the firewall is not the one and only firewall in the network, and maybe WAN on a particular firewall is on another internal network. It helps to isolate traffic for specific network devices to a specific internal network, or perimeter network, through WAN, and you want to cut the traffic at the internal (first/ closest) firewall level, and not loading all other network devices, only to be discarded at external (last/ most distant) firewall level - network load and flow optimization.

Yes, I want to block all traffic to the WAN Net, but yes, I also want to block all traffic to all WAN addresses, so which do I choose?  Using the "any" choice removes the ambiguity (and also assures me that nothing is leaking to the Internet), but has the unintended consequence that the devices cannot communicate with the local DNS or NTP servers in OPNsense

You are trying to get something nobody has: a FW setup with one single rule to fit everything - for what you say, blocking everything, but not a specific proto/ port, you have the option of one permit rule for NTP (or DNS, or etc.), followed by one block rule, for any. And this is the approach the industry had for decades.

Hope it's clear now.
Cheers!

[comet]

hutiucip,

Well, besides being insulting in your first paragraph, you might as well have saved yourself the trouble of typing that response, because you've totally lost me again. Your reply contains so much jargon that I don't understand a word of it.

No offense, but you obviously spend too much time around networking people and don't have the foggiest clue how to talk to a user that hasn't taken a college course in networking.  If obfuscation was your goal, you have achieved it!

Really, I had ONE question - if "any" isn't the correct choice for the destination, then which would be better, out of all the possible choices (I would guess either WAN net or WAN address, but between those two I still have no idea which) - and you completely blew around that and went into a long technical explanation that made not a bit of sense to me.  By the way I had used "any" in the first place because fabian had recommended that in his reply to me (Reply #1 in this thread); I didn't just pull it out of thin air.

Is OPNsense only supposed to be used by networking gurus, and not by people who just want a better router in their homes than what they can buy off the shelf?  Sometimes, I wonder, given the effort some people seem to make to avoid posting clear answers to what should be simple questions.

If I sound ticked off, I am a little bit, given that you found my confusion so funny, and then apparently made an effort to post a reply that would only serve to 1) insult me and 2) confuse me more.  It's not at all funny when you don't understand, even if the answer may be obvious to anyone else.

[franco]

Hello,

I don't care about the topic at this point, but I care about the fact that comet seems to find himself / herself in heated discussions on multiple occasions. I wish this would have been more relaxed by now, but it is not.

For the sake of a friendly and motivating community I would like to ask everyone here to ponder about why they come here and ask for assistance, help people, learn something or if time is better spent elsewhere.

This cannot continue forever.


Cheers,
Franco

[xinnan]

Opnsense has many options which require a certain level of networking competence.  Not everyone will get it right away. Patience is probably more important than intelligence when dealing with solutions like opnsense, so just take what is offered and try to absorb.  No one is trying to kick you in the teeth.  Relax and ponder what is offered.

[comet]

franco, I sent you a PM.

Basically, I have just one question at this point, if anyone cares enough to type a useful two-word answer:  Should I have used something other than "any" (which is what franco had told me to use), specifically "WAN Net" or "WAN Address", as the destination, in order to block access to the Internet but still allow access to services in OPNsense?  And if so, and this is the most important question, which of those two would be the better choice?  This is a very simple setup, one WAN port that connects to a cable modem and one LAN port that connects to a switch.  No additional WAN or LAN networks beyond that; I wouldn't know how.

Now, if someone can explain the difference between "WAN Net" and "WAN Address" without resorting to jargon or esoteric concepts that would fly right over my head, I would very much appreciate it, but really I just need to know which is the correct choice, "WAN Net" or "WAN Address".

It's like if I were asking someone how to fry an egg.  I don't need to know the history of eggs, nor the different breeds of chickens, nor what type of chicken feed produces the best eggs.  Nor do I need an explanation that involves using kitchen utensils I've never heard of before in my life.  None of that would be the slightest bit helpful to me, and I'd probably walk away hungry.

I'd also ask people to remember that there was a time you didn't know any of this stuff either.  You probably asked questions and learned from the answers, but only if the person explaining could do it at the level you were at.  A child learning multiplication is not going to learn a thing from someone explaining calculus.  And, you probably didn't learn much if someone tried to make you feel stupid for asking questions (I had an 8th grade algebra teacher that did that, and to this day I do not know algebra).