[SOLVED] How can I restrict device to the local network only with one exception?

[comet]

What I would like to know might be common knowledge for some of you, but since I am very new to OPNsense I don't know how to do this.  What I would like to do is restrict access TO and FROM a particular device on the network to the local network only.  I don't want anyone on the Internet to be able to connect to it, which I assume is the default unless you make a specific rule to forward ports to it.  BUT, I also don't want it to be able to make an outgoing connection to anything outside the local network.  So far, is that possible, and if so how would I do that?  The device does have a fixed IP address on the local network.

If that is possible, then the second part is, this device periodically sends a status email to me and therefore it needs to connect to my ISP's mail servers using SMTP.  This is an address of the form smtp.mailserver.com.  So if possible I want it to be able to connect to that one specific address, and that address only.

In other words, I want it to have open access to and from the local network (everything connected to the LAN port), but to basically not know the Internet exists except for the mail server.  How would I do that in OPNsense?  Or is it even possible?  Thanks in advance for any help with this!

[fabian]

P1)

That works - just don't create a firewall rule that passes traffic to it. If you want all other computers in the same network segment to have unrestricted access, you need to add rules like them before them
1.
type: pass
source ip: device
destination: your local network
protocol: any
source port: any
destination port any

2.
type: block
source ip: device
destination: any
protocol: any

P2)
You can use the fqdn as an alias and use that in a pass rule for SMTP for this host as a destination.

[comet]

Thank you.  I assume you are talking about doing this in the Firewall: Rules, LAN tab, correct?  There is already a rule there to pass traffic, the "Default allow LAN to any rule".  So do I assume the rules are checked in top-down order?  If so, wouldn't I want to order the rules this way?

1. pass from the device to the local network
2. pass from the device to the specific external address
3. block all traffic from the device to any - this would block anything not explicitly allowed in the first two rules (I would think).
4. the existing "Default allow LAN to any rule"?

[xinnan]

If on the lan you make rules for your device's IPs in this order, above all other rules, it should be ok.

Allow the device to/from your local/24
Then allow the device all to/from your mail server's IP
Then block all to and from that device's IP.

In this order. 

Finally, the pass all to/from on LAN rule

Its pretty much what you typed above, but remember.  To and From.  Not just one or the other.

If you already figured it out, sorry for the repeat.

[comet]

Its pretty much what you typed above, but remember.  To and From.  Not just one or the other.

Well, now you have just totally lost me. I had assumed that all traffic FROM the internet was blocked by default unless you opened a specific port forwarding rule.  In other words, by default, nobody can just ssh into a machine on your local network even if they somehow have obtained your username and password, as long as you haven't forwarded port 22 to that machine.  That's kind of the whole point of having a firewall, to block all incoming traffic except that which you explicitly allow and forward to a machine on your network, right?

So what am I missing here?  What other kind of "from" traffic would I need to create a rule to block, and how would I create such a rule?  I don't want ANY incoming traffic from the Internet to go to this machine, other than the handshakes with the ISP's SMTP server, but I thought that was the normal condition.

[xinnan]

All traffic on every interface, including the LAN is block, both to and from without rules. 

Take a look at the default LAN rules.  Allow any protocol.  Any Source.  Any Destination. 

You know...   I've never tried port forwarding from the WAN to a LAN with no allow rules on the LAN.

I wonder what that might do?

But yeah - Like you said.  Without added rules, everything starts out totally blocked. 

[chemlud]

If your device on in tha LAN initiates traffic to a device on ANOTHER subnet (might be local, on your router, with different interface, or on the "internet", i.e. via the WAN) a STATE is initiated. This means that for the respective traffic in the opposite direction, no firewall rule is necessary.

LAN-device -> ask site on Internet

Firewall creates STATE

Internet site answer -> goes through to device on LAN (although you have a "BLOCK any any" rule on your WAN interface)

That's why the Sense is called a STATEFULL firewall.

What xinnan wrote is correct, I have it for some machines:

ALLOW port IMAP  source:specific IP  target:any 
ALLOW port SMTP  source:specific IP target:any 
BLOCK any port source: specific IP target:any

ALLOW ANY port source:LAN net target:any

Will allow only email for the specific IP and allow any IPv4 traffic for the rest of the LAN subnet. You can specify more protocols even for the rest of the LAN interface, if you want... ;-)
 

[comet]

All traffic on every interface, including the LAN is block, both to and from without rules. 

Take a look at the default LAN rules.  Allow any protocol.  Any Source.  Any Destination. 

You know...   I've never tried port forwarding from the WAN to a LAN with no allow rules on the LAN.

I wonder what that might do?

But yeah - Like you said.  Without added rules, everything starts out totally blocked.

Okay, thanks for clarifying.  But the default LAN rules are not "Allow any protocol.  Any Source.  Any Destination."  At least they were not when I set this up.  Instead they are the "Default allow LAN to any rule",  which would mean "Allow any protocol.  LAN Net Source.  Any Destination."  There was no default rule allowing all incoming traffic from the Internet, and it wouldn't really make sense to have the type of rule you mentioned, because the incoming packets still would not be directed to any specific device on the network.  For incoming packets it would be like sending a letter to someone in Japan and just putting "Japan" as the address.  The Japanese postal service would have no idea what to do with it, so it wouldn't go anywhere.

[comet]

If your device on in tha LAN initiates traffic to a device on ANOTHER subnet (might be local, on your router, with different interface, or on the "internet", i.e. via the WAN) a STATE is initiated. This means that for the respective traffic in the opposite direction, no firewall rule is necessary.

LAN-device -> ask site on Internet

Firewall creates STATE

Internet site answer -> goes through to device on LAN (although you have a "BLOCK any any" rule on your WAN interface)

That's why the Sense is called a STATEFULL firewall.

What xinnan wrote is correct, I have it for some machines:

ALLOW port IMAP  source:specific IP  target:any 
ALLOW port SMTP  source:specific IP target:any 
BLOCK any port source: specific IP target:any

ALLOW ANY port source:LAN net target:any

Will allow only email for the specific IP and allow any IPv4 traffic for the rest of the LAN subnet. You can specify more protocols even for the rest of the LAN interface, if you want... ;-)
 

Good, thanks. Although in your example you don't appear to be allowing local network traffic, and you are allowing IMAP (which I wouldn't need, since this device only sends mail, it doesn't receive it).  So it is a little different than what I want to do, but at least your example sort of confirms what I was thinking about how this would work after reading fabian's post.  Also your default rule is the same as what I have, so it makes more sense to me.

[chemlud]

There IS no way to block traffic on the LAN via rules in the firewall. This traffic never reaches the firewall. LAN = LAN = LAN, all devices talk directly to each other.

[comet]

There IS no way to block traffic on the LAN via rules in the firewall. This traffic never reaches the firewall. LAN = LAN = LAN, all devices talk directly to each other.

This is why this stuff is so confusing to me.  I have now received two directly contradictory responses:  fabian's reply above indicated that I do need a rule to allow traffic to other devices on the LAN, now you are in effect saying I don't.

I hate to phrase it this way, but I'd really like to know:  Who is right?

[phoenix]

I hate to phrase it this way, but I'd really like to know:  Who is right?

You do not need any rule for your PCs to talk to each other on the LAN if they are all in the same subnet. All my machines can talk to each other quite happily.

[comet]

Okay, so what I did was this:

Defined the machine I want this to apply these rules to as an alias, using the host IP address (I did this because I decided I actually wanted the same rule to apply to two machines on the network, so using an alias let me specify both).
Defined the mail server as an alias, using the host address of the mail server.  As I noted it is in the form smtp.mailserver.com so I hope that actually works, and that OPNsense can resolve it correctly.

Under Firewall: Rules (LAN tab) made two rules:
An ALLOW rule with the source set to the machine alias, and the destination set to the mail server alias.
A DENY rule with the source set to the machine alias, and the destination set to any.

The above rules are below the Anti-Lockout Rule and before the Default allow LAN to any rule.

I guess I will know if it works if I get the next email it sends. I was still able to access the system from the local network, so I guess you really don't need a specific rule to allow that.  Thanks to all who posted here and helped me understand this!

Edit: It didn't work!  The blocking part worked fine, but sending test emails from the machine in question didn't work.  I finally figured out that I had to use the dotted IPv4 address both in the router alias, and when specifying the mail server on the machine itself.  If I used the smtp.mailserver.com form of the address it didn't work.  Which is weird, because the machine is set to use the DNS server in OPNsense (so, a local address) but for some reason it apparently still couldn't resolve the address.  Yet if I use nslookup (on a different machine) and it goes to OPNsense, it gets the correct IPv4 address with no problem.  Don't get it, but oh well.  I just hope that mail server address doesn't change often.

[Ciprian]

If you want to manage a single host/ IP address with rules regarding also the traffic from LAN (not only WAN), then you have to isolate that host/ IP address to a different broadcast domain (meanining, another LAN - let's say LAN2 - interface with another subnet).

This is the only way to ”force” through OPNsense, for that specific host/ IP address, the traffic from/ to anywhere, LAN1 and WAN.
Otherwise, only WAN (to/ from) traffic for that host will pass through OPNsense, hosts in the same subnet/ broadcast domain will pass through the switch(es) only.

Cheers!

PS Of course this implies, for fine tuning, performance and best practices, either different VLANs configured on the level 2 managed switch(es) and OPNsense for those different internal LANs, or different switches for those different interfaces/ broadcast domains (or that particular host/ IP address directly plugged in another OPNsense NIC). But, if you don't have either of these, then it works even with no different switches/ VLANs/ dedicated NIC on OPNsense, giving the fact that you will have some extra broadcast traffic in your network.

[xinnan]

One thing to keep in mind when making all these rules and assuming that everything on the switch can talk to anything else on the switch is that assuming for instance we are talking about 192.168.1.0/24 and pfsense LAN is maybe 192.168.1.1 and everything else is .2 - .254

The rules you put (or don't put) on the LAN firewall will impact the host's ability to communicate or not communicate with 192.168.1.1, which is pretty important.

But yeah - A dumb switch is a free-for-all, which is not always a bad thing, but can be.