Welcome to the Home Network Guy forum!

Recent posts

#61
Tech Discussions / Re: Firewall rules - OPNsense ...
Last post by Home Network Guy - September 07, 2021, 09:56:02 AM
The problem is that the "WAN net" alias does not mean "allow access to the Internet". The Internet essentially consists of all non-private IP addresses (except for a few other specially reserved IP ranges). Your external WAN address is only on 1 network out of billions/trillions on the Internet. That's why when you create rules you essentially need an "allow all" rule near the bottom of your rules which basically is like "allow all other", as in allow all other traffic out to the Internet (and other internal networks if you do not have any blocks in place).

So on the NA interface, you could have something like:

Block NA net to NB net
Allow NA net to any HTTP/HTTPS
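To make the point above concrete, here is an added example (it is not code from the thread or from OPNsense itself): a small first-match rule evaluator in Python. The addresses are constructed for illustration; the thread does not give any real ones. It runs the rules exactly as the original poster described them (destination "WAN net") next to the rules suggested in the reply (block NB first, then pass HTTP/HTTPS to any) against the same packets, and goes one step beyond the post by also feeding it a UDP DNS packet and an IPv6 packet, to show what the implicit default deny does when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network, str]

# Constructed addressing for the example; the thread gives no real addresses.
WAN_NET = ipaddress.ip_network("203.0.113.0/24")  # what "WAN net" expands to: only the WAN subnet
NA_NET = ipaddress.ip_network("192.168.10.0/24")   # OPT1 in the thread
NB_NET = ipaddress.ip_network("192.168.20.0/24")   # OPT2 in the thread


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: Net
    dst: Net
    proto: str = ANY              # "tcp", "udp", "icmp" or ANY
    dport: Union[int, str] = ANY  # destination port or ANY


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _net_match(field: Net, addr_text: str) -> bool:
    if field == ANY:
        return True
    # ipaddress returns False (not an error) when the families differ,
    # so an IPv4-only network never matches an IPv6 address.
    return ipaddress.ip_address(addr_text) in field


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.proto in (ANY, pkt.proto)
            and rule.dport in (ANY, pkt.dport))


def evaluate(rules, pkt: Packet):
    """First matching rule wins (OPNsense interface rules are 'quick' by default).
    If no rule matches, the interface's implicit default deny applies."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "block", None


# Rules as the original poster described them (destination = "WAN net"):
poster_rules = [
    Rule("pass", NA_NET, WAN_NET, "tcp", 80),
    Rule("pass", NA_NET, WAN_NET, "tcp", 443),
    Rule("block", NA_NET, ANY),
]

# Rules as the reply suggests (block NB first, then allow web to any):
fixed_rules = [
    Rule("block", NA_NET, NB_NET),
    Rule("pass", NA_NET, ANY, "tcp", 80),
    Rule("pass", NA_NET, ANY, "tcp", 443),
]

if __name__ == "__main__":
    samples = {
        "HTTPS to Internet host":    Packet("192.168.10.5", "1.1.1.1", "tcp", 443),
        "HTTPS to host on WAN subnet": Packet("192.168.10.5", "203.0.113.9", "tcp", 443),
        "HTTPS to NB host":          Packet("192.168.10.5", "192.168.20.7", "tcp", 443),
        "DNS to Internet host":      Packet("192.168.10.5", "1.1.1.1", "udp", 53),
        "IPv6 HTTPS to Internet":    Packet("2001:db8:10::5", "2606:4700:4700::1111", "tcp", 443),
    }
    for name, pkt in samples.items():
        print(f"{name:30s} poster={evaluate(poster_rules, pkt)}  fixed={evaluate(fixed_rules, pkt)}")
```

With the poster's rules, an HTTPS packet to 1.1.1.1 never matches the two pass rules (1.1.1.1 is not inside the WAN subnet) and falls through to the block rule; the only destinations those pass rules would ever allow are other hosts on the WAN subnet itself. With the suggested rules the same packet passes and the NB packet is caught by the block rule placed above. Two things the evaluator also shows that are worth checking on a real box: a pass rule limited to TCP 80/443 leaves DNS (UDP 53) to the implicit default deny, so clients will need a separate pass rule for it, and rules whose source is an IPv4-only network or alias do nothing for IPv6 traffic.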
#62
Troubleshooting / Re: Opnsense content filtering
Last post by Home Network Guy - September 07, 2021, 09:47:17 AM
Thanks for reporting back! I haven't tried to mess with web proxies especially since it seems like it works best for unencrypted traffic which isn't helpful most of the time since most everything is encrypted. I use Sensei also and it works well especially after they fixed a lot of the netmap issues that caused problems early on (at least with my hardware). I like being able to look at my traffic aggregated and broken down as well as block certain traffic.
#63
Tech Discussions / Firewall rules - OPNsense Fire...
Last post by ejayb9 - September 05, 2021, 12:24:00 AM
I went through the cheat sheet, and I don't usually have trouble understanding how to set up rules, but for some reason, I'm struggling with creating HTTP and HTTPS pass rules.

I'm using the 4 port Protectli and have configured 2 networks, let's call them NA and NB, on separate ports (OPT1 and OPT2). No VLANs (I actually have another question about that, which I'll post in a new thread). I want to block all traffic out on NA so that it cannot access NB, but I do want NA to be able to access HTTP and HTTPS on the WAN. There are 2 machines on NA, and I have aliases for both of them.

Pass rule NA HTTP -> WAN network
Pass rule NA HTTPS -> WAN network
Block rule NA * * * (anything else).

It's not working. Does anyone know what I might be doing wrong?
#64
Troubleshooting / Re: Opnsense content filtering
Last post by ejayb9 - September 05, 2021, 12:12:23 AM
I wanted to reply to this in case anyone else tries to go down the route of content filtering and using a transparent proxy. It's basically useless. The reason, which I had to learn along the way, is that HTTPS cannot be decrypted in order for the content to be filtered. I even tried to create a DNS based trust certificate on AWS and Let's Encrypt, but the certs are not updated fast enough to handle requests. So, I went with Sensei. As much as I hate to have to pay for a service, it at least makes things a bit easier to manage and configure. So, in that sense (pun intended), it's worth it.
#65
Proposed Network Designs / Re: Half done - half hoped for...
Last post by JiveTalking - September 04, 2021, 04:50:26 PM
Thank you, I will try pinging.

I have not experimented because I'm working from an old Windows PC (highest comfort level) to set all of this up and log into control management consoles for now. I know Windows will change my settings on the fly if I ask it to connect to this or that, so I know better not to, but pinging should be safe.

Thank you for all the options and about your aliases article, very cool.
#66
Proposed Network Designs / Re: Learning Networking by Muc...
Last post by Home Network Guy - September 03, 2021, 10:19:21 PM
Thanks for providing your proposed network diagram. That helps me visualize what you are trying to do.

I notice that for each "segment" (network) you are creating, you are placing a router in front of it. While that can work to provide each network some access to the other networks you are plugged into, you don't have to use that approach. It complicates the access between the different networks. It may even require static routes on your routers so traffic can be routed properly between all the networks if you wish to access other devices.

A simpler approach would be to put your ISP modem/router into bridge mode, run a router such as OPNsense (which I write about often) and then create all your networks using your OPNsense router. Since everything is connected to one router, you can manage all the access/firewall rules from a single router (instead of having 3-4 routers). For wireless, you could connect one of your existing routers and put it in AP mode so you only use its wireless functionality (or you could buy dedicated wireless access points, which give you more freedom over where to place them).

If you want to try to make your network function with the hardware you have, you may end up having to use separate routers with separate networks since you don't have equipment to utilize VLANs or a single router like OPNsense. It may require setting up static routes, and I don't know if your routers provide many settings for establishing firewall rules to keep your networks separated and protected while also allowing specific access to various services you have hosted on your network.
#67
Other Random Things / Re: Newbie Q -How to use OPNs ...
Last post by Home Network Guy - September 03, 2021, 09:59:54 PM
You're welcome. I had mine turned off for a while so it doesn't spam the firewall logs. I have it on now and where possible, I tried to update many of my rules to use IPv4+IPv6 so the rule will apply to both protocols because I want essentially the same firewall restrictions for both protocols. It doesn't always work out perfectly because some of my aliases refer to IPv4 only networks or IP addresses so it wouldn't apply to IPv6. However the broader rules which use the predefined network interface addresses should work for both protocols since OPNsense knows both addresses on the interface/network.
#68
Proposed Network Designs / Re: Half done - half hoped for...
Last post by Home Network Guy - September 03, 2021, 09:55:26 PM
I wrote about firewall aliases so when you want to dive deeper, you could check it out.

As for testing if you can connect to your other devices to ensure everything is blocked, you could try pinging them from the console/command prompt. Type:

ping 192.168.1.50

Using the IP addresses of your machines (or hostnames). If they are on the same network or your firewall rules aren't blocking the device, you'll get a response back. So if you know the device is on the same network, getting a response is ok. If it's not on the same network, you shouldn't get one back.

If you have any services running on your systems like a web server, you could try accessing those as well to see if you can get a connection. It depends on what you have running on your network. If you can't access something that's on another network (like a printer, file sharing/sync server, Apple TV, Roku, Xbox, PlayStation, etc.), then your rules are blocking properly.

You can also check the live firewall logs to see if your rules are blocking any network traffic. That might be the easiest way but you have to be a little familiar and comfortable with the live firewall log. You can filter the log to just the one network or device you are trying to access so you don't get flooded with as many log entries. It's hard to see what's going on if you have a lot of network activity and you don't filter it.
#69
Proposed Network Designs / Re: Learning Networking by Muc...
Last post by codeangler - September 02, 2021, 04:54:36 PM
Note,  I'm a networking noob ....

1. I may misuse terms (access point vs modem vs wireless router vs ...)
2. I have been told by a coworker to look into "expanding my subnet", but I'm not sure what to read about first.
3. I'm willing to install a new OS on either the segment 2 or segment 3 modem/router/wifi tools if necessary
#70
Proposed Network Designs / Learning Networking by Mucking...
Last post by codeangler - September 02, 2021, 04:47:24 PM
Let's start with the end in mind.
Overview of what I'm trying to solve/answer/improve:

  • I want to be able to safely / securely host web apps on Ubuntu Server that's accessible from the public internet
  • intermediate step would be to just allow segment 1 to access to segment 2
  • I want to be able to contribute to an opensource blockchain consensus on an Ubuntu server
  • future segment 3 has a Kubernetes Pi cluster with control plane and applications web accessible

My first time making a networking diagram and this is my attempt.

This is both a current and future state. Questions below about what needs to be modified.

How did I get to this diagram?

1. Segment 1 was quick and simple.
   1.a. When I'm on the Segment 1 wifi broadcast, the Pi-Hole handles DNS.
2. Working from home, I found video calls sucked so I built Segment 2.
   2.a. Segment 2: I attempted to just use the AirStation as an Access Point (? may have misused the term) but couldn't figure out how to get it working, so I now just switch to a different broadcast network. I get the lower latency and it works fine.
   2.b. I deployed a Docker container on Segment 2 running Nginx web server ...
      2.b.1. I understand that I can only access localhost from the wifi connection on the AC1750 modem
      2.b.2. I don't understand, why -- when I'm on segment 1 -- can't I access the Nginx app via port address?