Welcome to the Home Network Guy forum!

Main Menu

Firewall rules - OPNsense Firewall Rule "Cheat Sheet"

Started by ejayb9, September 05, 2021, 12:24:00 AM

Previous topic - Next topic


I went through the cheat sheet, and I don't usually have trouble understanding how to set up rules, but for some reason, I'm struggling with creating HTTP and HTTP pass rules.

I'm using the 4 port Protectli and have configured 2 networks, let's call it NA and NB on separate ports (OPT1 and OPT2).  No VLANs (I actually have another question about that, which I'll post in a new thread). I want to block all traffic out on NA so that it cannot access NB, but I do want NA to be able to access HTTP and HTTPS on the WAN. There are 2 machines on NA, and I have aliases for both of them.

Pass rule NA HTTP -> WAN network
Pass rule NA HTTPS -> WAN network
Block rule NA * * * (anything else).

It's not working. Does anyone know what I might be doing wrong?

Home Network Guy

The problem is that the "WAN net" alias does not mean "allow access to the Internet". The Internet essentially consists of all non-private IP addresses (except for a few other specially reserved IP ranges). Your external WAN address is only on 1 network out of billions/trillions on the Internet. That's why when you create rules you essentially need a "allow all" rule near the bottom of your rules which basically is like "allow all other" as in allow all other traffic out to the Internet (and other internal networks if you do not have any blocks in place).

So on the NA interface, you could have something like:

Block NA net to NB net
Allow NA net to any HTTP/HTTPS