
OPNsense ignoring Firewall Rules and aliases and general quirks #58

Open
MrCybertux opened this issue May 17, 2024 · 1 comment

@MrCybertux

Hi,

Sorry to say, but the OPNsense we were setting up did not work as expected in any sense.
We wanted to set up a high availability setup for a customer which needs a VPN to connect to his payment providers.
We noticed the following problems:

On VPN you can't block access to the WebGUI; even with an explicit forbidden rule we could still get to the GUI.

Aliases seem to work 50% of the time; at some rules we had to use the IPs behind the aliases because otherwise the rules would not be active.

We tested the VPN setup and had 3 test users online, but OpenVPN only showed one connection from the user undefined.

So of three wanted functions (Routing, Firewalling and VPN gateway) only routing worked correctly. I would say this project is still in beta and not production ready.

@Welasco
Collaborator

Welasco commented May 18, 2024

@MrCybertux, let's see if I can address your questions here:

  1. On VPN you can't block access to the WebGUI; even with an explicit forbidden rule we could still get to the GUI.
    A: I need more information to understand what you have tried to do, but it's totally possible to block access to the OPNsense Admin GUI using a firewall rule. By default we create a rule allowing access from the WAN interface for people using it for labs. For a production environment I would remove this rule and set it up to only allow access from a possible management interface. You could create either a rule on each interface or a Floating rule to restrict the access.

  2. Aliases seem to work 50% of the time; at some rules we had to use the IPs behind the aliases because otherwise the rules would not be active.
    A: If you mean an alias using URLs, this is an OPNsense feature which tries to resolve all the IPs for a given FQDN, caches them, and dynamically uses the IPs found from a DNS query in the desired rule. If the DNS is failing to resolve you might have problems with it. Reference: https://docs.opnsense.org/manual/aliases.html

  3. We tested the VPN setup and had 3 test users online, but OpenVPN only showed one connection from the user undefined.
    A: If you are using the Active-Active option you might have to check both firewalls. I never saw this condition.

For the Active-Active scenario there are a bunch of limitations in OPNsense, where it only syncs the memory state table from the Active node to the Passive node; if a connection is initiated on the Passive server, the Active one will never be aware of it. It causes asymmetry in traffic. If you are considering OPNsense in a production environment with HA you should be using an Active/Passive solution and come up with a solution to auto-change the UDR in Azure in case of an outage in the Primary server.

For a production environment I would highly recommend the OPNsense official deployment option. Reference: https://docs.opnsense.org/manual/how-tos/installazure.html
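An added audit check for the first answer's advice (remove the default WAN-to-GUI rule before production); this is example code, not from this project or the OPNsense docs. It parses the `<filter>` section of an OPNsense `config.xml` and flags enabled pass rules that let a non-management interface reach the admin GUI ports. The XML layout, element names, GUI ports and the three sample rules are assumptions modelled on the OPNsense config format.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an OPNsense config.xml <filter> section
# (hypothetical rules, not an exported production config).
SAMPLE_CONFIG = """<opnsense><filter>
  <rule>
    <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any>1</any></source>
    <destination><any>1</any><port>443</port></destination>
    <descr>Lab: allow admin GUI from WAN</descr>
  </rule>
  <rule>
    <type>block</type><interface>openvpn</interface><protocol>tcp</protocol>
    <source><any>1</any></source>
    <destination><network>(self)</network><port>443</port></destination>
    <descr>Block GUI from VPN clients</descr>
  </rule>
  <rule>
    <type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><network>lan</network></source>
    <destination><network>(self)</network><port>443</port></destination>
    <descr>Allow GUI from management LAN</descr>
  </rule>
</filter></opnsense>"""

GUI_PORTS = {"80", "443"}  # assumed admin GUI listener ports

def _text(rule, path):
    node = rule.find(path)
    return (node.text or "").strip() if node is not None else ""

def find_exposed_gui_rules(config_xml, mgmt_interfaces=("lan",)):
    """List enabled pass rules that admit GUI ports to the firewall itself
    on any interface outside the trusted management set."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall("./filter/rule"):
        if rule.find("disabled") is not None or _text(rule, "type") != "pass":
            continue
        iface = _text(rule, "interface")
        port = _text(rule, "destination/port")
        # destination "any" or "(self)" both reach the firewall's own GUI
        hits_self = rule.find("destination/any") is not None or \
            _text(rule, "destination/network") == "(self)"
        if iface not in mgmt_interfaces and hits_self and port in GUI_PORTS | {""}:
            findings.append((iface, port or "any", _text(rule, "descr")))
    return findings
```

Run it against a real exported `config.xml` with the interface names of your own management network passed as `mgmt_interfaces`; an empty list is the expected state before go-live.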
