OPNSense Firewall Rules Explained

  • Published 27 Dec 2024

COMMENTS • 175

  • @HannesDi 3 years ago +70

    99% of the videos out there claim to get you started with OPNsense, but what I saw there was just bullshit about downloading and installing; sometimes they then showed the interface but stopped at the relevant parts.... "How to use the firewall". This is where your video is gold because it finally explains useful things!
    Thanks for this short but great explanatory video

  • @TimmyNET 2 years ago +10

    I forget about your channel. You can go watch someone else with a 5 minute video but you will spend 3 hrs filling the gaps left out. Your video instructions are clear and direct. Thank you.

  • @weazel1024 2 years ago +10

    Hands down the best video concerning OPNsense rules I have found until now. Thank you very much.

  • @SmalltimR 1 month ago +1

    There are so many superficial and useless Opnsense videos out there - this one is not the case!
    - thank-you for posting this, and taking the time to explain things properly

  • @Syrma79 1 year ago +2

    I rarely, if ever, comment on or like a video, but this is one of the best I have seen, and I'm only halfway through. Really easy to understand, explained well, and more importantly, it shows what the changes do. As others have said, other videos make assumptions about knowledge levels. Great work

  • @rent2ownnz 2 years ago +12

    This is by far the best working run-through on how the interfaces relate to one another, and I learnt some great tricks with moving the rules around as well. Great stuff. I was almost there, but since you easily explained how the data is matched in a top-down approach, it makes logical sense and I imagine it as if there was water pouring in from the top rule and the different rules filter the data out like different water filters take out the different minerals ... and then you are left with the pure water (DATA) that can freely flow into the system.
    This really helped me diagnose and also get both my NordVPN rules ordered correctly and my WireGuard up and running as well.... Just understanding that the LAN interface has the highest hierarchy in the system just below the WAN interface.... lets me look at the LAN interface rules first, then replicate them into each VLAN subnet that I had created for IoS, Guest, MainLan and VPN Test VLAN. I had all of the RFC1918 blocking sorted, but now have a solid understanding of where it needs to be in the rule list. Thank you so much for taking the time to explain this in an easy-to-understand and almost working-lab style! FANTASTIC JOB!

  • @SonicNinja6600 3 months ago +2

    Simple to understand and straight to the point. Thanks for the video.

  • @FunctionGermany 9 months ago +5

    I suggest merging the first "allow internet" and the second "block private ranges" rules together for simplicity.
    Instead of the two, you can make one "pass" rule where you choose "private ranges" as the destination and then INVERT the match.
    This way, the single pass rule allows traffic to all destinations except the private ranges - in other words only the internet.
    As a rule of thumb, avoid drop/reject rules when you can simply make stricter pass rules on top of the default "drop everything" rule.

  • @drdadventures8034 2 days ago

    Great job explaining everything, finally a helpful video on firewall rules.

  • @citizenatlrge 1 year ago +1

    The algorithm has done good work tonight! This is exactly what I was thinking of trying to search. No really, I hadn't even searched for this particular info yet, I'm still messing with unrelated things in OPN like monitoring and geoip, but here this is, right on time. Sometimes the algo scares me, but then things like this happen and I'm glad it works sometimes.

  • @Serenuss 9 months ago

    This is brilliant, thank you for this. Best opnsense video I've seen so far on firewall rules.

  • @klausagnoletti1027 3 years ago +1

    Great video. Been an OPNsense user for 5 yrs. But the penny finally dropped on a few of the firewall things after seeing your video. Thanks!

  • @MarcoSerralheiro 2 years ago

    I was going nuts because LAN didn't have access to the Internet no matter what I tried. Had no clue that "pfctl -d" would do much more than just enable remote access to the OPNsense interface.
    Thanks a lot!

  • @cohan88 7 months ago

    Saved this beginner hours. Thanks for this simple run-through, just brilliant.

  • @RFGSwiss 2 years ago

    This is the only useful OPNsense video I found. You picked exactly the right use cases. Thanks a lot!

  • @fu1r4 1 year ago

    19:00 I opened a WAN rule to allow remote connection to the OPNsense GUI, and I did it in "Firewall: Rules: WAN", and it is working perfectly.

  • @NotACrookNixon 1 year ago +1

    Excellent video - very clear demonstration and explanation.

  • @mate_starbuck 1 year ago

    You are a very good teacher, thanks for the upload!!!

  • @giovaninavarro 1 year ago +1

    Thanks a lot. You explained the rules very easily to me.

  • @DhruvinShah03 3 years ago +1

    Thanks for the video, I had GeoIP blocking going on and also had port forward as well. Still I was seeing some unwanted activity on the machine where I have port forwarded. Then I realized that I need a proper rule sequence.

  • @chuckcorvec3453 5 months ago

    This is simply awesome. I am just starting my journey with OPNsense. Very straightforward and precise explanation. I have a fair bit of experience with Fortigate and Watchguard. This is done differently and it takes a bit to wrap one's head around it. Amazing video. I do have one question. On your WAN rules for management you use the default ports 80 and 443. I would prefer mine to be something obscure. Is it just a matter of not using HTTPS as the port and using something like 52365?

  • @The0Kuki 3 months ago

    Why is "reject private ranges" a default rule on most firewalls? How do you do inter-VLAN routing then? Between servers and users, for example?

  • @rick5056 3 years ago +1

    Very good informative video about opnsense.

  • @greengo123jf 2 years ago +1

    Thanks so much for your very well explained tutorial. ❤

  • @jrm523 2 years ago +1

    Great overview. Thanks for taking the time to create this.

  • @crush_override 7 months ago

    Would blocking private IPs block my access to the OPNsense firewall itself if it is only accessible on my LAN1?

  • @neezy666 2 years ago

    Thanks for showing all the actually needed information - really helpful!

  • @vmerinom 1 year ago

    Great video, thank you! Regards from Chile.

  • @fabianaprilliano9152 1 year ago

    This tutorial is heaven, thank you for the tutorial.

  • @AntapTas 5 months ago

    Sorry guys, which option does the VM use for the network? Internal network?

  • @64242359 1 year ago

    Help! How do I delete/disable floating rules or default rules?
    [edit] Managed to remove the floating rule in config.xml, still no idea how to delete the default rules.

  • @AgrimGrover 2 months ago

    How do I limit the auto-generated rules in OPNsense? My firewall generates at least 16 Lan1, Lan2 rules, but as I see it you only have 4 auto-generated rules.

  • @unapologetic7900 2 years ago

    Question.... If all my "LAN" interfaces are members of a "Bridge", do I only need these "LAN" Rules applied to the Bridge Interface, not to each LAN Port individually?

  • @alvarorodelo6761 2 years ago

    How can I add rules to only allow Remote Desktop (port 3389) from the outside to my LAN, but only from certain external IPs or MAC addresses?

  • @JohnsPrime 1 month ago

    Anyone know how to make a rule for one local device to use a different gateway? (Say you create a VPN gateway, and you want to send one device out through that VPN)

  • @BrianThomas 2 years ago +1

    I noticed on the floating rule only TCP traffic for HTTP and HTTPS was chosen. Wouldn't this be TCP/UDP instead of just TCP?

  • @zinkzxd2891 1 year ago

    Thank you!! This is what I was looking for!

  • @mikeoreilly4020 3 years ago +2

    Thank you. Yet another very clear explanation of foundational firewall rules. I'm using pfSense. One question I have is: are you trying to isolate all the local networks, including LAN2, by blocking RFC_1918 addresses in LAN1 instead of blocking them in IOT and GUEST?

    • @GatewayITTutorials 3 years ago +1

      I usually isolate any network, including management, LAN, etc, and then allow access to other networks on "only if necessary" basis :)

    • @mikeoreilly4020 3 years ago +1

      @@GatewayITTutorials Got it, thanks.

  • @irfancpv3454 11 months ago

    How did you connect both Debian machines to the firewall?

  • @jproveta 3 years ago +1

    Hi, I'm trying to switch from pfSense to OPNsense, but every time I add a rule on the Firewall the order of the rules changes, everything is out of the order I previously put and recorded, any tips? Thanks

    • @GatewayITTutorials 3 years ago +1

      Hey, might be a bug in the version you are running.
      Would you mind sharing a short screencap of this issue in our Reddit community? It will be very interesting to look at.

    • @jproveta 3 years ago

      @@GatewayITTutorials OK, thanks

  • @PatrickBrodala 3 years ago +1

    Quite good introduction to OPN! Thank you!

  • @BartTech 3 years ago +2

    Superb video, thanks!

  • @DalyGutierrez 2 years ago

    Thanks for the video! Quick question about the "Reject Private Ranges" rule... It's clear that this blocks pinging/access to private IP addresses on OTHER LANs, but it does NOT block pinging/access to another device on the SAME LAN. Is that expected? Thanks!

    • @Chase07450 2 years ago

      This is a good question. Seems to me it WILL block traffic on the same LAN, if you don't provide a source IP range.

  • @sairfan06 2 years ago

    I want to schedule particular website access. Can I do it with OPNsense, or please advise if I need a different firewall? Thanks

  • @Kilzu1 3 years ago +2

    Nice guide. Just a tip for being more organized. In rule creation, Category is used to give a name to a category, which is then used as a category filter in the firewall rules window.
    If you don't care about the category but still want to log rule entries, then you can just give a description and it will be shown in the logs etc. as the description.
    If you don't type a description, then the default description "default allow rule" is used instead.
    Category can be left empty because it's just a filter.

    • @GatewayITTutorials 3 years ago +1

      Now that I am thinking about it, I may have left the impression that category is imperative to fill in :D
      But you are right, it isn't, it's just "a nice to have".

  • @aullusp 3 years ago +1

    Good afternoon, I'm having difficulty redirecting port 80 to 9081. My server is on the internal network at 10.0.0.131:80 and on external port 9081. I can't get this forwarding to work, could you help me? I changed the default console access port to 8086 and it still doesn't accept the rule.

    • @GatewayITTutorials 3 years ago +1

      You'll have to repeat that in English my dude, I know a couple of languages, but not that many)

  • @scottjmagee 3 years ago +2

    Great Video thank you. You mention always using Floating Rules instead of WAN rules as WAN rules are ignored, but this is not my experience, is this something that has been fixed now?

    • @GatewayITTutorials 3 years ago

      It might have been, in a recent release. But because I got used to Floating rules, I can't change my ways now)

  • @macster1457 3 years ago

    I have SafeSearch enforced on my network through my router, but it's easily bypassed using Firefox DoH. Can this firewall block users from bypassing router rules using DoH?

    • @GatewayITTutorials 3 years ago

      There is no point-and-click solution that will do this for you.
      DoH is DNS over HTTPS, so unless you have some serious DPI skills, you won't be able to block it on the protocol level.
      On the other hand, you could block some of the DoH providers, like:
      1.1.1.1, 9.9.9.9 and so on, with a firewall rule. Not an elegant solution, but it should work in most cases.

  • @normankraft3306 3 years ago +1

    Cool Video. Thx for the Tutorial.

  • @adomasbazinys2352 3 years ago +1

    Maybe you can provide instructions on how to set up an example network like yours in this video?:)

  • @alexgratia9028 3 years ago +1

    How did you come up with the IP addresses for the Content? You did not explain how, or why we need to have those IP addresses in there.

    • @GatewayITTutorials 3 years ago

      What IP addresses are you concerned about? I tried to make this video as IP-addressless (if it's even a word, lol) as possible.
      EDIT:
      Wait, do you mean why I added the Alias for private IP ranges? It is to block network access to any internal network you can think of (192.168.0.0/24 is not the only private IP range in the world of IT).
      Here is a Wiki page to extend your knowledge on this:
      en.wikipedia.org/wiki/Private_network

    • @alexgratia9028 3 years ago +4

      @@GatewayITTutorials Thank you for your reply........... I would not think that 192.168.0.0/24 is the only IP range in the world. What I am trying to get at is this: I am trying to follow your video to set up OPNsense on my firewall. You are not explaining in detail how you came up with the Content IP addresses. It appears that you are looking at some secondary notes and typing them into the Content field.
      Why do I need an IP address in the Content field? How do I, the viewer of your video who has never done this before, know what IP address I need to put in? You are not explaining what these sections are.
      I am by far not trying to say that I am not grateful for your videos, but looking at this video left me in the dark. I do get the Name field ("Aliases are named lists of networks, hosts or ports that can be used as one entity by selecting the alias name in the various supported sections of the firewall. These aliases are particularly useful to condense firewall rules and minimize changes").
      And I also get the Type "Networks" ("Networks are specified in Classless (if that is a word) Inter-Domain Routing format (CIDR). Use the correct CIDR mask for each entry. For instance, a /32 specifies a single IPv4 host, or /128 specifies a single IPv6 host, whereas /24 specifies 255.255.255.0 and /64 specifies a normal IPv6 network. Network type Aliases can contain exclusion hosts or networks. Exclusion addresses start with a "!" sign (e.g. !192.168.0.0/24) and can be used to exclude hosts or networks from the current Alias or Network Group Alias").
      Even the OPNsense documentation website does not touch on the Content section (docs.opnsense.org/manual/aliases.html). I was just hoping you would be able to explain that part. It could also be that I am overthinking that part of the instructions in your video. Thanks

    • @GatewayITTutorials 3 years ago +1

      You are overthinking it a bit :)
      As I said in my previous comment, this alias will allow you to block ANY unauthorised access to ANY internal network that may possibly exist (now or in the future).
      To allow access to the networks you need access to, add a "Pass" rule and specify a network or alias just above the "Reject PrivateRanges" rule.
      So you could just "blindly" copy the contents of the alias I showed in the video and it will work, I promise)

    • @alexgratia9028 3 years ago +1

      @@GatewayITTutorials Thank you......Just to let you know, I subscribed when I saw this video. You are the only one with a video explaining how to configure your OPNsense firewall.
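
The following is an added example, not code from the video, its author or the OPNsense project. It is a small first-match rule evaluator modelled on OPNsense interface rules, written to illustrate three points raised in the comments: the alias syntax quoted from the OPNsense docs above (CIDR entries, with a leading "!" marking an exclusion); @FunctionGermany's suggestion that "Reject PrivateRanges" followed by "Allow All" can be collapsed into one pass rule with an inverted destination match; and the reply to @macster1457 about blocking known DoH resolver addresses with a firewall rule. The alias contents (the three RFC 1918 blocks), the DoH resolver list and every sample packet are constructed here; the page does not list the video's actual alias entries.

```python
"""First-match rule evaluation in the style of OPNsense interface rules.

Added example; assumptions: alias contents, DoH list and sample packets are
all constructed here and are not taken from the video.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

Alias = tuple  # (list of included networks, list of excluded networks)


def parse_alias(entries) -> Alias:
    """Parse alias lines in OPNsense "Network(s)" style: CIDR entries, where a
    leading "!" excludes that network from the alias (e.g. "!192.168.1.0/24")."""
    include, exclude = [], []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("!"):
            exclude.append(ip_network(raw[1:], strict=False))
        else:
            include.append(ip_network(raw, strict=False))
    return include, exclude


def alias_matches(alias: Alias, addr: str) -> bool:
    """An address is in the alias if some included network contains it and no
    excluded network does."""
    include, exclude = alias
    a = ip_address(addr)
    if any(a in net for net in exclude):
        return False
    return any(a in net for net in include)


@dataclass
class Rule:
    action: str                        # "pass", "block" (silent) or "reject" (RST/ICMP)
    description: str
    dst_alias: Optional[Alias] = None  # None means destination "any"
    invert_dst: bool = False           # the "invert" checkbox on the destination
    proto: Optional[str] = None        # None means any protocol
    dst_ports: Optional[set] = None    # None means any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dst_ports is not None and pkt["dport"] not in self.dst_ports:
            return False
        if self.dst_alias is not None:
            hit = alias_matches(self.dst_alias, pkt["dst"])
            if hit == self.invert_dst:  # inverting the match flips the test
                return False
        return True


def evaluate(rules, pkt: dict):
    """Walk the list top-down; the first matching rule decides (OPNsense
    interface rules are "quick" by default). No match means the implicit
    default deny at the bottom of every interface."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.description
    return "block", "default deny"


def allowed(rules, pkt: dict) -> bool:
    return evaluate(rules, pkt)[0] == "pass"


def same_outcomes(rules_a, rules_b, packets) -> bool:
    """True when both rule sets let exactly the same packets through. "reject"
    and a silent "block" differ only in what the client is told, not in what
    gets through."""
    return [allowed(rules_a, p) for p in packets] == [allowed(rules_b, p) for p in packets]


# Constructed aliases (assumed contents).
PRIVATE_RANGES = parse_alias(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
DOH_RESOLVERS = parse_alias(["1.1.1.1/32", "9.9.9.9/32"])

# Two-rule form: reject private destinations, then allow everything else.
TWO_RULES = [
    Rule("reject", "Reject PrivateRanges", dst_alias=PRIVATE_RANGES),
    Rule("pass", "Allow All"),
]
# Single pass rule with the destination alias inverted.
ONE_RULE = [
    Rule("pass", "Allow Internet", dst_alias=PRIVATE_RANGES, invert_dst=True),
]
# Same, with a DoH resolver block in front. Note that blocking the resolver's
# IP also blocks plain DNS (udp/53) to that same address.
WITH_DOH_BLOCK = [Rule("block", "Block DoH resolvers", dst_alias=DOH_RESOLVERS)] + ONE_RULE

# Constructed sample packets as seen entering a LAN interface.
SAMPLE_PACKETS = [
    {"dst": "93.184.216.34", "proto": "tcp", "dport": 443},  # public web server
    {"dst": "192.168.2.10", "proto": "tcp", "dport": 22},    # host on another LAN
    {"dst": "10.0.0.131", "proto": "tcp", "dport": 80},      # internal web server
    {"dst": "172.31.5.5", "proto": "udp", "dport": 53},      # DNS on a third LAN
    {"dst": "1.1.1.1", "proto": "tcp", "dport": 443},        # DoH endpoint
    {"dst": "1.1.1.1", "proto": "udp", "dport": 53},         # plain DNS, same IP
]

if __name__ == "__main__":
    for name, rules in (("two rules", TWO_RULES), ("one rule", ONE_RULE),
                        ("with DoH block", WITH_DOH_BLOCK)):
        print(f"== {name}")
        for pkt in SAMPLE_PACKETS:
            action, desc = evaluate(rules, pkt)
            print(f"  {pkt['dst']:>15}:{pkt['dport']:<4} {pkt['proto']}  -> {action:<6} ({desc})")
    print("two-rule and one-rule sets agree:",
          same_outcomes(TWO_RULES, ONE_RULE, SAMPLE_PACKETS))
```

Running the script prints the verdict each rule set gives for every sample packet. The two-rule and one-rule sets let exactly the same traffic through; the only difference is that a "reject" rule answers the client while the implicit default deny is silent. The DoH block sits above the pass rule because placement decides everything under first-match evaluation, which is also why a "Pass" exception to private ranges has to go above the reject rule as the reply above says.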

  • @almighty2374 3 years ago +5

    Hi, I really recommend a video on DNS ad blocking, please upload one!

    • @GatewayITTutorials 3 years ago

      It's up on the schedule, it would be either AdGuard Home vs PiHole, or AdGuard Home with OPNsense.
      Let me know what you think is best :)

    • @Maple_Leaf42069 3 years ago

      @@GatewayITTutorials I'd be interested in an OPNsense plugin such as AdGuard. I would love to eliminate my PiHole from my network

  • @rockbaoboa9346 1 year ago

    Hello! Congratulations on the video. I would like to know how to generate a proxy and firewall report in OPNsense, something like Sarg or Lightsquid?

  • @b4ux1t3-tech 2 years ago +1

    "I can't think of any reason you'd need WAN rules" in the case that you're not using opnsense as an edge firewall, but rather as an internal firewall. ;)

  • @CSBABAA 3 years ago

    How can we enable Postfix? I have checked in Plugins, but the Postfix plugin is not appearing. What to do?

  • @MrBaltoaca 3 years ago

    Thanks for a very useful video!

  • @NiklasRoth-e9r 9 months ago

    Very well done, huge help, thanks a lot!

  • @ZephenHD 7 months ago

    Great video

  • @cappercapsen 3 years ago +2

    OPNsense vs pfSense?

  • @FHMchaxz 1 year ago

    Hi, do you have a tutorial on how to block the Facebook app on a phone using OPNsense? Thank you

  • @merlingt1 2 years ago +1

    Thank you!

  • @m.m.m.c.a.k.e 2 years ago +1

    Hey! Thank you for your hard work, friend. Top 3, open source firewalls, minimum 1 gigabit throughput, best configurability with ease of use?
    - Also top 3 hardware box which either “flashable” and or dual nic capable low power PC’s? Thank you, kindly. 😊

    • @GatewayITTutorials 2 years ago +1

      Top 3 OSS firewalls (as a bundle, order doesn't matter):
      - VyOS
      - pfSense/OPNSense
      - OpenWRT
      For the hardware to install them on, have a look at some of the STH videos/posts, like this one:
      www.servethehome.com/inexpensive-4x-2-5gbe-fanless-router-firewall-box-review-intel-j4125-i225-pfsense/

  • @ManojKumar-pt4mx 3 years ago +1

    Hi, how can we block MIME types in the OPNsense firewall?

    • @GatewayITTutorials 3 years ago

      Hey. OPNSense doesn't check the traffic headers by default, it's not what it was designed to do, and to be honest I hate firewall appliances that do that as a default that you can't turn off, it leads to a lot of problems down the road.
      But there is a way to enable such functionality on OPNSense through a security package Sensei: it has a free version and a paid version.
      Install it, scroll through options, and test it out for yourself. It can block certain mime types, adult websites, malware websites and so on.

  • @aoczon 3 years ago

    Can you also do a tutorial for multi-WAN load balancing and failover? Thanks

    • @GatewayITTutorials 3 years ago +1

      Thanks for the suggestion. I'll add it to my videos-to-do list :)

    • @aoczon 3 years ago

      @@GatewayITTutorials I think the latest version has some issues with multi-WAN.

  • @xwd3914 5 months ago

    Damn, this video is gold.

  • @Glatze603 2 years ago +1

    Your first rule (allow internet) is not what it looks like! Better would be WAN, TCP and HTTP/HTTPS only! Your rule allows traffic to the other LAN too. When you create rules, they should be named exactly what they are for.

    • @GatewayITTutorials 2 years ago +1

      TCP/HTTP is way too strict for a home setup, but naming it "Allow All" may be a better idea indeed. I was just used to the name WAN on my setups. Thanks for your suggestion.

  • @ManojKumar-pt4mx 3 years ago

    is possible that on not

  • @McMarius11 3 years ago +1

    Great video!!!

  • @Takigatita9739 3 years ago

    My dear friend, I have learned a lot from your videos. Is it possible that you make a video on configuring the Postfix email gateway and Rspamd in OPNsense, please? 1,000 thanks!

  • @نویدعزیزی-ه3ك 7 months ago

    Thanks

  • @CJRunnalls 3 years ago +3

    Please do a video on OPNsense firewalls for, for example, two Xbox Ones on the same network playing the same game. I followed Spaceinvader One's pfSense video ( ua-cam.com/video/whGPRC9rQYw/v-deo.html ) but I have OPNsense and still have problems playing the same game on different PCs on the same network, where one will connect and the other gets an error. I believe the error is something to do with port 3074.
    It's just the last bit of Spaceinvader One's video where he selects Pure NAT, and OPNsense either doesn't seem to support it or I can't find it. Please help 🙏

    • @GatewayITTutorials 3 years ago +2

      Hey there, this seems like a NAT issue.
      Please post it in our subreddit, I'll pick it up from there, because I can't make a video on this due to the fact that I don't own a gaming console.
