Allowing internet access only?



  • I have some machines set up on OPT1 and I want to allow them access to the internet only.  However, nothing I try seems to work.  If I set the destination to the WAN subnet, that doesn't work.  The only thing I've been able to get to work is allowing access to everything but the LAN subnet.

    What am I doing wrong?



  • The OPT1 rule should allow everything out. The inbound are being blocked by the default rule on the LAN.



  • What are the machines on OPT1 accessing that you don't want them to?



  • create a rule from opt1 to * but change the gateway from default to WAN1_gw



  • @podilarius:

    The OPT1 rule should allow everything out. The inbound are being blocked by the default rule on the LAN.

    Nope.  AFAIK, only LAN has the default rule that allows everything out.  All other interfaces have to be explicitly allowed.

    @gderf:

    What are the machines on OPT1 accessing that you don't want them to?

    I don't want them to have access to LAN or the other OPT interfaces, which they would if I set it to allow any.

    @heper:

    create a rule from opt1 to * but change the gateway from default to WAN1_gw

    Do what?  ???



  • Please post your rules for all interfaces. Once we see those we can perhaps tell you which ones to delete and which new ones to add.



  • If I understand correctly, you already have everything working except you don't want OPT1 to be able to access the other networks and only want the traffic to exit the WAN?

    If so, you should setup a negation rule for the destination.  Do the following (note that this is based on the 2.0 interface):

    1/ Create a new alias for the internal networks by going to Firewall->Aliases and create a new alias called "NotOPT1" and include the subnets for the other networks which are not the WAN.
    2/ Create a new rule for OPT1 outbound access by going to Firewall->Rules->OPT1 and create a new rule with the following:

    Action: Pass
    Interface: OPT1
    Source: any
    Destination: Make sure "not" is checked, select the type "single host or alias" and enter the alias "NotOPT1"
    Destination port range: any/any

    This rule will basically allow everyone connected on OPT1 network to access only through the WAN and no other interfaces connected.



  • @kmanango:

    If I understand correctly, you already have everything working except you don't want OPT1 to be able to access the other networks and only want the traffic to exit the WAN?

    If so, you should setup a negation rule for the destination.  Do the following (note that this is based on the 2.0 interface):

    1/ Create a new alias for the internal networks by going to Firewall->Aliases and create a new alias called "NotOPT1" and include the subnets for the other networks which are not the WAN.
    2/ Create a new rule for OPT1 outbound access by going to Firewall->Rules->OPT1 and create a new rule with the following:

    Action: Pass
    Interface: OPT1
    Source: any
    Destination: Make sure "not" is checked, select the type "single host or alias" and enter the alias "NotOPT1"
    Destination port range: any/any

    This rule will basically allow everyone connected on OPT1 network to access only through the WAN and no other interfaces connected.

    Couldn't you also create a rule,  Block, Source=OPT1, Destination=LAN, any Proto, any port? Just asking.
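As an added illustration (not code from the thread or from pfSense), the small model below evaluates the three rule sets discussed in the two posts above the way pfSense evaluates interface rules: top-down, first match wins, and anything unmatched hits the implicit default deny. The addresses, the "WAN subnet" value and the hosts are constructed assumptions. It shows why a pass rule to "WAN subnet" never matches internet destinations (that subnet is only the WAN interface's own local network), why the negated "NotOPT1" alias does what the original poster wants, and that a single "Block OPT1 -> LAN" followed by a pass-any leaves the other OPT networks reachable unless each of them is blocked too.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the internal networks and the WAN.
# None of these values come from the thread; they are assumptions.
LAN = ip_network("192.168.1.0/24")
OPT1 = ip_network("192.168.2.0/24")
OPT2 = ip_network("192.168.3.0/24")
WAN_SUBNET = ip_network("203.0.113.0/24")  # the WAN interface's own subnet, not "the internet"

# The "NotOPT1" alias from kmanango's post: every internal network except OPT1.
ALIASES = {"NotOPT1": [LAN, OPT2]}


def resolve(target):
    """Turn a rule's destination field (alias name or network) into a list of networks."""
    if isinstance(target, str):
        return ALIASES[target]
    return [target]


def dest_matches(rule, dst):
    """Match a destination against one rule, honouring the 'not' checkbox (dst_not)."""
    hit = rule["dst"] == "any" or any(dst in net for net in resolve(rule["dst"]))
    return hit != rule.get("dst_not", False)


def evaluate(rules, dst):
    """Rules on the OPT1 tab: source is implicitly OPT1, so only the destination is
    checked here. Top-down, first match wins; no match means the default block."""
    dst = ip_address(dst)
    for rule in rules:
        if dest_matches(rule, dst):
            return rule["action"]
    return "block"


# 1. The original poster's attempt: pass OPT1 -> "WAN subnet".
#    Internet destinations are not inside the WAN interface's subnet, so nothing matches.
RULES_WAN_SUBNET = [{"action": "pass", "dst": WAN_SUBNET}]

# 2. kmanango's rule: pass OPT1 -> NOT "NotOPT1".
RULES_NEGATION = [{"action": "pass", "dst": "NotOPT1", "dst_not": True}]

# 3. The alternative asked about in the follow-up: block OPT1 -> LAN, then pass anything.
#    Only LAN is blocked, so hosts on OPT2 remain reachable.
RULES_BLOCK_THEN_PASS = [
    {"action": "block", "dst": LAN},
    {"action": "pass", "dst": "any"},
]

INTERNET = "198.51.100.10"   # constructed public address
LAN_HOST = "192.168.1.10"    # constructed host on LAN
OPT2_HOST = "192.168.3.10"   # constructed host on OPT2

if __name__ == "__main__":
    for name, rules in [("pass to WAN subnet", RULES_WAN_SUBNET),
                        ("pass to !NotOPT1", RULES_NEGATION),
                        ("block LAN, pass any", RULES_BLOCK_THEN_PASS)]:
        verdicts = {d: evaluate(rules, d) for d in (INTERNET, LAN_HOST, OPT2_HOST)}
        print(f"{name}: {verdicts}")
```

Running it prints a verdict table per rule set; the negation set is the only one that passes the internet host while blocking both LAN and OPT2, which is why the alias approach scales better than stacking individual block rules as more OPT interfaces are added.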



  • @gderf:

    Please post your rules for all interfaces. Once we see those we can perhaps tell you which ones to delete and which new ones to add.

    I have just the default rules in place.  The only one I've added is a PASS from OPT1 to !LAN.  What I want is to have something more along the lines of PASS from OPT1 to WAN, but that doesn't seem to work.



  • @kmanango:

    If I understand correctly, you already have everything working except you don't want OPT1 to be able to access the other networks and only want the traffic to exit the WAN?

    If so, you should setup a negation rule for the destination.  Do the following (note that this is based on the 2.0 interface):

    1/ Create a new alias for the internal networks by going to Firewall->Aliases and create a new alias called "NotOPT1" and include the subnets for the other networks which are not the WAN.
    2/ Create a new rule for OPT1 outbound access by going to Firewall->Rules->OPT1 and create a new rule with the following:

    Action: Pass
    Interface: OPT1
    Source: any
    Destination: Make sure "not" is checked, select the type "single host or alias" and enter the alias "NotOPT1"
    Destination port range: any/any

    This rule will basically allow everyone connected on OPT1 network to access only through the WAN and no other interfaces connected.

    Interesting.  I'll take a look.