Netgate Discussion Forum
    Allowing internet access only?

    Firewalling
      Bai Shen:

      I have some machines set up on OPT1 and I want to allow them access to the internet only.  However, nothing I try seems to work.  If I set the destination to the WAN subnet, that doesn't work.  The only thing I've been able to get to work is allowing access to everything but the LAN subnet.

      What am I doing wrong?

        podilarius:

        The OPT1 rule should allow everything out. Inbound connections are being blocked by the default rule on the LAN.

          gderf:

          What are the machines on OPT1 accessing that you don't want them to?

            heper:

            create a rule from opt1 to * but change the gateway from default to WAN1_gw

              Bai Shen:

              @podilarius:

              The OPT1 rule should allow everything out. Inbound connections are being blocked by the default rule on the LAN.

              Nope.  AFAIK, only LAN has the default rule that allows everything out.  All other interfaces have to be explicitly allowed.

              @gderf:

              What are the machines on OPT1 accessing that you don't want them to?

              I don't want them to have access to LAN or the other OPT interfaces, which they would if I set it to allow any.

              @heper:

              create a rule from opt1 to * but change the gateway from default to WAN1_gw

              Do what?  ???

                gderf:

                Please post your rules for all interfaces. Once we see those we can perhaps tell you which ones to delete and which new ones to add.

                  kmanango:

                  If I understand correctly, you already have everything working except you don't want OPT1 to be able to access the other networks and only want the traffic to exit the WAN?

                  If so, you should set up a negation rule for the destination.  Do the following (note that this is based on the 2.0 interface):

                  1/ Create a new alias for the internal networks by going to Firewall->Aliases and creating a new alias called "NotOPT1" that includes the subnets for the other networks (i.e. everything that is not the WAN).
                  2/ Create a new rule for OPT1 outbound access by going to Firewall->Rules->OPT1 and creating a new rule with the following:

                  Action: Pass
                  Interface: OPT1
                  Source: any
                  Destination: Make sure "not" is checked, select the type "single host or alias" and enter the alias "NotOPT1"
                  Destination port range: any/any

                  This rule will basically allow everyone connected to the OPT1 network to reach only the WAN and none of the other connected interfaces.

                    Highroller:

                    @kmanango:

                    If I understand correctly, you already have everything working except you don't want OPT1 to be able to access the other networks and only want the traffic to exit the WAN?

                    [...]

                    Couldn't you also create a rule,  Block, Source=OPT1, Destination=LAN, any Proto, any port? Just asking.

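To make the difference between these approaches concrete, here is an added Python model (not code from the thread and not pfSense's own code) of pfSense's per-interface, first-match rule evaluation applied to the four rulesets discussed above: the original poster's "destination = WAN subnet" attempt, the "pass to !LAN" workaround, kmanango's negated "NotOPT1" alias, and Highroller's block-LAN-then-pass-any variant. The subnet values, the alias membership and the target hosts are constructed assumptions for illustration.

```python
"""First-match model of per-interface pfSense rules for an OPT1 "internet only" policy.

Added example, not code from the thread or from pfSense. Subnets, alias contents
and target hosts below are constructed for illustration (assumptions).
"""
from ipaddress import ip_address, ip_network

# Constructed lab addressing (assumption). "WAN net" is the subnet configured on
# the WAN interface itself, not "the internet" -- which is why a pass rule with
# destination "WAN net" never matches traffic to an arbitrary internet host.
NETS = {
    "WAN net": ip_network("203.0.113.0/24"),
    "LAN net": ip_network("192.168.1.0/24"),
    "OPT1 net": ip_network("192.168.2.0/24"),
    "OPT2 net": ip_network("192.168.3.0/24"),
}

# kmanango's step 1: an alias holding every other internal subnet (everything
# that is not the WAN). Alias name and membership are assumptions.
ALIASES = {"NotOPT1": [NETS["LAN net"], NETS["OPT2 net"]]}

# Each rule is (action, destination, negate). destination is "any", an interface
# net name or an alias name; negate models the "not" checkbox on the destination.
RULESETS = {
    "pass dest WAN net (original attempt)": [("pass", "WAN net", False)],
    "pass dest !LAN net (OP's workaround)": [("pass", "LAN net", True)],
    "pass dest !NotOPT1 (kmanango)": [("pass", "NotOPT1", True)],
    "block dest LAN net, then pass any (Highroller)": [
        ("block", "LAN net", False),
        ("pass", "any", False),
    ],
}

# Constructed destinations a host on OPT1 might try to reach.
TARGETS = {
    "internet host": "198.51.100.7",
    "LAN host": "192.168.1.10",
    "OPT2 host": "192.168.3.10",
    "WAN gateway": "203.0.113.1",
}


def rule_matches(rule, dst):
    """Does this rule's destination (with optional negation) match dst?"""
    _action, dest, negate = rule
    if dest == "any":
        hit = True
    else:
        nets = ALIASES.get(dest) or [NETS[dest]]
        hit = any(dst in net for net in nets)
    return hit != negate


def decide(rules, dst_ip):
    """Interface rules are evaluated top-down, first match wins; no match = default deny."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule_matches(rule, dst):
            return rule[0]
    return "block"


def policy_matrix():
    """Verdict for every (ruleset, target) pair."""
    return {
        name: {label: decide(rules, ip) for label, ip in TARGETS.items()}
        for name, rules in RULESETS.items()
    }


def rulesets_leaking_to_other_segments():
    """Rulesets that still let OPT1 reach another internal segment (here OPT2)."""
    return sorted(name for name, verdicts in policy_matrix().items()
                  if verdicts["OPT2 host"] == "pass")


if __name__ == "__main__":
    for name, verdicts in policy_matrix().items():
        print(name)
        for label, verdict in verdicts.items():
            print(f"    {label:14s} -> {verdict}")
    print("leak to OPT2:", rulesets_leaking_to_other_segments())
```

Running it shows why the first attempt fails (only the WAN gateway is reachable, because "WAN subnet" is the /24 on the WAN interface, not the internet) and that both "!LAN" and the block-LAN-then-pass-any variant still let OPT1 reach OPT2; only the negated alias covering every other internal subnet gives the intended "internet only" result. The model ignores protocols, ports and floating rules, and note that a negated-alias pass still lets OPT1 hosts reach the firewall's own interface addresses (for DNS, for example); add those to the alias or a narrower pass rule if that is not wanted.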
                      Bai Shen:

                      @gderf:

                      Please post your rules for all interfaces. Once we see those we can perhaps tell you which ones to delete and which new ones to add.

                      I have just the default rules in place.  The only one I've added is a PASS from OPT1 to !LAN.  What I want is to have something more along the lines of PASS from OPT1 to WAN, but that doesn't seem to work.

                        Bai Shen:

                        @kmanango:

                        If so, you should set up a negation rule for the destination.  Do the following (note that this is based on the 2.0 interface):

                        [...]

                        Interesting.  I'll take a look.
