How to Configure OPNsense Firewall Rules?

OPNsense is an open-source, HardenedBSD-based firewall and routing platform that is easy to use and easy to build. It is becoming widespread, especially in home networks and small businesses, because it is secure, reliable, simple to use, and managed through an intuitive web user interface, which makes it one of the best open-source firewalls.

In addition to its effective L4 packet filtering and routing features, OPNsense also provides next-generation firewall capabilities such as web control and application control.

Sensei (ZENARMOR), one of the best OPNsense plugins, shines with its powerful packet inspection engine and enterprise-grade network security features that extend the capabilities of the OPNsense firewall. Together, OPNsense and the Sensei (ZENARMOR) plugin are an ideal network security solution for both small business and home networks, since they provide features such as application control, web content filtering, intrusion prevention, and cloud-delivered threat intelligence.

In this article, we briefly cover the basics of packet filtering configuration on the OPNsense firewall and explain, with simple examples for new OPNsense users, how packet filtering firewall rules are configured.

note

After configuring packet filtering on the OPNsense firewall, we strongly recommend installing and configuring the Sensei (ZENARMOR) plugin. You can then start to enjoy the next-generation firewall capabilities by configuring Sensei (ZENARMOR) policies.

How does OPNsense Firewall Work?

The basic terms of the OPNsense firewall and how it works are described briefly below.

Rules

OPNsense includes a stateful packet filter that can be used to deny or allow network packets from and/or to specific networks, as well as influence how a packet is forwarded.

OPNsense firewall rules are the policies that apply to your network, organized by interface.

Some components and basics of a firewall rule are explained below.

Actions

Rules can be assigned to one of three types of actions:

Pass: Allow traffic

Block: Deny traffic without informing the client that it has been dropped (usually recommended for untrusted networks)

Reject: Deny traffic and notify the client. (Only TCP and UDP support rejecting packets, which results in an RST in the case of TCP and an ICMP UNREACHABLE in the case of UDP.)

info

When access is denied on internal networks, it may be more practical to use reject so that the client does not have to wait for a time-out.

If a packet is received from an untrusted network, it is not recommended to communicate back when the traffic is not permitted.

Allow All Rule

After installing the OPNsense firewall and configuring its LAN/WAN interfaces, it automatically creates a web administration anti-lockout rule and an allow-all rule for IPv4 and IPv6. These rules prevent you from locking yourself out of the OPNsense web UI and give the LAN unrestricted Internet access. When a device is plugged directly into the router (or into a switch connected to the router), it can reach the Internet and the network behind the OPNsense.

If the allow-all rule is deleted or disabled, all traffic to the Internet and to other local networks behind the firewall is blocked, except access to the OPNsense web administration interface.

Although the anti-lockout rule is a practical solution for a home network, where there is generally no threat from the internal network, it is not advisable for organization networks, because it allows any device to access the management interfaces of the OPNsense firewall, such as the SSH console and the web GUI. In a company network this rule opens serious IT security gaps and may lead to critical data leakage. Therefore it should be disabled and a separate allow rule should be defined for firewall management. In the next section, we will create a rule that allows firewall administrators to access their firewall as an example.

To see the default rules on OPNsense Firewall Web UI,

  1. Navigate to Firewall -> Rules -> LAN.
  2. Click the drop-down icon on the "Automatically generated rules" line at the top of the rule list.

Figure 1. Default Anti-lockout and allow LAN to any rules on OPNsense firewall

How Does OPNsense Process the Rules?

Firewall rules are evaluated in order, beginning with the Floating rules section, then all rules belonging to interface groups, and finally all interface rules.

Internal (automatic) rules are usually registered first.

Figure 2. OPNsense firewall rule process order

Rules can be set to quick or not, with quick being the default. When a rule is set to quick, it is handled on a "first match" basis: the first rule that matches the packet takes precedence over the rules that follow it in sequence.

When quick is not set, the last match wins. This is useful for rules that define the expected default behavior; for example, the OPNsense default deny rule makes use of this property (if no rule applies, drop the traffic).

Because firewall rules are processed from the top to the bottom of the rule list, the order of the rules matters. When a packet matches a quick rule (the default), whether it is an allow, block, or reject rule, no subsequent rules are processed: the first match wins and all following rules are ignored.

When defining firewall rules, it is a good idea to put the most specific rules at the top of the list and the most general rules at the bottom. For example, all devices in a LAN are generally allowed to surf the Internet, so the first rule may allow LAN devices access to the HTTP(S) service ports on the Internet.

More specific network traffic is allowed or denied first, while traffic that does not match any of the specific rules is handled by the last rule. The last rule may be either a deny-all or an allow-all rule, which blocks or allows all other unspecified traffic.

Direction

Traffic can be matched in either the in[coming] or out[going] direction; the OPNsense default is to filter in the in[coming] direction. In that case, you configure the policy on the interface where the traffic originates.

Figure 3. OPNsense firewall rule direction

For instance, if you want to allow HTTPS traffic from any host on the internet, you would typically configure a policy on the WAN interface that allows port 443 to the host in question.

Settings

Descriptive settings aid in the identification of rules while having no effect on traffic flow. Using descriptive names makes it easier to identify traffic in the live log view.

Setting | Description
--- | ---
Category | The category this rule belongs to; it can be used as a filter in the overview
Description | Descriptive text

The following are the most commonly used Basic settings:

Setting | Description
--- | ---
Action | The action to perform: allow (pass), block, or reject
Disabled | Disabling a rule without removing it is useful for testing and makes it easier to enable less frequently used policies
Interface | The interface(s) this rule applies to. A rule can easily be copied between interfaces and changed to the new target interface
TCP/IP Version | Whether the rule applies to IPv4, IPv6, or both
Protocol | TCP and UDP are the most commonly used protocols
Source | Source network or address. When combining IPv4 and IPv6 in a single rule, you can use aliases that contain both address families as the source network or address
Source / Invert | Invert the source selection (for example, not 172.16.0.0/24)
Destination | Destination network or address. As with the source, you can use aliases here as well
Destination / Invert | Mark this checkbox when the destination filter should be inverted
Destination port range | Select a TCP and/or UDP service by name (HTTP, HTTPS) or by number (range). Aliases can be used here as well to simplify management
Log | Make a log entry when this rule applies. Use Firewall > Log Files > Live View to monitor whether your rule applies

Aliases

Aliases are especially helpful for condensing firewall rules and minimizing changes.

Aliases are named lists of hosts, networks, or ports. By selecting the alias name, multiple networks, hosts, or ports can be used as a single entity in the firewall configuration.

On OPNsense firewall, there are predefined aliases such as SSH, HTTP, HTTPS, LAN net, LAN interface, etc.

Using predefined aliases is not only practical; aliases also make firewall rules easier to understand. The benefits of aliases on the OPNsense firewall are as follows:

  • Rules that are easier to read, understand, and maintain can be written.
  • Because a single alias contains multiple items, the overall number of rules you need to write is reduced. An effective alias definition helps consolidate multiple rules into a single rule.
  • The fewer the firewall rules, the higher the firewall performance.

In summary, the use of aliases is critical for reducing complexity and the number of rules that must be created.

To add, modify or remove an alias on the OPNsense firewall, navigate to the Firewall -> Aliases on web GUI.

You don't need to go to the Aliases pages to view the alias content in a rule. When viewing a firewall rule for an interface, hovering the mouse over the alias will display a tooltip. The contents of the alias, as well as the description, will be displayed in the tooltip.

Alias Types

The following alias types are available in OPNsense:

Type | Description
--- | ---
Hosts | Single hosts by IP or fully qualified domain name, or host exclusions (starting with the "!" sign)
Networks | Entire network, e.g. 192.168.1.1/24, or network exclusion, e.g. !192.168.1.0/24
Ports | Port numbers or a port range like 20:30
MAC addresses | MAC address or partial MAC addresses like f4:90:ea
URL (IPs) | A table of IP addresses that is fetched once
URL Tables (IPs) | A table of IP addresses that is fetched at regular intervals
GeoIP | Select countries or whole regions
Network group | Combine different network-type aliases into one
External (advanced) | Externally managed alias; OPNsense only handles the placeholder, and the content is set from another source (plugin, API call, etc.)

Hosts

Hosts can be specified as a single IP address, a range (separated by a minus sign, for example 10.0.0.1-10.0.0.10), or a fully qualified domain name. Hosts-type aliases can also be used for host exclusion: to exclude hosts from a Network Group alias, define a host entry that begins with the "!" sign (e.g. !172.16.0.1).

In a host alias, you can enter multiple values of any combination of IP addresses, hostnames, and FQDNs separated by commas, such as:

youtube.com, 172.168.1.1, 192.168.10.1, web_server.

Valid host alias examples are listed below:

IPv4 address: 172.16.1.10 or !172.16.1.10 (IPv6 addresses are allowed too)

IP address range: 172.16.1.10-172.16.1.15

Local hostname (no domain name): dbserver or !dbserver

Fully qualified domain name (FQDN): youtube.com or !youtube.com

Networks

Network aliases are specified in Classless Inter-Domain Routing (CIDR) notation.

A /32 specifies a single IPv4 host, a /128 specifies a single IPv6 host, a /24 specifies 255.255.255.0, and a /64 specifies a standard IPv6 network.

Exclusion hosts or networks can be included in network-type aliases. Exclusion addresses begin with a "!" sign (for example, !172.16.0.0/24) and are used to exclude hosts or networks from the current alias or Network Group alias.

Aside from CIDR notation, a wildcard mask can be used to match host or network ranges.

tip

To match all routers ending at .1 in the 172.16.X.1 networks, use a wildcard definition like 172.16.0.1/0.0.255.0

Ports

Ports can be specified as a single number or as a range of numbers separated by a colon (:).

For example, to add a range of 20 to 25, enter 20:25 in the Port(s) section.

You may enter a number between 0 and 65,535.

You can enter multiple ports as well as port ranges, such as:

21, 8000:8080

MAC addresses

MAC addresses or partial MAC addresses can be specified in MAC address aliases. For example, to match all addresses from Deciso, you can define an alias for F4:90:EA.

URL tables

URL tables can be used to retrieve an IP address list from a remote server. There are several free IP lists available, the most notable of which are Spamhaus' "Don't Route Or Peer" lists.

GeoIP

With GeoIP alias, you can block or allow one or more countries or entire continents. Toggle the all checkbox to select all countries within the specified region.

To use GeoIP, you must configure a source in the Firewall -> Aliases -> GeoIP settings tab; the most commonly used source is MaxMind. To obtain the GeoIP address ranges required to fully configure the GeoIP alias, you must sign up for MaxMind's GeoIP service.

Network Group

A Network Group alias combines multiple network-type aliases into one. It also accepts host-type aliases (networks, hosts, etc.). Although nesting is possible with other alias types, this type only displays valid aliases to simplify administration. A Networks-type alias can do the same thing with a different presentation. The main advantage of a Network Group alias is that it prevents you from grouping incompatible aliases together.

External

The contents of external alias types are not managed by the OPNsense standard alias service. They are very useful for pushing new entries from external programs, for example specific lockout features or external tools that feed access control to your firewall.

In Firewall -> Diagnostics -> pfTables, you can always inspect the current contents of an external alias and immediately add or remove entries.

tip

Because OPNsense will not touch external alias types, you can use pfctl directly in scripts to manage their contents (for example, pfctl -t MyAlias -T add 10.0.0.3 adds 10.0.0.3 to MyAlias).

Nesting Aliases

Aliases can be nested inside aliases for all alias types. This is useful if you want to group several aliases together.

For example, if you have aliases for "webserver" and "emailserver," you could create a third alias called "dmzservers" that includes both "webserver" and "emailserver". This allows you to use the "webserver" and "emailserver" aliases in their own specific firewall rules while also having broader firewall rules that apply to both servers.
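An offline model of the alias syntax described in this section (Hosts with ranges and "!" exclusions, Networks in CIDR or wildcard-mask form, Ports with colon ranges, and nested aliases), added here as an example and not OPNsense's own code. The alias table, the RESOLVER map that stands in for hostname resolution, and all addresses are constructed.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Pred = Callable[[IPAddr], bool]

# Constructed alias table in the shape of Firewall -> Aliases: name -> (type, content).
# OPNsense's alias service resolves hostnames/FQDNs itself; this offline model
# stands in for that with the small constructed RESOLVER map below.
ALIASES: Dict[str, Tuple[str, str]] = {
    "HR_PCs":      ("host",         "10.10.10.11-10.10.10.20, !10.10.10.15, dbserver"),
    "dmz_net":     ("network",      "172.17.1.0/24, !172.17.1.20/32"),
    "all_routers": ("network",      "172.16.0.1/0.0.255.0"),   # wildcard mask from the tip
    "dmzservers":  ("networkgroup", "HR_PCs, dmz_net"),        # nested aliases
    "web_ports":   ("port",         "21, 8000:8080"),
    "app_ports":   ("port",         "3306, web_ports"),        # nested port alias
}
RESOLVER = {"dbserver": "10.10.20.5"}   # constructed hostname -> address mapping


def _entries(content: str) -> List[str]:
    """Split comma-separated alias content into trimmed, non-empty entries."""
    return [e.strip() for e in content.split(",") if e.strip()]


def _parse_address_entry(entry: str) -> Tuple[bool, Pred]:
    """Turn one Hosts/Networks entry into (is_exclusion, predicate)."""
    excluded = entry.startswith("!")
    target = entry[1:].strip() if excluded else entry
    if target in RESOLVER:                                   # hostname or FQDN
        target = RESOLVER[target]
    if "/" in target and "." in target.rsplit("/", 1)[1]:    # dotted wildcard mask
        base, mask = target.split("/", 1)
        base_i = int(ipaddress.IPv4Address(base))
        wild = int(ipaddress.IPv4Address(mask))              # set bits are "don't care"
        return excluded, lambda a: a.version == 4 and (int(a) & ~wild) == (base_i & ~wild)
    try:
        net = ipaddress.ip_network(target, strict=False)     # CIDR or single address
        return excluded, lambda a: a.version == net.version and a in net
    except ValueError:
        pass
    lo_s, _, hi_s = target.partition("-")                    # range 10.0.0.1-10.0.0.10
    try:
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
    except ValueError:
        raise ValueError(f"cannot interpret alias entry {entry!r}") from None
    return excluded, lambda a: a.version == lo.version and lo <= a <= hi


def _collect(name: str, path: Tuple[str, ...] = ()) -> Tuple[List[Pred], List[Pred]]:
    """Flatten an alias, following nested aliases, into include and exclude predicates."""
    if name in path:
        raise ValueError("alias nesting loop: " + " -> ".join(path + (name,)))
    includes: List[Pred] = []
    excludes: List[Pred] = []
    for entry in _entries(ALIASES[name][1]):
        if entry in ALIASES:                                 # nested alias
            inc, exc = _collect(entry, path + (name,))
            includes += inc
            excludes += exc
            continue
        excluded, pred = _parse_address_entry(entry)
        (excludes if excluded else includes).append(pred)
    return includes, excludes


def address_in_alias(name: str, addr: str) -> bool:
    """True when some include entry matches and no "!" exclusion entry matches."""
    a = ipaddress.ip_address(addr)
    includes, excludes = _collect(name)
    return any(p(a) for p in includes) and not any(p(a) for p in excludes)


def port_in_alias(name: str, port: int, path: Tuple[str, ...] = ()) -> bool:
    """Ports alias: single numbers, colon ranges such as 20:25, and nested port aliases."""
    if name in path:
        raise ValueError("alias nesting loop: " + " -> ".join(path + (name,)))
    for entry in _entries(ALIASES[name][1]):
        if entry in ALIASES:
            if port_in_alias(entry, port, path + (name,)):
                return True
            continue
        lo_s, _, hi_s = entry.partition(":")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port entry {entry!r} is outside 0-65535")
        if lo <= port <= hi:
            return True
    return False
```

The exclusion inside HR_PCs still applies when HR_PCs is nested in dmzservers, which is how the page describes "!" entries excluding hosts from a Network Group alias.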

How to Configure Firewall Rules in OPNsense?

In this section, we go over the fundamentals of OPNsense firewall configuration and walk you through configuring a firewall rule step by step. To configure your OPNsense firewall, you may perform the following tasks:

  • Define an alias
  • Create a firewall rule
  • Select a firewall rule
  • Move a firewall rule
  • Delete a firewall rule
  • Enable/Disable a firewall rule
  • Edit a firewall rule
  • Clone a firewall rule
  • Enable/Disable logging for a firewall rule

1. The Use of Aliases in pf Firewall Rules

Aliases can be used in firewall rules to make it easier to manage large lists. For example, we may require a list of remote IP addresses that should have access to specific services; if anything changes, we simply update the list.

info

In the OPNsense web UI, a rule that uses an alias is identified by the list icon.

Let's make a simple alias that allows three remote IP addresses to connect to an IPsec server for a site-to-site VPN tunnel. The alias name will be remote_ipsec, and it will be used to define and update the related firewall rule.

  • 172.16.1.1
  • 172.16.2.2
  • 172.16.3.3

To create an alias on OPNsense firewall Web GUI, follow the next steps given below:

  1. Navigate to the Firewall -> Aliases page. You will notice that there are four pre-defined aliases in the list by default.

  2. Click the "+" button at the bottom right of the pane.

  3. Enter the Name of the alias.

  4. Select Host(s) in the Type dropdown menu.

  5. Enter the IP addresses, separated by commas, in the Content field.

  6. Type a Description that will help you understand the purpose or details of the alias.

Figure 4. Defining an alias on OPNsense firewall

  7. Click Save. The new alias is now on the list.

  8. Click the Apply button to apply the changes so that the alias can be used in firewall rules.

Figure 5. Aliases list on OPNsense firewall

2. Creating a Firewall Rule

You can easily create a packet filtering firewall rule on OPNsense by following the steps given below.

  1. Navigate to Firewall -> Rules in the OPNsense web GUI.
  2. Select the interface on which you want to define a rule, such as WAN, LAN, VLAN10, or WireGuard. This lists the existing firewall rules on the selected interface.

Figure 6. WAN interface firewall rules on OPNsense

  3. Click the orange square with the + icon at the top right corner of the rule list. This takes you to the rule configuration page.
  4. For the Action option, select Pass to allow a connection, or Block or Reject to deny it.
  5. Set the Source either by entering a single host/network or by selecting one of the existing aliases.
  6. Specify the source port or port range. Usually it is left as any (the default).

Figure 7. Creating a firewall rule on OPNsense-1

  7. Set the Destination either by entering a single host/network or by selecting one of the existing aliases.
  8. Specify the destination port or port range.
  9. You may enable logging.
  10. You may enter or select a category to group firewall rules.
  11. You should also enter a description for the rule, which is useful for rule maintenance.
  12. You may leave the other fields at their defaults or set them as you wish.
  13. Click the Save button to save the rule. This takes you back to the interface rule list.

Figure 8. Creating a firewall rule on OPNsense-2 (allows the admin IP to establish an SSH connection to the firewall)

  14. Click the Apply button to apply the changes and activate the newly created rule.

Figure 9. Applying the changes and activating the newly created rule

3. Selecting Firewall Rules

To perform a task such as enabling, disabling, deleting, or moving on some of the firewall rules of an interface, select them by clicking the checkbox in the first column of the rule list. You can also select all rules by clicking the checkbox in the header bar of the list.

Figure 10. Selecting firewall rules on OPNsense firewall

4. Moving a Firewall Rule

To block or allow network traffic, you may need to reorder the firewall rules on the list.

To move some of the rules to the end of the list,

  1. Select the rules that you want to move to the bottom of the list.
  2. Click the left arrow icon on the header bar of the list.
  3. Click on the Apply Changes button to activate the new rule order setting.

Figure 11. Moving selected rule to the bottom of the rule list

To move some of the rules before a specific rule,

  1. Select the rules that you want to move.
  2. Click the left arrow icon on the rule before which you want to place the selected rules.
  3. Click on the Apply Changes button to activate the new rule order setting.

For example, to move the last rule to the top in the figure below, select the last rule and then click the left arrow icon of the first rule.

Figure 12. Moving selected rule(s) to a specific position in the rule list

5. Deleting Firewall Rules

You may delete firewall rules either by selecting the rules you wish to remove and clicking the trash icon on the header bar of the rule list, or by clicking the trash icon at the end of the related rule. Lastly, click the Apply Changes button to activate the new rule settings.

Figure 13. Deleting multiple firewall rules

Figure 14. Deleting a specific firewall rule

6. Enabling Firewall Rules

To enable some of the disabled firewall rules, select the rules you wish to enable and click the square box with a check icon on the header bar of the rule list.

Figure 15. Enabling multiple firewall rules

To enable a specific firewall rule, click the solid grey action icon at the beginning of the related rule.

Figure 16. Enabling a specific firewall rule

Lastly, click the Apply Changes button to activate the new rule settings.

7. Disabling Firewall Rules

To disable some of the enabled firewall rules, select the rules you wish to disable and click the empty square box icon on the header bar of the rule list.

Figure 17. Disabling multiple firewall rules

To disable a specific firewall rule, click the green or red action icon at the beginning of the related rule.

Figure 18. Disabling a specific firewall rule

Lastly, click the Apply Changes button to activate the new rule settings.

8. Enabling/Disabling Logging for a Firewall Rule

To enable logging for a firewall rule, click the solid grey circle with the "i" icon on the rule. The icon turns from grey to blue. Then click the Apply Changes button to enable logging for the rule.

Figure 19. Enabling logging for a firewall rule

To disable logging for a firewall rule, click the blue circle with the "i" icon on the rule. The icon turns from blue to grey. Then click the Apply Changes button to disable logging for the rule.

Figure 20. Disabling logging for a firewall rule

9. Editing Firewall Rules

To edit a firewall rule, click the pencil icon in the actions column of the rule you wish to edit. This takes you to the firewall rule editing page. After changing the rule settings, click the Save button at the bottom of the page.

Lastly, click the Apply Changes button to activate the new rule settings.

Figure 21. Editing a firewall rule

10. Cloning a Firewall Rule

Sometimes you may need to define very similar firewall rules that differ in only a few options, such as the destination or the interface. In such cases, cloning a rule is a very useful feature of OPNsense.

To clone a firewall rule, click the clone icon (two cascaded squares). This takes you to the firewall rule editing page. After changing the rule settings, click the Save button at the bottom of the page. Your new rule is now created.

Lastly, click the Apply Changes button to activate the new rule on the firewall.

Figure 22. Cloning a firewall rule

OPNsense Firewall Rules Examples

Some common firewall rule examples that might be useful for home users and small businesses to get their firewalls ready are given below.

1. Allowing Only Specific DNS Servers

One of the firewall rules you should define to prevent cyber threats is to block your LAN devices from accessing any DNS servers except your own DNS servers or specific external DNS servers that offer content filtering/blocking. These rules keep clients from going rogue and circumventing the filtering/blocking policies you have put in place for your LAN or home network.

To restrict the DNS service in your network and increase cybersecurity, follow the next two main steps:

  1. Define a rule to allow the internal DNS server(s), following the instructions below.

Option | Value
--- | ---
Action | Pass
Protocol | TCP/UDP
Source | any
Source Port | any
Destination | LAN address
Destination Port | DNS (53)
Description | Allow internal DNS

  • Select Pass for the allow rule.
  • Select TCP/UDP for the Protocol.
  • Select any for the source address and source port. This captures all traffic on the LAN interface bound for the specified destination.
  • Choose the LAN address of OPNsense as the destination address, or enter the IP address of your own DNS server on the LAN.
  • Select the predefined DNS port alias for the destination port.

Figure 23. Allow Internal DNS firewall rule

Because the DNS service is advertised on each interface's IP address, the LAN address is used as the destination. The interface IP address is also used as the gateway address for devices on that network. When you look at the DHCP information for each device, you will notice that the LAN address serves as both the gateway and the DNS server.

Depending on your network configuration, the DNS IP address may differ from the gateway IP address. However, for this example, it is assumed that we're using the DNS server configuration in OPNsense.

  2. Define the rule to deny the external DNS server(s), following the instructions below.

Option | Value
--- | ---
Action | Block
Protocol | TCP/UDP
Source | any
Source Port | any
Destination | any
Destination Port | DNS (53)
Description | Block external DNS

  • Select Block for the deny rule.
  • Select TCP/UDP for the Protocol.
  • Set the source address and port to any, so that the rule matches every device on the LAN network.
  • The destination must be any for this block rule, since we want to block attempts to use any other DNS server.
  • Choose DNS as the destination port.

Figure 24. Block external DNS server rule

Recall that, because of the rule processing order, any attempt to contact the DNS server specified in the allow rule above succeeds, and rule processing for that request stops there. However, if a device attempts to reach an external DNS server, it does not match the allow rule and reaches the block rule, which prohibits that access.

The first rule permits access to your local DNS server, while the second rule blocks access to all other DNS servers, whether local or remote. You may need to move these rules to the top of your rule list. Don't forget to click the Apply Changes button to activate the newly created DNS rules.

Figure 25. Internal and external DNS firewall rules on the list
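The evaluation order from "How Does OPNsense Process the Rules?" and the DNS rule pair above, modelled in one added example that is not OPNsense's own code: a small pf-style evaluator with quick and non-quick rules, run over a constructed LAN rule set. The LAN address 192.168.1.1, the LAN network 192.168.1.0/24, the external resolver 198.51.100.53 and the client addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                 # "pass", "block" or "reject"
    proto: str = "any"          # "tcp", "udp", "tcp/udp" or "any"
    src: str = "any"            # address or CIDR, or "any"
    dst: str = "any"
    dport: str = "any"          # "53", "8000:8080" or "any"
    quick: bool = True          # OPNsense default: first match wins
    descr: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or pkt.proto in rule.proto.split("/"))
            and _addr_ok(rule.src, pkt.src)
            and _addr_ok(rule.dst, pkt.dst)
            and _port_ok(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the list top to bottom: a matching quick rule wins immediately; otherwise the
    last matching non-quick rule wins; with no match at all the implicit default deny applies."""
    last: Optional[Rule] = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.quick:
            return rule.action, rule.descr
        last = rule
    if last is None:
        return "block", "implicit default deny"
    return last.action, last.descr


LAN_ADDR, LAN_NET = "192.168.1.1", "192.168.1.0/24"   # assumed values

# Constructed LAN rule set in the order the DNS example recommends. The non-quick
# block at the top models the default deny: it only decides when no quick rule matched.
LAN_RULES = [
    Rule("block", quick=False, descr="default deny (non-quick)"),
    Rule("pass", "tcp/udp", "any", LAN_ADDR, "53", descr="Allow internal DNS"),
    Rule("block", "tcp/udp", "any", "any", "53", descr="Block external DNS"),
    Rule("pass", "any", LAN_NET, "any", "any", descr="Default allow LAN to any"),
]


def decide(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    return evaluate(rules, Packet(proto, src, dst, dport))


if __name__ == "__main__":
    client = "192.168.1.50"
    print(decide(LAN_RULES, "udp", client, LAN_ADDR, 53))          # pass: Allow internal DNS
    print(decide(LAN_RULES, "udp", client, "198.51.100.53", 53))   # block: Block external DNS
    print(decide(LAN_RULES, "tcp", client, "203.0.113.10", 443))   # pass: Default allow LAN to any
    # Without the allow-all rule, the non-quick default deny decides the HTTPS packet.
    print(decide(LAN_RULES[:3], "tcp", client, "203.0.113.10", 443))
    # Swapping the two DNS rules shows why the allow rule must sit above the block rule.
    swapped = [LAN_RULES[0], LAN_RULES[2], LAN_RULES[1], LAN_RULES[3]]
    print(decide(swapped, "udp", client, LAN_ADDR, 53))            # block: internal DNS lost
```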

2. Allowing Local Services between Different Network Segments (VLANs)

As a rule of thumb, you should isolate critical servers from client devices by implementing network segmentation in your infrastructure. The OPNsense firewall lets you build internal zones that separate functional areas, minimizing the attack surface and preventing threats from propagating beyond a zone.

For example, human resources (HR) database servers should only be accessible by HR department staff computers in a company network. To define the required OPNsense firewall rules, you may follow the next steps given below.

Option | Value
--- | ---
Action | Pass
Protocol | TCP
Source | HR_PCs
Source Port | any
Destination | HR_DBserver
Destination Port | MySQL
Description | Allow access to HR Database Server

  • Define a Hosts alias, such as HR_PCs, for the HR client devices (such as 10.10.10.11-10.10.10.20).

Figure 26. Defining an alias for Human Resources PCs

  • Define a Hosts alias, such as HR_DBserver, for the HR Database Server (such as 172.16.10.20).

Figure 27. Defining an alias for Human Resources Database Server

  • Define a Ports alias, such as MySQL, for the HR Database Server's MySQL service (the default MySQL port).

Figure 28. Defining an alias for MySQL default service port(3306/TCP)

  • Navigate to Firewall -> Rules and select the interface on which the HR client devices reside, such as LAN. Then allow access to port 3306:
  • Select Pass for the allow rule.
  • Set HR_PCs as the source.
  • Set TCP as the Protocol.
  • Set HR_DBserver as the destination.
  • Set MySQL as the destination port range.

Figure 29. Defining HR Database server access rule

This rule provides network access from your HR staff PCs to the HR Database server. There should be either a deny-all rule at the end of the list or another deny rule to prevent other devices' access to the HR DB server. Don't forget to apply the changes to activate the rules.

Figure 30. HR Database server access rule

It is recommended to create a DMZ network that grants external sources restricted access to publicly available information while protecting the internal networks from outside attacks. As a second example, we will allow internal clients to access the web server located in the DMZ network.

Option | Value
--- | ---
Action | Pass
Protocol | TCP
Source | LAN net
Source Port | any
Destination | Web_server
Destination Port | HTTPS
Description | Allow access to Web Server

  • Define a Hosts alias, such as Web_server, for the web server located in the DMZ (such as 172.17.1.20).

Figure 31. Defining an alias for a Web Server on the DMZ network

  • Navigate to the LAN interface. Then allow access to HTTPS port 443:
  • Select Pass for the allow rule.
  • Set LAN net as the source.
  • Set Web_server as the destination.
  • Set HTTPS as the destination port.

Figure 32. Defining DMZ Web Server access rule

Figure 33. Allow DMZ Web Server access rule

4. Block Access to Other VLANs

It is advised to block any unnecessary service access between internal networks (VLANs). By default, traffic between different VLANs is not allowed unless there is an allow-all rule at the bottom of the firewall rule list.

However, home users may generally want an allow-all rule that permits all traffic not specifically forbidden. Therefore, they should define a specific rule to block connections between the VLANs in their home networks. Otherwise, any device on a network can communicate with any device on the other VLANs, which means that all advantages of network segmentation are lost.

To define the required OPNsense firewall rule, you may follow the next steps given below.

  • Create an alias, such as Private_IP_Ranges, for all private IP address ranges by navigating to Firewall -> Aliases.

Figure 34. Defining an alias for Private IP ranges

Option | Value
--- | ---
Action | Block
Protocol | any
Source | LAN net
Source Port | any
Destination | Private_IP_Ranges
Destination Port | any
Description | Block access to all other private networks

  • Select Block for the deny rule.
  • Set the source to the LAN network (any device on it) and the source port to any.
  • The destination must be Private_IP_Ranges for this block rule, since we want to block attempts to reach any other internal network.
  • Choose any for the destination port.

Figure 35. Deny accessing other internal networks

5. Allowing All Traffic

At the bottom of the OPNsense firewall rule list there is an implicit deny-all rule by default. Therefore, firewall administrators define a rule for each required service to allow access. However, identifying the ports of all services and defining the rules properly can be cumbersome, especially for home users. Though it is not advisable for company networks, home users may prefer to define the block rules at the beginning of the rule list and then allow all remaining traffic, since they may not have enough technical knowledge or time to troubleshoot blocked connections when their kids or spouses use their smart devices, game consoles, or laptops.

Figure 36. Allow all rules

6. Allowing unrestricted access for the administrator

In case of an IT service outage, the administrator should be able to reach any device from his/her PC, or from a server that he/she can physically access, for quick troubleshooting. Therefore, it is a suitable approach to define a rule which allows unrestricted access for the administrator at the top of the rule list, before the block rules.

To define the required OPNsense firewall rule, follow the steps given below.

  • Create an alias, such as admins, for all administrator devices/servers by navigating to Firewall -> Aliases.

Figure 37. Defining an alias for admin devices

| Option | Value |
| --- | --- |
| Action | Pass |
| Interface | VLAN10 |
| Protocol | any |
| Source | admins |
| Source Port | any |
| Destination | any |
| Destination Port | any |
| Description | Allow admin devices access to anywhere without any restriction |

  • Navigate to the interface on which the admin devices reside, such as VLAN10, under Firewall Rules. Then we need to allow access to anywhere.
  • Select Pass for the allow rule.
  • Select admins as the source.
  • Select any as the source port, the destination, and the destination port range.

Figure 38. Allow admin devices access without any restriction

7. Blocking All Devices in LAN from accessing a malicious IP on the Internet

Sometimes you may notice a cyber threat that comes from a malicious IP address on the Internet, such as a phishing server. To block all clients and servers in your internal network from reaching that harmful IP address, you may define a specific block rule at the top of the rule list, before the allow rules. You may also put all suspicious IPs you have detected in a Hosts alias, such as Harmful_IPs.

  • Create an alias, such as Harmful_IPs, for the malicious hosts/servers by navigating to Firewall -> Aliases.
  • Navigate to the LAN interface under Firewall Rules.
  • Select Block for the deny rule.
  • Select any as the source.
  • Select any as the source port.
  • Select Harmful_IPs as the destination.
  • Select any as the destination port range.

| Option | Value |
| --- | --- |
| Action | Block |
| Interface | LAN |
| Protocol | any |
| Source | LAN net |
| Source Port | any |
| Destination | Harmful_IPs |
| Destination Port | any |
| Description | Block access to the harmful hosts/servers on the Internet |

Figure 39. Defining a rule to Deny access to the harmful IPs on the Internet

8. Allowing ICMP messages for troubleshooting

If you use a deny-all rule at the end of the firewall rule list, none of the devices can ping anything in other networks. However, for troubleshooting or monitoring purposes you may need to allow ICMP messages for a specific PC or server. To accomplish this, you may define the following allow rule together with an alias, such as Monitoring_Servers.

| Option | Value |
| --- | --- |
| Action | Pass |
| Interface | LAN |
| Protocol | ICMP |
| ICMP type | any |
| Source | Monitoring_Servers |
| Source Port | any |
| Destination | any |
| Description | Allow ICMP echo request messages |

  • Create an alias, such as Monitoring_Servers, for the monitoring servers by navigating to Firewall -> Aliases.
  • Navigate to the interface on which the monitoring servers reside under Firewall Rules.
  • Select Pass for the allow rule.
  • Select Monitoring_Servers as the source.
  • Select ICMP as the protocol.
  • Select any as the ICMP type.
  • Select any as the destination.
  • Select any as the destination port range.

Figure 40. Allowing Monitoring servers for ICMP access

9. Allowing WireGuard/OpenVPN VPN Server access from the Internet

You may have a WireGuard or OpenVPN VPN server for reaching the internal home/company network remotely; in that case, the VPN server must be reachable from the Internet. To allow access to the WireGuard/OpenVPN VPN service, you should define a firewall rule, and you may define an alias for the VPN service port, such as vpn_port.

info

OpenVPN server listen port is 1194 UDP by default.

WireGuard VPN server listen port is 51820 UDP by default.

| Option | Value |
| --- | --- |
| Action | Pass |
| Interface | WAN |
| Protocol | UDP |
| Source | any |
| Source Port | any |
| Destination | WAN address |
| Destination Port | vpn_port |
| Description | Allow remote access to OpenVPN/WireGuard VPN |

  • Create an alias, such as vpn_port, for the VPN service port by navigating to Firewall -> Aliases.
  • Navigate to the WAN interface under Firewall Rules.
  • Select Pass for the allow rule.
  • Select UDP as the protocol.
  • Select any as the source.
  • Select any as the source port.
  • Select WAN address as the destination.
  • Select vpn_port as the destination port range.

Figure 41. Defining firewall rule for VPN access

Figure 42. OpenVPN and WireGuard VPN server access rule
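The ordering that sections 4 to 9 rely on (the admin pass rule first, the block rules next, the home-user allow-all last, and the implicit deny at the very end) can be checked with a small first-match evaluator. The following Python model is an added example, not OPNsense's own code or the pf ruleset it generates; it assumes first-match semantics (OPNsense rules are "quick" by default), places the admin devices on LAN instead of VLAN10 for simplicity, and uses constructed alias contents and documentation-range addresses. The `Rule`, `matches`, `evaluate` and `pkt` names are also the example's own.

```python
"""Added example: first-match evaluation of the rules described in the text.

Illustrative model only (not OPNsense or pf code). Rules are checked top to
bottom, the first matching rule decides, and an implicit deny applies when
nothing matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Alias contents are constructed sample values for this example.
ALIASES = {
    "any": ["0.0.0.0/0"],
    "LAN net": ["192.168.1.0/24"],
    "WAN address": ["198.51.100.7/32"],      # RFC 5737 documentation range
    "Private_IP_Ranges": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "admins": ["192.168.1.10/32"],
    "Monitoring_Servers": ["192.168.1.20/32"],
    "Harmful_IPs": ["203.0.113.45/32"],      # documentation range, constructed
}
PORT_ALIASES = {"vpn_port": {1194, 51820}}  # OpenVPN and WireGuard defaults


@dataclass
class Rule:
    action: str       # "pass" or "block"
    interface: str    # "LAN" or "WAN"
    protocol: str     # "any", "tcp", "udp" or "icmp"
    source: str       # alias name
    destination: str  # alias name
    dst_port: str     # "any", a port alias name, or a port number as text
    description: str


def _in_alias(addr, alias):
    return any(ip_address(addr) in ip_network(net) for net in ALIASES[alias])


def matches(rule, pkt):
    """True if the packet (a dict) matches every field of the rule."""
    if rule.interface != pkt["interface"]:
        return False
    if rule.protocol != "any" and rule.protocol != pkt["proto"]:
        return False
    if not _in_alias(pkt["src"], rule.source):
        return False
    if not _in_alias(pkt["dst"], rule.destination):
        return False
    if rule.dst_port != "any":
        ports = (PORT_ALIASES[rule.dst_port] if rule.dst_port in PORT_ALIASES
                 else {int(rule.dst_port)})
        if pkt.get("dport") not in ports:
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, description) of the first matching rule, or the
    implicit default deny when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "implicit default deny"


# The rules from the sections above, in the recommended order: admin pass
# first, block rules next, the home-user "Allow all" at the bottom of LAN.
RULES = [
    Rule("pass", "LAN", "any", "admins", "any", "any",
         "Allow admin devices access to anywhere without any restriction"),
    Rule("block", "LAN", "any", "LAN net", "Harmful_IPs", "any",
         "Block access to the harmful hosts/servers on the Internet"),
    Rule("pass", "LAN", "icmp", "Monitoring_Servers", "any", "any",
         "Allow ICMP echo request messages"),
    Rule("block", "LAN", "any", "LAN net", "Private_IP_Ranges", "any",
         "Block access to all other private networks"),
    Rule("pass", "LAN", "any", "LAN net", "any", "any", "Allow all"),
    Rule("pass", "WAN", "udp", "any", "WAN address", "vpn_port",
         "Allow remote access to OpenVPN/WireGuard VPN"),
]


def pkt(interface, proto, src, dst, dport=None):
    """Build a minimal packet description for evaluate()."""
    return {"interface": interface, "proto": proto, "src": src,
            "dst": dst, "dport": dport}


if __name__ == "__main__":
    samples = [
        pkt("LAN", "tcp", "192.168.1.10", "192.168.2.5", 22),   # admin -> other VLAN
        pkt("LAN", "tcp", "192.168.1.50", "192.168.2.5", 22),   # host -> other VLAN
        pkt("LAN", "tcp", "192.168.1.50", "192.0.2.80", 443),   # host -> Internet
        pkt("LAN", "tcp", "192.168.1.50", "203.0.113.45", 80),  # host -> Harmful_IPs
        pkt("LAN", "icmp", "192.168.1.20", "192.168.2.5"),      # monitoring ping
        pkt("WAN", "udp", "192.0.2.9", "198.51.100.7", 51820),  # WireGuard client
        pkt("WAN", "udp", "192.0.2.9", "198.51.100.7", 53),     # anything else
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
```

Run it as a script to print the decision for each sample packet. Moving the "Allow all" rule above the block rules makes the block for other private networks unreachable, which is exactly the loss of segmentation section 4 warns about; comparing `evaluate` results before and after such a reorder is a cheap way to sanity-check a rule list before applying it on the firewall.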

10. Allowing a Web Server access from the Internet

You may have a web server on your home/company network that should be publicly reachable from the Internet. To allow access to the web service, you should first define a NAT port forwarding rule by navigating to the Firewall > NAT > Port Forward page, and then define a packet filtering firewall rule (or let the port forward create the associated filter rule for you).

| Option | Value |
| --- | --- |
| Action | Pass |
| Interface | WAN |
| Protocol | TCP |
| Source | any |
| Source Port | any |
| Destination | WAN address |
| Destination Port | HTTPS |
| Redirect target IP | 172.16.10.10 |
| Redirect target port | HTTPS |
| Description | Allow Internet access to the web server |
| Filter rule association | Add associated filter rule (or Pass) |

  • Navigate to the WAN interface under Firewall Rules.
  • Select Pass for the allow rule.
  • Select TCP as the protocol.
  • Select any as the source.
  • Select any as the source port.
  • Select WAN address as the destination.
  • Enter the Redirect target IP.
  • Enter the Redirect target port.