dmauser / opnazure

This template allows you to deploy an OPNsense Firewall Azure VM using the opnsense-bootstrap installation method
MIT License

Opnsense ignoring Firewall Rules and aliases and general quirks #58

Open MrCybertux opened 4 months ago

MrCybertux commented 4 months ago

Hi,

Sorry to say, but the OPNsense we were setting up did not work as expected in any sense. We wanted to set up a high availability setup for a customer which needs a VPN to connect to his payment providers. We noticed the following problems:

On VPN you can't block access to the WebGUI; even with an explicit forbidding rule we could still get to the GUI.

Aliases seem to work 50% of the time; for some rules we had to use the IPs behind the aliases because otherwise the rules would not be active.

We tested the VPN setup and had 3 test users online, but OpenVPN only showed one connection, from the user "undefined".

So of the three wanted functions (routing, firewalling and VPN gateway) only routing worked correctly. I would say this project is still in beta and not production ready.

Welasco commented 4 months ago

@MrCybertux, Let's see if I can address your questions here:

  1. On VPN you can't block access to the WebGUI; even with an explicit forbidding rule we could still get to the GUI. A: I need more information to understand what you have tried to do, but it's totally possible to block access to the OPNsense Admin GUI using a firewall rule. By default we create a rule allowing access from the WAN interface for people using it for labs. For a production environment I would remove this rule and set it up to only allow access from a possible management interface. You could create either a rule on each interface or a Floating rule to restrict the access.

  2. Aliases seem to work 50% of the time; for some rules we had to use the IPs behind the aliases because otherwise the rules would not be active. A: If you mean aliases using URLs, this is an OPNsense feature which tries to resolve all the IPs for a given FQDN, caches them and dynamically uses the IPs found from a DNS query in the desired rule. If the DNS is failing to resolve you might have problems with it. Reference: https://docs.opnsense.org/manual/aliases.html

  3. We tested the VPN setup and had 3 test users online, but OpenVPN only showed one connection, from the user "undefined". A: If you are using the Active-Active option you might have to check both firewalls. I never saw this condition.

For the Active-Active scenario there are a bunch of limitations in OPNsense: it only syncs the memory state table from the Active node to the Passive node, so if a connection is initiated on the Passive server the Active one will never be aware of it. It causes asymmetry in traffic. If you are considering OPNsense in a production environment with HA you should be using an Active/Passive solution and come up with a solution to automatically change the UDR in Azure in case of an outage in the primary server.

For a production environment I would highly recommend the OPNsense official deployment option. Reference: https://docs.opnsense.org/manual/how-tos/installazure.html
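The first answer above says the template ships a lab rule allowing WAN access to the admin GUI and that a production deployment should remove it. The script below is an added example (not code from dmauser/opnazure or OPNsense) that audits an OPNsense `config.xml` backup for `pass` rules that can reach the GUI port from an interface you do not trust. It assumes the usual config layout (`system/webgui/port`, and `filter/rule` elements with `type`, `interface`, `floating`, `destination/any|network|port`); the sample XML is constructed for the example, and `trusted_ifaces` is a parameter you set to your management interface.

```python
"""Audit an OPNsense config.xml for firewall rules exposing the admin GUI.

Added example, not part of the opnazure project. Assumed config.xml layout:
  /opnsense/system/webgui/port            GUI TCP port (defaults to 443)
  /opnsense/filter/rule                   one element per firewall rule, with
      <type>, <interface>, <floating>, <disabled>, <descr> and
      <destination><any>|<network>|<address>, <port></destination>
Interface rules are first-match, so a later block rule on the same interface
does not undo an earlier pass rule; this audit only looks at pass rules.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the lab-style "allow WAN to GUI" rule, a block rule on
# the OpenVPN interface, and a legitimate LAN management rule.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system><webgui><protocol>https</protocol><port>443</port></webgui></system>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any>1</any></source>
      <destination><any>1</any><port>443</port></destination>
      <descr>Allow WAN to GUI (lab)</descr>
    </rule>
    <rule>
      <type>block</type><interface>openvpn</interface><protocol>tcp</protocol>
      <source><any>1</any></source>
      <destination><network>(self)</network><port>443</port></destination>
      <descr>Block VPN users from GUI</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><network>lan</network></source>
      <destination><network>(self)</network><port>443</port></destination>
      <descr>LAN to GUI</descr>
    </rule>
  </filter>
</opnsense>
"""


def _text(elem, path, default=""):
    """Stripped text of a child element, or default when absent/empty."""
    node = elem.find(path) if elem is not None else None
    return node.text.strip() if node is not None and node.text else default


def port_matches(spec, port):
    """OPNsense port field: '' (any), '443', '1-65535', or an alias name.

    Returns True/False when decidable, None for an alias we cannot resolve offline.
    """
    spec = spec.strip()
    if not spec:
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        if lo.isdigit() and hi.isdigit():
            return int(lo) <= port <= int(hi)
        return None
    if spec.isdigit():
        return int(spec) == port
    return None


def find_gui_exposures(xml_text, trusted_ifaces=("lan",)):
    """Enabled pass rules whose destination covers the firewall's GUI port on
    an interface outside trusted_ifaces. Each finding is a dict."""
    root = ET.fromstring(xml_text)
    gui_port = int(_text(root, "system/webgui/port", "443"))
    findings = []
    for rule in root.iterfind("filter/rule"):
        if _text(rule, "type") != "pass" or rule.find("disabled") is not None:
            continue
        dest = rule.find("destination")
        dest_net = _text(dest, "network")
        # Destination reaches the GUI if it is 'any', the firewall itself, or
        # an interface address such as 'wanip'.
        if not (dest is not None and dest.find("any") is not None
                or dest_net == "(self)" or dest_net.endswith("ip")):
            continue
        match = port_matches(_text(dest, "port"), gui_port)
        if match is False:
            continue
        # Floating rules may list several interfaces ("wan,lan"); empty means all.
        ifaces = set(filter(None, _text(rule, "interface").split(",")))
        if not ifaces and _text(rule, "floating"):
            ifaces = {"*"}
        exposed = sorted(ifaces - set(trusted_ifaces))
        if not exposed:
            continue
        findings.append({
            "interface": ",".join(exposed),
            "descr": _text(rule, "descr"),
            "port": _text(dest, "port") or "any",
            "unresolved_alias": match is None,
        })
    return findings


if __name__ == "__main__":
    for f in find_gui_exposures(SAMPLE_CONFIG):
        print(f"GUI reachable from {f['interface']}: {f['descr']} (port {f['port']})")
```

Run it against a backup taken from System > Configuration > Backups and treat every finding as something to remove or narrow to the management source network; a port alias shows up with `unresolved_alias` set, which is exactly the case where a DNS or alias resolution failure (the second point in the answer) changes what the rule actually matches.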
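The answer's HA recommendation is Active/Passive with something that flips the Azure UDR when the primary node dies. Below is an added example of that controller (not part of dmauser/opnazure): it probes both OPNsense nodes over TCP, picks the healthy one, and builds the `az network route-table route update` command that repoints the default route's next hop. The resource group, route table, route name, node IPs and the probed port are assumptions for the example; the command is only executed when `apply=True`, so the function can be exercised offline with a fake probe.

```python
"""Active/Passive UDR failover for two OPNsense nodes in Azure.

Added example; the names and IPs are assumptions, not the project's values.
The Azure CLI call used is `az network route-table route update`, whose
--next-hop-type / --next-hop-ip-address flags point a route at an NVA.
"""
import socket
import subprocess


def probe_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_next_hop(primary_ip, secondary_ip, probe, port=443):
    """Prefer the primary node; use the secondary only when the primary is
    down and the secondary answers. Returns None if neither answers."""
    if probe(primary_ip, port):
        return primary_ip
    if probe(secondary_ip, port):
        return secondary_ip
    return None


def route_update_cmd(resource_group, route_table, route_name, next_hop_ip):
    """Azure CLI invocation that repoints a UDR route at a virtual appliance."""
    return [
        "az", "network", "route-table", "route", "update",
        "--resource-group", resource_group,
        "--route-table-name", route_table,
        "--name", route_name,
        "--next-hop-type", "VirtualAppliance",
        "--next-hop-ip-address", next_hop_ip,
    ]


def failover(primary_ip, secondary_ip, current_hop, resource_group, route_table,
             route_name, probe=probe_tcp, port=443, apply=False):
    """Decide whether the route must move and return the command (or None).

    Only runs the CLI when apply=True; with both nodes down the route is left
    as is rather than pointed at a dead box.
    """
    target = choose_next_hop(primary_ip, secondary_ip, probe, port)
    if target is None or target == current_hop:
        return None
    cmd = route_update_cmd(resource_group, route_table, route_name, target)
    if apply:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Assumed lab values; run with apply=True only from a host logged in via `az login`.
    cmd = failover("10.0.1.4", "10.0.1.5", current_hop="10.0.1.4",
                   resource_group="rg-opnsense", route_table="rt-spokes",
                   route_name="default", apply=False)
    print(cmd or "no change needed")
```

Run it from a scheduled job or a small VM outside both firewalls and record `current_hop` between runs; when the route moves, existing flows through the old node are lost because only the active node's state table is replicated, and moving it back too eagerly (no hysteresis, or probing only the GUI port) recreates the asymmetric-routing problem described in the answer.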