3

I have created a schedule for internet access for a VM (10.0.64.43/27), the rule is implemented on a WAN interface but does not seem to be working. The internet access is to be allowed between 21:30 - 21:45 every Mon, Thu, and Sun yet the VM has internet access all the time.

Schedule - https://i.ibb.co/qm5FCMF/Schedules.png

WAN Rule - https://i.ibb.co/TgxLTY7/WAN-Rules.png

Rule Ineffective - https://i.ibb.co/QcBzVpD/Schedule-Failure.png

Could it be that NAT is being applied to the 10.0.64.0/27 network before packets reach the WAN, and thus the rule is ineffective?

Any thoughts on what might be wrong in this case?

UPDATE

I had a hard time understanding In and Out of the firewall in relation to Source and Destination.

Whatever I understood, I implemented, but only part of the scheduled rule is effective: the network 192.168.28.0 has scheduled internet access and works fine, while the rule for the network 10.0.64.0 does not seem to be effective.

The whole network with internet route for client VM - https://i.ibb.co/9gHG3y3/Dell-Network.png

Tracert from client (192.168.1.21 is the 1_dell interface and 192.168.47.2 is the NAT network in VMware Workstation) - https://i.ibb.co/PG8YKs5/W10-Tracert-Internet.png

Schedule - https://i.ibb.co/JFqL03v/Schedule.png

Server with No Internet as in Schedule - https://i.ibb.co/HVbMPcv/Server-No-Internet.png

Alias for RFC1918 networks - https://i.ibb.co/9HXZ7t0/RFC1918.png

Internet Rule for 10.0.64.32 /27 - https://i.ibb.co/9Wn5RQv/firewallwm-RFC1918.png

Internet still accessible - https://i.ibb.co/TB7jRhd/W10-Internet.png

WAN Rule - https://i.ibb.co/YN28rzs/firewallwm-WAN-Rule.png

Not sure if my rule is incorrect or if it's a glitch I'm failing to understand how to implement.

Huud Rych
  • So the way I'm reading the documentation, the schedule rule will only match the traffic during that schedule, so during the unscheduled time that rule is not evaluated at all, and the default allow is allowing the traffic. Add a block rule for the VM subnet after the schedule but before the default. That will allow all other IPs to use the default rule, and during the schedule window the VMs can use the scheduled rule, but the rest of the time the block rule will apply to the VMs. – Frank Thomas Mar 12 '21 at 19:34
  • Thanks, could you advise where you found out how schedule rules are evaluated? I read https://docs.opnsense.org/manual/firewall.html and could not find much. – Huud Rych Mar 12 '21 at 20:47
  • I looked at the doc you linked, and noticed that you could not set Allow/Deny behavior on the schedule. That means that the FW rule must control that. The schedule itself doesn't impart any logic for "allow if during schedule, and block if not" or vice versa. Couple that with the text at the bottom of your rules screen, indicating that traffic will be processed by the rules that match it, rather than by a cascading of rules, and that implies that only the most specific rule matching the traffic will process, so the schedule is being used for match criteria, not behavior. The rule handles that. – Frank Thomas Mar 12 '21 at 21:38
  • Sorry, I'm getting lost between schedule and allow/deny. Does this mean that if a rule has a schedule set in it, the schedule has no effect?! – Huud Rych Mar 12 '21 at 21:45
  • No, it means that the schedule is used to match traffic to a rule. The rule does the allowing or denying. So if you have a schedule on a rule, and the traffic matches the rule, but it is not in the scheduled time, the rule does not match, so it won't do anything. When the current time is within the bounds of the schedule, the traffic will match the rule, and it can apply the rule's action. So let's say you had a rule that denies TCP\80 outbound from 9-10AM, and another rule after it that allows TCP\80. The first rule will process only if the current time is between 9 and 10 AM. – Frank Thomas Mar 12 '21 at 21:49
  • Schedules just allow you to consider the current time when determining if a rule applies to a bit of traffic. So the schedule is just criteria like source/destination address or port, or protocol (TCP/UDP/ICMP). It's just a way to describe the traffic you want to control with this rule, but based on what time it is on the router, rather than characteristics of the traffic itself. – Frank Thomas Mar 12 '21 at 21:50
  • @Huud Rych The schedule is used to tell **when** the rule is "enabled" (active). The traffic allowance or denial is defined by the rule itself. – Eduardo Bissi Mar 12 '21 at 21:57
  • Sorry, getting a bit lost here. So I added a Block Rule and added a schedule to it. The schedule has a time of 21:30 to 21:45 Every Day. Can I know what this rule is supposed to do? Block every day except from 21:30 to 21:45, OR block from 21:30 to 21:45? – Huud Rych Mar 12 '21 at 22:03
  • If it's a block rule, it will block from 21:30-21:45. The rule will be inactive at any other time. That is why Eduardo suggested you invert the schedule to be all times EXCEPT 21:30-21:45. Or you could use the schedule you have defined, change it to an Allow rule, but then you need to add a block rule that blocks the traffic whenever the scheduled rule isn't allowing it. – Frank Thomas Mar 12 '21 at 22:28

2 Answers

3

There is a default rule to "let out anything from firewall host itself", which you can check under Floating firewall rules.

Your rule just tells it to allow traffic at a specific time interval. Also, you have configured it as "first match". The firewall works like this with your rule:

  1. Checks your conditions to apply the rule (schedule, source, destination, and gateway in your case)
  2. If the conditions are met, allows traffic and stops processing rules
  3. If the conditions are not met, continues processing rules
  4. Eventually it will process the "let out anything from firewall host itself" rule, allowing traffic

So your firewall will never block traffic, only allow it "again".

To solve this, change the schedule to have 2 intervals: 00:00 to 21:29 and 21:46 to 23:59. Also change the firewall rule action to block or reject.

This way there will be a rule to block traffic.

Eduardo Bissi
2

So I'm adding an answer not to compete with Eduardo, who has answered this question nicely, but to explain the options with proper formatting.

So, as we discussed, a rule with a schedule will only be active when the current time falls within the time the schedule defines. Schedules don't care about blocking or allowing.

Also, note that you have a Default Allow Rule that allows all traffic (ALLOW From Any To Any on Any Port using Any Protocol at Any Time). If you want to change the way traffic is processed, you can only do so using a Block rule, and it has to be listed before the Default rule. No kind of Allow rule could change the way processing occurs, since everything is allowed. The end result will be identical, regardless of which rule processed the traffic.

There are two ways to do what you want.

This is what Eduardo suggested. It's a great approach, if you can put two timespans in a single schedule. Nice and clean.

Block From <VMSubnet> To Any on Any Port using Any Protocol at 00:00:00 - 21:29:59 or 21:45:00 - 23:59:59
ALLOW From Any To Any on Any Port using Any Protocol at Any Time
  • IF the traffic is coming from a non-VM IP it is Allowed (Default Rule)
  • IF the traffic is coming from a VM IP at 22:50 it is Blocked (Schedule Rule)
  • IF the traffic is coming from a VM IP at 21:35 it is Allowed (Default Rule)

The other approach is to add a block rule that blocks all traffic from the VMs all the time, and an allow rule that allows it during the scheduled window. In that case your schedule would just be 21:30-21:45.

Allow From <VMSubnet> To Any on Any Port using Any Protocol at 21:30:00 - 21:45:00
Block From <VMSubnet> To Any on Any Port using Any Protocol at Any Time
ALLOW From Any To Any on Any Port using Any Protocol at Any Time
  • IF the traffic is coming from a non-VM IP it is Allowed (Default Rule)
  • IF the traffic is coming from a VM IP at 21:31 it is Allowed (Scheduled Rule)
  • IF the traffic is coming from a VM IP at 22:15 it is Blocked (Block Rule)

Hope that helps clear it up.

Frank Thomas
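The first-match evaluation that both answers describe, modelled as a small simulator (added example, not OPNsense code or either answerer's own): a schedule is nothing but extra match criteria, so the original "scheduled allow + default allow" ordering never blocks, while Eduardo's inverted-schedule block rule and Frank's allow-then-block ordering both do. Rule names, the 10.0.64.32/27 subnet, and the timestamps are taken from the thread; the weekday handling (Mon/Thu/Sun from the question) is an assumption added to show where the two approaches differ.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed model of OPNsense "first match" rule evaluation (assumption: one source
# criterion plus an optional schedule is enough to show the ordering problem).
@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    source: str = "0.0.0.0/0"                     # source network this rule matches
    days: set = field(default_factory=lambda: set(range(7)))  # 0=Mon .. 6=Sun
    windows: list = field(default_factory=list)   # [(start, end)] time-of-day; empty = any time

    def matches(self, src: str, when: datetime) -> bool:
        # The schedule is match criteria only: outside its windows the rule simply does not match.
        if ip_address(src) not in ip_network(self.source):
            return False
        if when.weekday() not in self.days:
            return False
        if not self.windows:
            return True
        t = when.time()
        return any(start <= t <= end for start, end in self.windows)

def evaluate(rules, src: str, when: datetime) -> str:
    """First matching rule decides; the floating "let out anything" rule passes the rest."""
    for rule in rules:
        if rule.matches(src, when):
            return rule.action
    return "pass"

VM_NET = "10.0.64.32/27"
SCHED_DAYS = {0, 3, 6}                            # Mon, Thu, Sun as in the question
WINDOW = [(time(21, 30), time(21, 45))]
DEFAULT = Rule("pass")                            # ALLOW From Any To Any at Any Time

# Original (broken) ruleset: scheduled allow, then default allow. Nothing can ever block.
ORIGINAL = [Rule("pass", VM_NET, SCHED_DAYS, WINDOW), DEFAULT]

# Eduardo's approach: one block rule whose schedule is the inverse of the window (every day).
INVERTED = [Rule("block", VM_NET, windows=[(time(0, 0), time(21, 29, 59)),
                                            (time(21, 46), time(23, 59, 59))]), DEFAULT]

# Frank's approach: scheduled allow, then an unconditional block for the VM subnet, then default.
ALLOW_THEN_BLOCK = [Rule("pass", VM_NET, SCHED_DAYS, WINDOW), Rule("block", VM_NET), DEFAULT]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("inverted", INVERTED), ("allow+block", ALLOW_THEN_BLOCK)):
        for when in (datetime(2021, 3, 15, 21, 35), datetime(2021, 3, 15, 22, 0)):
            print(f"{name:12s} VM at {when:%a %H:%M}: {evaluate(rules, '10.0.64.43', when)}")
```

The Tuesday case in the test shows the one difference between the two fixes: a daily inverted schedule still passes VM traffic inside the window on non-scheduled days, whereas the unconditional block rule does not, so if weekdays matter the inverted schedule needs those days blocked as well.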