From 473047d709f79335a79ed4a058446dc62b5ba5b7 Mon Sep 17 00:00:00 2001 From: Gitea Actions Date: Wed, 15 Oct 2025 20:42:40 +0000 Subject: [PATCH] Auto-update blog content from Obsidian: 2025-10-15 20:42:40 --- ...ation-opnsense-proxmox-highly-available.md | 53 ++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/content/post/13-migration-opnsense-proxmox-highly-available.md b/content/post/13-migration-opnsense-proxmox-highly-available.md index 21350ea..c28e8f4 100644 --- a/content/post/13-migration-opnsense-proxmox-highly-available.md +++ b/content/post/13-migration-opnsense-proxmox-highly-available.md 
@@ -180,4 +180,55 @@ To begin, in `Firewall` > `Groups`, I create 2 groups to regroup my interfaces: Next, in `Firewall` > `Aliases`, I create an alias `InternalNetworks` to regroup all my internal networks: ![opnsense-create-alias-internalnetworks.png](img/opnsense-create-alias-internalnetworks.png) -Now to deny access to the internal networks from my untrusted netowrks. In `Firewall` > `Rules` > `Untrusted`, let's create the first rule \ No newline at end of file +For all my networks, I want to allow DNS querry on the local DNS. In `Firewall` > `Rules` > `Floating`, let's create the first rule: + +| Field | Value | +| -------------------------- | ------------------------------------- | +| **Action** | Pass | +| **Quick** | Apply the action immediately on match | +| **Interface** | Trusted, Untrusted | +| **Direction** | in | +| **TCP/IP Version** | IPv4 | +| **Protocol** | TCP/UDP | +| **Source** | InternalNetworks | +| **Destination** | This Firewall | +| **Destination port range** | from: DNS - to: DNS | +| **Log** | Log packets | +| **Category** | DNS | +| **Description** | DNS | + +Next I want to allow connections towards the internet. At the same place I create a second rule: + +| Field | Value | +| -------------------------- | ------------------------------------- | +| **Action** | Pass | +| **Quick** | Apply the action immediately on match | +| **Interface** | Trusted, Untrusted | +| **Direction** | in | +| **TCP/IP Version** | IPv4+IPv6 | +| **Protocol** | any | +| **Source** | InternalNetworks | +| **Destination / Invert** | Invert the sense of the match | +| **Destination** | InternalNetworks | +| **Destination port range** | from: any - to: any | +| **Log** | Log packets | +| **Category** | Internet | +| **Description** | Internet | + +Finally, I want to allow anything from my trusted networks. 
In `Firewall` > `Rules` > `Trusted`, I create the rule: + +| Field | Value | +| -------------------------- | ------------------------------------- | +| **Action** | Pass | +| **Quick** | Apply the action immediately on match | +| **Interface** | Trusted | +| **Direction** | in | +| **TCP/IP Version** | IPv4+IPv6 | +| **Protocol** | any | +| **Source** | Trusted net | +| **Destination** | any | +| **Destination port range** | from: any - to: any | +| **Log** | Log packets | +| **Category** | Trusted | +| **Description** | Trusted | +
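Review bot: The floating DNS rule in this hunk is `IPv4` only while the Internet rule right after it is `IPv4+IPv6`, so any client that sends its DNS queries to the firewall over IPv6 will not match the pass rule; either set the DNS rule to `IPv4+IPv6` as well or add a sentence saying DNS is intentionally served over IPv4 only. The hunk also deletes the line "Now to deny access to the internal networks from my untrusted netowrks" without replacing it, so the post no longer says how Untrusted is kept out of `InternalNetworks`; since the new floating Internet rule only passes traffic whose destination is not `InternalNetworks`, a short note that Untrusted to internal traffic is blocked by the default deny would close that gap for readers. Minor: "DNS querry" should read "DNS query".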