Hi all,
Sorry for asking but I just can't seem to get this sorted. I have about 5 VLANs on my network. All working fine except I can't get the FW rules working as I want them to. So HELP!! Before I go nuts. Here's the rule examples I'd need:
1) block traffic between VLANs
2) allow VLAN to a specific server
3) block VLAN to internet
Help!
Thanks heaps
Oliver
Hi Oliver,
If you have private networks on the VLANs, you could create an alias for all RFC1918 networks and create a block rule on each interface.
Before or above that block rule you should add rules for the traffic that is allowed to pass between those VLANs or to talk directly with the firewall interface (NTP and DNS, for example).
After or below that block rule you can add rules like:
Allow: LAN 1 -> ANY : ANY
That way all traffic to your firewall or between VLANs is processed by your allow rules.
All other traffic between your VLANs is blocked by the block rule, but only from RFC1918 networks.
Hope that helps.
For a detailed guide you can use the guest network howto as reference: https://docs.opnsense.org/manual/how-tos/guestnet.html
Regards,
Dominik
Thanks. Will give it a shot.
Hi,
So tried everything again and nothing works on any logic I can fathom. You can see my rules below. All Floating rules are automatic.
I so F'n HATE firewalls. I swear if I get this going I'll write a blog post for the lost.
Most of the time, any traffic from VLAN90 to anything hits the default deny rule. But oddly, traffic and pings work, yet they don't show up in the Live log! I don't get it.
Cheers
oliver
Have you set the allow rules to logging?
If you think the rules are correct, try resetting the states, under Diagnostics.
Or use the inspect functionality to see if the rules are processed.
Yeah I have reset rules under Diagnostics. Did nothing. I generally check what works in the Live view. I'll try the inspect.
Traffic blocking between VLANs will work.
Generally, but maybe I'm more old-school, I always feel it's better to explicitly set your 'Source' as you did with the DNS Server rule. This eliminates any question of how your * wildcard might be interpreted.
Re: The VLAN blocking from your last rule, I'm really not sure how that Destination you have defined would work out. The most direct way to do this is what an earlier poster noted: Create an alias for all RFC1918 networks, then create an explicit Deny rule: Use your last rule as a guide and use 'VLAN90 net' as the Source, and change the Destination to the RFC1918 alias.
That should block traffic from VLAN90 to other VLANs.
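The rule ordering Dominik describes above (specific allows first, then the RFC1918 block, then a catch-all allow) and Sirius1's advice to use 'VLAN90 net' as an explicit source with the RFC1918 alias as destination can be checked outside the GUI with a small first-match simulator. This is an added example, not code from the thread or from OPNsense; the VLAN90 addressing (192.168.90.0/24), the firewall address 192.168.90.1, the DNS server 192.168.10.53 and the sample flows are all constructed for illustration. It models interface rules as first-match (the OPNsense default), with anything unmatched falling to the implicit default deny the original poster keeps hitting.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

# Alias covering all RFC1918 space, as recommended in the thread.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

# Hypothetical addressing for the example (constructed, not from the thread).
VLAN90_NET = ip_network("192.168.90.0/24")       # what 'VLAN90 net' resolves to
VLAN90_GATEWAY = ip_network("192.168.90.1/32")   # firewall's own address on VLAN90
DNS_SERVER = ip_network("192.168.10.53/32")      # server on another VLAN that VLAN90 may reach


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: List[IPv4Network]         # explicit source, never a bare wildcard
    dst: List[IPv4Network]
    dport: Optional[int]           # None means any destination port
    label: str


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    s, d = ip_address(src), ip_address(dst)
    return (any(s in n for n in rule.src)
            and any(d in n for n in rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation, as interface rules behave in OPNsense by default.
    Returns (action, label); anything unmatched falls to the implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action, rule.label
    return "block", "default deny"


# Rule set for the VLAN90 interface, in the order the thread suggests:
# specific allows first, then the RFC1918 block, then allow everything else.
VLAN90_RULES = [
    Rule("pass",  [VLAN90_NET], [VLAN90_GATEWAY], 53,   "allow DNS to firewall"),
    Rule("pass",  [VLAN90_NET], [DNS_SERVER],     53,   "allow DNS to server"),
    Rule("block", [VLAN90_NET], RFC1918,          None, "block VLAN90 -> RFC1918"),
    Rule("pass",  [VLAN90_NET], ANY,              None, "allow VLAN90 -> any"),
]

# Same rules with the trailing allow removed: VLAN90 loses internet access
# (requirement 3 in the first post) because nothing else matches non-RFC1918 destinations.
VLAN90_RULES_NO_INTERNET = VLAN90_RULES[:-1]

# Wrong order: the block placed above the DNS allow silently breaks DNS to the server.
VLAN90_RULES_MISORDERED = [VLAN90_RULES[2], VLAN90_RULES[0], VLAN90_RULES[1], VLAN90_RULES[3]]


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, destination port)
    flows = [("192.168.90.20", "192.168.10.53", 53),   # DNS to the allowed server
             ("192.168.90.20", "192.168.20.10", 445),  # SMB to another VLAN
             ("192.168.90.20", "1.1.1.1", 443)]        # HTTPS to the internet
    for name, rules in (("ordered", VLAN90_RULES),
                        ("no internet", VLAN90_RULES_NO_INTERNET),
                        ("misordered", VLAN90_RULES_MISORDERED)):
        for src, dst, port in flows:
            print(f"{name:12} {src} -> {dst}:{port} => {evaluate(rules, src, dst, port)}")
```

Running it shows the three outcomes side by side: with the recommended order, DNS to the server passes, SMB to another VLAN is stopped by the RFC1918 block, and internet traffic passes on the final rule; drop the final rule and internet traffic hits the default deny; move the block above the DNS allow and DNS is blocked too, which is the kind of symptom worth checking against the Live log before assuming the rules are being ignored. A source outside 'VLAN90 net' never matches anything, which is the benefit of an explicit source over a wildcard.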
Quote from: Sirius1 on September 26, 2019, 01:58:03 AM
Generally, but maybe I'm more old-school, I always feel it's better to explicitly set your 'Source' as you did with the DNS Server rule. This eliminates any question of how your * wildcard might be interpreted.
I don't think that is old-school; it is good style. I tend to specify all rules as explicitly as possible. This helps with debugging.