Text only | Text with Images

OPNsense Forum

English Forums => General Discussion => Topic started by: venomone on November 26, 2019, 09:49:33 AM

Title: How to separate subnets from each other
Post by: venomone on November 26, 2019, 09:49:33 AM
Hello,

i have 3 subnets lets call them:

1. 192.168.10.0/24
2. 192.168.20.0/24
3. 192.168.30.0/24

but currently all clients of all 3 subnets can talk with each other which should not be possibe.
is there a config setting for this or can i only accomplish that by a firewall rule?
clients should only be able to talk on there very own subnet.

Kind regards and thanks for reading
Title: Re: How to separate subnets from each other
Post by: hbc on November 26, 2019, 01:41:53 PM
Install three NICs and add each subnet to one NIC or define VLANs and buy an VLAN capable switch.

Then create an alias e.g. named Net_RFC1918 with content:

Then add to each subnet this rule on top:
Code Select

Protocol Source Port Destination Port Gateway Schedule Description
IPv4+6 * * * Net_RFC1918 * * * Block RFC1918 traffic as destination

Now subnets cannot talk to each other (and future private subnets), except you add an exception above this rule. Rules to public IP addresses in existing rulesets won't be affected.
Title: Re: How to separate subnets from each other
Post by: venomone on November 26, 2019, 02:43:21 PM
Hello,

thx for your quick answere but for now this has changed nothing so far for me.
Title: Re: How to separate subnets from each other
Post by: chemlud on November 26, 2019, 03:05:16 PM
Let's do it the easy way:

You have three interfaces for your 3 subnets. Let's call them LAN, OPT1 and OPT2.

If LAN is  192.168.10.0/24 then put on top of the firewall rules for this interface (ABOVE the allow any any rule)

Block ipv4 source: any port: any destination: 192.168.20.0/24 port:any

and

Block ipv4 source: any port: any destination: 192.168.30.0/24 port:any

After applying the change, you should no longer be able to reach the .20.0 and .30.0 nets from LAN.

Then create comparable rules on the OPT1 and OPT2 firewall rule tabs...
Title: Re: How to separate subnets from each other
Post by: hbc on November 26, 2019, 03:10:34 PM
Quote from: venomone on November 26, 2019, 02:43:21 PM
Hello,

thx for your quick answere but for now this has changed nothing so far for me.

Did you add it as BLOCK/REJECT rule?
Title: Re: How to separate subnets from each other
Post by: venomone on November 26, 2019, 03:24:04 PM
Yes i did.
Title: Re: How to separate subnets from each other
Post by: venomone on November 26, 2019, 03:29:59 PM
Okay, got it working, my mistake was the rule sequence. i moved up the rule and the magic starts to happen
Title: Re: How to separate subnets from each other
Post by: venomone on November 26, 2019, 03:34:47 PM
But what i still dont understand is that now all the traffic is blocked also within the same subnet. i want that each client from each subnet can talk to eachother and reach the internet trough the gateway/router.
Title: Re: How to separate subnets from each other
Post by: venomone on November 26, 2019, 03:41:12 PM
Okay i already got, that @ all for your help
Text only | Text with Images