OPNsense Forum

English Forums => General Discussion => Topic started by: hushcoden on March 30, 2021, 09:33:54 PM

Title: How to isolate one port/subnet
Post by: hushcoden on March 30, 2021, 09:33:54 PM
I've got 2x LAN ports and 1x WAN port and I'd like to create firewall rules to 'isolate' LAN2 (which is on a different subnet than LAN1) in order to allow only Internet access and no access to LAN1, any advice, please?

Tia.
Title: Re: How to isolate one port/subnet
Post by: lfirewall1243 on March 30, 2021, 09:35:24 PM
Create a fw rule on

LAN1 which is blocking the traffic to lan2

And on LAN2 which is blocking to lan1
Title: Re: How to isolate one port/subnet
Post by: hushcoden on March 31, 2021, 12:59:46 PM
Quote from: lfirewall1243 on March 30, 2021, 09:35:24 PM
Create a fw rule on

And on LAN2 which is blocking to lan1
Just one rule like the attachment?
Title: Re: How to isolate one port/subnet
Post by: Greelan on March 31, 2021, 01:12:33 PM
Easiest would be an allow rule on LAN2 interface, source LAN2 net, destination !LAN1 net

This would replace any block rule from LAN2 net to LAN1 net, and any allow rule from LAN2 net to any

Result: anything from LAN2 net to internet is allowed (by above rule), and anything from LAN2 net to LAN1 net is blocked (by default deny rule)
Title: Re: How to isolate one port/subnet
Post by: hushcoden on March 31, 2021, 02:23:52 PM
Quote from: Greelan on March 31, 2021, 01:12:33 PM
Easiest would be an allow rule on LAN2 interface, source LAN2 net, destination !LAN1 net

Sorry, what does !LAN1 net mean?
Title: How to isolate one port/subnet
Post by: Greelan on March 31, 2021, 02:26:17 PM
"Not LAN1 net". Put LAN1 net as destination, but check the invert destination box. So the rule will match if the destination is NOT LAN1 net
Title: Re: How to isolate one port/subnet
Post by: hushcoden on March 31, 2021, 02:39:14 PM
Ahh gotcha ;D and that's my current LAN2: I have also two default allow rules which I believe OPNsense created - does it look fine?
Title: Re: How to isolate one port/subnet
Post by: Greelan on March 31, 2021, 10:17:30 PM
As I said above, you don't need the last two. If you keep them, then all traffic from LAN2 net will continue to be able to reach LAN1 net
Title: Re: How to isolate one port/subnet
Post by: lfirewall1243 on April 01, 2021, 08:01:01 PM
Quote from: hushcoden on March 31, 2021, 02:39:14 PM
Ahh gotcha ;D and that's my current LAN2: I have also two default allow rules which I believe OPNsense created - does it look fine?
Yep delete the last 2
Title: Re: How to isolate one port/subnet
Post by: hushcoden on April 02, 2021, 10:58:18 PM
Thanks, but if I delete the last two, the PS4 won't connect to the Internet...  :o
Title: Re: How to isolate one port/subnet
Post by: Greelan on April 03, 2021, 03:01:41 AM
So the PS4 is in LAN2 net? Does it rely on any services in LAN net, such as a DNS server?
Title: Re: How to isolate one port/subnet
Post by: Greelan on April 03, 2021, 03:03:35 AM
I am assuming of course you weren't observing this while the PS4 blocking schedule was operating?
Title: Re: How to isolate one port/subnet
Post by: hushcoden on April 03, 2021, 01:17:04 PM
So, I fixed it by adding DNS servers manually on the PS4 ;D
Title: Re: How to isolate one port/subnet
Post by: blackline on January 14, 2024, 10:18:53 AM
Why can't we just use the following rule:
PASS src GUEST_LAN dst !WAN

This way, if one ever adds a second or third LAN, I don't have to remember to add firewall rules.
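To make the first-match behaviour discussed in this thread concrete, here is an added Python model of a small OPNsense-style interface ruleset (example code written for this page, not OPNsense code). It replays Greelan's single inverted-destination rule, the same rule with the stock "LAN2 net to any" allows left in place, and blackline's `!WAN` variant with "WAN" read as the WAN interface's subnet; all subnets and hosts are constructed sample values, not the posters' actual addressing.

```python
import ipaddress

# Constructed sample subnets (assumptions, not the posters' real networks).
LAN1_NET = ipaddress.ip_network("192.168.1.0/24")
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")  # ISP-facing subnet (TEST-NET-3)

class Rule:
    """One interface rule: action, source net, destination net ('any' when None),
    and the 'invert destination' checkbox Greelan writes as '!LAN1 net'."""
    def __init__(self, action, src, dst, invert_dst=False):
        self.action, self.src, self.dst, self.invert_dst = action, src, dst, invert_dst

    def matches(self, src_ip, dst_ip):
        if src_ip not in self.src:
            return False
        in_dst = self.dst is None or dst_ip in self.dst
        return (not in_dst) if self.invert_dst else in_dst

def evaluate(rules, src_ip, dst_ip):
    """Rules are checked top to bottom and the first match wins (quick rules,
    the OPNsense default). With no match the implicit default deny applies."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"

# Greelan's LAN2 ruleset: one pass rule, source LAN2 net, destination !LAN1 net.
ISOLATED = [Rule("pass", LAN2_NET, LAN1_NET, invert_dst=True)]

# Same rule, but the stock "LAN2 net -> any" allow rule was not deleted.
WITH_DEFAULTS = ISOLATED + [Rule("pass", LAN2_NET, None)]

# blackline's variant, PASS src LAN2 dst !WAN, taking "WAN" as the WAN subnet.
GUEST_NOT_WAN = [Rule("pass", LAN2_NET, WAN_NET, invert_dst=True)]

def outcomes(rules):
    """Verdicts for a constructed LAN2 host (the PS4) reaching three destinations."""
    ps4 = "192.168.2.50"
    return {
        "internet": evaluate(rules, ps4, "198.51.100.7"),  # arbitrary public host
        "lan1_host": evaluate(rules, ps4, "192.168.1.10"),
        "lan1_dns": evaluate(rules, ps4, "192.168.1.1"),  # resolver living in LAN1
    }

if __name__ == "__main__":
    for name, rules in [("isolated", ISOLATED), ("with_defaults", WITH_DEFAULTS),
                        ("guest_not_wan", GUEST_NOT_WAN)]:
        print(name, outcomes(rules))
```

The `isolated` result shows why the PS4 lost name resolution once the extra allows were removed: a resolver inside LAN1 net falls under the default deny along with everything else in LAN1, which is what pointing the PS4 at other DNS servers worked around. The `guest_not_wan` result shows that inverting only the WAN subnet leaves the other LANs reachable, so a blanket "not WAN" rule does not by itself give per-LAN isolation.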