Having a strange issue where it seems like firewall rules are being ignored.
As an example, I have a VLAN that has my retro computers on it. For that VLAN, I have disabled the default allow all inbound and outbound rules, but computers on my house VLAN can still contact the retro computers when they are running. I also tried putting in a block rule from my home computer (on my home vlan) to anything in the retro VLAN, but I can still contact the machines.
I don't know what I am missing here, so I'm hoping someone may have some advice.
The one thing that is still in place is the default Allow LAN to any rule for the NIC that these two VLANs (and others) connect to. Is that rule my issue? I thought by creating the Virtual Networks, those rules would trump anything on the main LAN rules. Perhaps I am wrong?
Thanks for the assistance.
Most likely the problem is in your VLAN switch...
Cisco switch looks fine. Set up the way it has been. Ports assigned to proper VLANs and trunked properly.
This was working fine and then stopped. Nothing on either of my switches has changed.
What else on the switch could be the issue? They are fully managed Cisco switches
You have a rule to block access from LAN to retro LAN? Show rules on both LAN and retro LAN...
As the traffic originates from LAN, the valid rules should be on the LAN, but if you mess around with outbound and inbound rules ymmv.
I had these rules set in each VLAN previously and they were working. I didn't allow anything in or out of my retro VLAN so the machines could only talk to each other.
I don't have a specific block rule, as it states anything that isn't specifically allowed is blocked by default.
I have the default VLAN rules for the retro VLAN disabled (so any in and any out is disabled). The LAN that the VLAN and other VLANs are on still has the default Allow rule, but the specific VLAN rules should supersede the overall LAN rule, I'd think. Otherwise, why even have rules for the VLANs?
I don't want to disable the default allow rule for the LAN or nothing will work.
Quote from: Smack2k on May 15, 2021, 05:15:55 PM
...
I don't want to disable the default allow rule for the LAN or nothing will work.
If you allow anything, then everything will be allowed oO
Are you saying the default allow LAN rule trumps all the rules you set in individual VLANs?
That doesn't seem right.
It doesn't "trump" it as such, it is just behaving as you have set it up. You are telling OPNsense to allow anything coming from the LAN network to access anything else - so that is what it is doing.
The way OPNsense works is that it generally applies rules on traffic coming in on an interface. If that is allowed to the relevant destination, then the firewall just sends it out the outgoing interface (using the "allow anything out of firewall host itself" floating rule)
OK,
If I disable that, nothing would be able to get out, even if I have it allowed from the VLANs, correct?
So what are my options
This is the rule I am talking about (attached)
If that is disabled or not allowed, nothing coming from that NIC would get out. If that is the case, what is the point of the VLANs? This was working fine for a long time the way I had it setup. I never touched the LAN rule and made all the firewall rules from the VLAN Interfaces.
Don't disable the default rules, just place a block rule above them that blocks LAN net going to VLAN net. Simples...
Forgive my ignorance here, but what is the point of having individual VLAN rules to decide what is and isn't allowed in/out if you just block things from the LAN rule? The VLANs are all created off the LAN NIC.
Well, like with the LAN rules, you would use the VLAN rules to regulate traffic coming from VLAN net
Phew, I'm not going mad, and I'm not the only person with this problem.
I too have created multiple VLANs; they're on separate network interfaces. For example, I wanted to place my IPMIs into a VLAN which I called IPMI, with a VLAN ID of 10, and assigned DHCP to them on a completely different range (192.168.10.0/24) to my LAN (192.168.1.0/24). The IPMIs all have their IPs (lovely). The problem is my LAN can access them and I have not allowed that! I thought VLANs were completely cut off from other networks until you explicitly allowed them to access something; I thought it was always off by default.
No matter, thought I, I'll create a firewall rule blocking my LAN from accessing it, but lo, it doesn't. I have tried creating a rule to prevent traffic leaving my LAN bound for my IPMI VLAN; I've tried creating a rule on the IPMI VLAN preventing all traffic from the LAN reaching it. In both cases the LAN has access. So the question is, why are VLANs not isolated?
I'm working from a clean fresh installation with the default firewall rules installed. I'm using OPNsense 21.1.5.
Quote from: Greelan on May 16, 2021, 11:46:05 AM
Well, like with the LAN rules, you would use the VLAN rules to regulate traffic coming from VLAN net
That's where my rules are... in each VLAN.
There are several VLANs setup that are all coming from the same LAN interface. The VLAN rules are there for each VLAN. I've even disabled the allow all in and allow all out for one of them as a test. But I can still access machines in that VLAN from a machine in a different VLAN. Same goes for the other VLANs, everything can access everything even though I have specific rules set for each VLAN. The fact that I disabled the allow all in and out from the one VLAN should mean nothing can get to those machines, yet I still can.
The LAN that the VLANs are created from has the allow all rule from the attachment in an earlier post. But that has been that way for a long time. It's just all of a sudden the firewall rules aren't doing anything, whether enabled or disabled.
I think you are both confused by the concept of traffic direction in the fw rules. Have a look at the help text for "Direction" in the fw rules, and the OPNsense docs. You need to look at all rules from the perspective of OPNsense itself.
Unless specifically allowed, everything is blocked coming into an interface on OPNsense. So everything from the internet is blocked coming into the WAN interface; everything from LAN net is blocked coming into the LAN interface; everything from VLAN1 net is blocked coming into the VLAN1 interface.
Obviously there are some default exceptions for DHCP and ICMP. And there is the default LAN "allow any" rule, that allows anything coming from LAN net into the LAN interface to go anywhere (to any other internal subnets, and to the internet).
If you create a VLAN and want to block traffic going to the VLAN hosts, you can either:
- create an IN rule on the interfaces that you want to block traffic from (such as the LAN interface, or a floating rule that applies to multiple interfaces); or
- create an OUT rule on the VLAN interface that you want to block traffic to
OPNsense's default approach is to apply rules IN on an interface. This is the most efficient from a packet processing perspective (packets are dealt with when first seen by OPNsense), and also means that complications don't arise if source NAT is applicable.
TLDR - Are you saying I need to put a block rule on the parent LAN interface and then individual allow rules for each VLAN on the parent interface? Then I can use the individual VLAN rules from there?
I'm not sure what I am missing here, but what you are saying needs to be done is what I have done.
For one of my VLANs (the one I have used in my previous posts), I have removed the allow all IN and allow all OUT rules (see attached). I haven't touched the LAN interface rules and haven't in the past. All of my VLANs are created off of that parent LAN interface. I had these rules set up for a while and at no point did I ever have anything in my VLAN rules blocking the LAN interface itself. I had rules to only allow certain other IP addresses to access machines in my VLAN. But now, as you can see in the attachment, there are NO rules for that VLAN and it states all incoming connections on this interface will be blocked. Yet I can still access machines on that VLAN from machines on another VLAN....
Also, if I wanted to block all other VLAN traffic from accessing this VLAN, but I still wanted to allow this VLAN to get out to the internet, blocking the LAN interface would prevent that.
I think where my confusion comes in is that for about 20 months I had these rules set up ONLY in the individual VLANs and nothing on the parent LAN interface itself, and things were working fine. Then it just stopped. If I am allowing all traffic into the LAN interface, wouldn't the individual VLAN rules then decide if that traffic can access those interfaces?
You mentioned creating an IN rule on the interfaces I want to block traffic from. I disabled the IN and OUT rules for this one VLAN. Since OPNsense says traffic is blocked unless specified, shouldn't that block anything getting in or out of that VLAN? Yes, the allow all rule is still on the LAN interface itself, but the rules are applied to the VLAN (which again is one of several VLANs created off that same LAN interface).
Reading the documentation again, but I just don't understand why what I had set up and working no longer does!!
Thanks for being patient and responding with information, I do appreciate it.
I have tried to explain the theory behind the fw rules as clearly as possible, but obviously I have not succeeded.
So simply do this. On an interface that you want to block traffic from (eg you want to block traffic from VLAN2 hosts to VLAN3 hosts), create a rule like the following, and place it above any "allow any" rules on that interface:
Action: Block
Quick: Checked
Interface: VLAN2 (for example)
Direction: in
TCP/IP Version: IPv4
Protocol: any
Source / Invert: Unchecked
Source: VLAN2 net (for example)
Destination / Invert: Unchecked
Destination: VLAN3 net
Destination port range: any
Description: Add one if you wish to
This is all I have for you. Good luck.
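To make the explanation above (rules are applied where traffic first enters the firewall; everything inbound is blocked unless a rule passes it; a "quick" match stops evaluation) concrete, here is a small model of that evaluation order. This is an added example, not OPNsense or pf code: it only reproduces the behaviour described in this thread, ignores state tracking, and uses constructed subnets for VLAN2 and VLAN3 (only 192.168.1.0/24 for LAN appears in the thread). It shows why removing every rule from a VLAN does not stop LAN hosts reaching that VLAN, why the block rule from the post above has to sit above the "allow any" rule, and what happens when it is placed below it.

```python
"""Toy model of per-interface, per-direction rule evaluation as described in
the thread. Added example, not OPNsense's own code. Simplifications: no
state tracking, no NAT, and every rule is 'quick' unless stated otherwise.
"""
from dataclasses import dataclass
import ipaddress

# Constructed for the example: only the LAN range comes from the thread.
NETS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "vlan2": ipaddress.ip_network("192.168.2.0/24"),
    "vlan3": ipaddress.ip_network("192.168.3.0/24"),
}


@dataclass
class Rule:
    action: str          # "pass" or "block"
    iface: str           # interface the rule is attached to in the GUI
    direction: str       # "in" or "out", seen from the firewall itself
    src: str = "any"     # "any" or an interface name, meaning "<iface> net"
    dst: str = "any"
    quick: bool = True   # OPNsense GUI rules are quick by default


def _matches(selector, ip):
    return selector == "any" or ipaddress.ip_address(ip) in NETS[selector]


def _iface_for(ip):
    for name, net in NETS.items():
        if ipaddress.ip_address(ip) in net:
            return name
    raise ValueError(f"no interface holds {ip}")


def evaluate(rules, iface, direction, src_ip, dst_ip):
    """pf-style evaluation: last matching rule wins unless a matching rule is
    'quick', which ends evaluation. With no match, the inbound default is
    block; the outbound default is pass (the floating 'let out anything from
    firewall host itself' rule mentioned earlier in the thread)."""
    verdict = "block" if direction == "in" else "pass"
    for r in rules:
        if r.iface != iface or r.direction != direction:
            continue
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            verdict = r.action
            if r.quick:
                break
    return verdict


def forward(rules, src_ip, dst_ip):
    """A forwarded packet is checked 'in' on the interface it arrives on and
    then 'out' on the interface it leaves by; both must pass."""
    in_if, out_if = _iface_for(src_ip), _iface_for(dst_ip)
    if evaluate(rules, in_if, "in", src_ip, dst_ip) == "block":
        return "block"
    return evaluate(rules, out_if, "out", src_ip, dst_ip)


def lan_scenarios(src="192.168.1.20", dst="192.168.3.20"):
    """Verdict for a LAN host talking to a vlan3 host under three rulesets."""
    lan_allow = Rule("pass", "lan", "in", src="lan")               # Default allow LAN to any
    block = Rule("block", "lan", "in", src="lan", dst="vlan3")     # the fix from the thread
    return {
        # Original poster's setup: LAN allow-any, no rules at all on vlan3.
        "original": forward([lan_allow], src, dst),
        # Block placed above the allow-any rule on the LAN interface.
        "fixed": forward([block, lan_allow], src, dst),
        # Same block placed below the quick allow-any: never reached.
        "wrong_order": forward([lan_allow, block], src, dst),
    }


def vlan2_to_vlan3(dst="192.168.3.20"):
    """The rule spelled out in the post above: block quick, VLAN2 in,
    VLAN2 net -> VLAN3 net, placed above VLAN2's allow-any rule."""
    rules = [
        Rule("block", "vlan2", "in", src="vlan2", dst="vlan3"),
        Rule("pass", "vlan2", "in", src="vlan2"),
    ]
    return forward(rules, "192.168.2.20", dst)


if __name__ == "__main__":
    print(lan_scenarios())
    print("vlan2 -> vlan3:", vlan2_to_vlan3())
    print("vlan2 -> lan:  ", vlan2_to_vlan3("192.168.1.20"))
```

Two things the model makes visible: with no rules at all on vlan3, traffic from vlan3 hosts is dropped (default inbound block on that interface), but traffic towards vlan3 hosts is never evaluated against vlan3's inbound rules, only against the LAN interface's, which is why the LAN "allow any" rule lets it through; and because that allow rule is quick, a block rule placed beneath it is dead.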
Sometimes I need to be beaten over the head before something sinks in... lol
I got it now... it's doing what it should as well.
Thanks again very much for the assistance.....and repeating yourself to help beat it into me!!
Well, I did wonder about the directions of traffic and whether it was counter to logic. So, with the best will in the world, this needs a much more detailed explanation in the documentation, judging by how many times this is misunderstood going by the number of posts in forums on this very matter, with perhaps a little explanation that the way firewalls work is counter to logic, so you explain it from how a normie would approach it vs how someone who's in the know would expect.
It also makes me wonder, based on the fact this seems opposite to what someone expects, whether perhaps the UI is wrong? From a not-configuring-this-wrongly and scaling point of view, it would make more sense to have the block rule on VLAN3 (using your example) to prevent anything coming in from VLAN2, or later on VLAN4, until you expressly allow it. But if I set a rule on, say, VLAN2 with "out", using the inverse logic, should that then do exactly that?
My other point was, aren't VLANs supposed to be separated from each other by default?