Hello ~
Soooo I have some questions - I have a protectli 6 port with OPNsense pre-installed, and I've updated it to 21.7.1-amd64
After using Ethernet to direct connect to my opns I did the updates and then added a user and disabled root.
I then connected my TP-Link 8 port to my computer and the LAN port on opns box - it worked for any devices I attach to that switch in my office - Yea!
Here's where I run into trouble - I then connect another switch (TP-Link 5 port) to em2 on my opns box - and enabled it from Interfaces in opns. I noticed that my LAN was already enabled (probably why it was working) and so I assumed I should enable my second interface for the other switch in another room. But nothing I connect to that switch will access the internet. I know nothing about networking, but started this journey because I want a home network which is 90% wired, and much more secure all around.
Now there is a lot to this stuff, and I mostly just guessed at trying to set up the second switch - So I'm here asking for your help.... I set the em2 to use static IPv4 like my LAN interface, but with the IP of 192.168.10.20/28
all other settings are the same. OPNS shows all 3 working (green) - LAN WAN & em2 on the dashboard.
Can someone point me in the right direction?
Thank you
The only interface that has default allow rules (to the internet) is LAN. More or less as a concession to simple use cases (LAN and WAN with NAT) that work 'out of the box'. Default deny is common in firewalls.
Any additional network needs explicit rules to access anything (LAN, internet, or other networks).
Simplest alternative is to plug the 5-port into the 8-port, trickiest is to bridge some firewall ports into the LAN ;)
Bart...
Hey Bart, thanks for the reply!
I've been reading/searching since this post and so I think I follow you -a little bit- ;)
It's a Firewall (OPNS standard setup) issue?
I thought the (OPNS standard FW setup) was mostly just like an off the shelf router = allow all..... but based on what I've been dealing with something is blocking that other switch for sure.
So I looked at the FW rules and I do not see any for my other interface - you're right.
Not able to find good info for those just starting out in all things home-network/router, I have planned my home network from my imagination - using switches, I now realize, like most would use VLANs. I imagined I'd limit things on certain switches because my home-net is going to be a very simple layout. Only devices in my office/LAN need more complicated/fuller range access. This em2 switch should be limited, but that is a huge learning for me just now - I'm working my way up to such things as FW rules and limiting certain access. While answering this I managed to kill my LAN internet access, I know not how LOL
Q: Would setting up a VLAN for this other switch help my troubles, or would it just be a different way, not necessarily better.... This second switch is for my Living room TV and laptop, Ethernet wired, only. I will add one final switch, same as the second, for a bedroom, same use situation.
Q: Can I just add a FW rule to accept the other switch? I have 6 ports on my box, I hate the idea that using any past the LAN is going to require I wait months to learn and not bring down my router. I'd prefer good security, but I'd settle on cloning the FW rule for my LAN and pasting onto my em2 interface - this sound like very bad practice to me though.
Please forgive the newbie questions - I have researched books and such to help get a bit up to speed, but complaints on them all from people new to it all are that they are for those in the professional sector and/or assume too much base knowledge and/or do not give any steps, just generalities and theories - Sigh
There is a huge gap in this space, if I may say so - people who want to learn, be more secure, and self sufficient, but do NOT want to become an expert, network manager, etc. They, like myself, are pulled in other directions; diving too deep is just not an option. Just good enough to secure one's home, yet better than trusting off-the-shelf.
As always - Your help is greatly appreciated, again :D
Quote from: cw-me on August 28, 2021, 09:27:25 PM
my home-net is going to be a very simple layout. Only devices in my office/LAN need more complicated/fuller range access.
You don't need VLANs if you only have to split your devices into two groups (Office/LAN and the rest). VLANs are useful if you have devices of different classes on multiple switches around the house.
I would cable your office switch to the LAN interface on the firewall and assign OPT interfaces for other devices that need restricted access and only allow the rules that they need (e.g. internet access).
You're right that there is very little networking info for beginners out there but there is no way to avoid the topic when talking about firewalls, since they're network devices. Check out a MOOC like this one: https://www.udacity.com/course/computer-networking--ud436 and bail out when it gets too complex. At least it's cheaper than a CCNA :)
Bart...
Okay, good to know ;)
Thanks
I have another question regarding your words "Any additional network needs explicit rules to access anything (LAN, internet, or other networks)."
Can you point me to some basic how to for setting FW rules for an interface other than LAN? I thought about cloning the LAN rules and assigning those -as a total guess- but my gut says unforeseen issues will arise.
I feel that this isn't the place for those just getting started to rolling their own, can you point me to a place, maybe for a different router OS where I can get the basics? Just thought I'd ask :D
Simplest firewall rule for an OPT interface:
Source *
Port *
Destination !LAN Net
Port *
Schedule *
That allows any device on the OPT network access to anything but your LAN. Remember to set DHCP that issues an internet DNS.
Bart...
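To make the two points in Bart's replies concrete (only LAN has a default "allow all" rule, every other interface falls through to default deny; and the "!LAN Net" rule for an OPT interface), here is an added toy model of how OPNsense walks an interface's rule list. This is constructed example code, not OPNsense's own code or configuration: it ignores ports, protocols and state tracking, the LAN network 192.168.1.0/24 and the firewall addresses are assumed, and the OPT network is taken from the thread's em2 address 192.168.10.20/28.

```python
"""Toy model of OPNsense per-interface rule evaluation (constructed example,
not OPNsense code): interface rules are walked top-down, first match wins
(OPNsense marks interface rules 'quick' by default), and anything that
matches no rule hits the implicit default deny."""
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing. OPT_NET follows the thread's em2 address
# 192.168.10.20/28; LAN_NET is an assumed office network.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT_NET = ipaddress.ip_network("192.168.10.16/28")
NETS = {"LAN net": LAN_NET, "OPT net": OPT_NET}


@dataclass(frozen=True)
class Rule:
    iface: str     # interface the packet arrives on ("LAN", "OPT")
    action: str    # "pass" or "block"
    dst: str       # "any", "<name> net", or "!<name> net" (negated, like the GUI's invert box)


def dst_matches(spec: str, dst_ip: str) -> bool:
    """Resolve a destination spec such as '!LAN net' against a destination IP."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = NETS[spec.lstrip("!")]
    hit = ipaddress.ip_address(dst_ip) in net
    return not hit if negate else hit


def evaluate(rules, iface: str, dst_ip: str) -> str:
    """First matching rule for this interface decides; no match means default deny."""
    for r in rules:
        if r.iface == iface and dst_matches(r.dst, dst_ip):
            return r.action
    return "block"   # implicit default deny: the original poster's symptom on em2


# Default install: LAN gets an "allow all" rule, every other interface has no rules.
DEFAULT_RULES = [Rule("LAN", "pass", "any")]

# Bart's rule added for the OPT interface: anything except the LAN network.
OPT_RULES = DEFAULT_RULES + [Rule("OPT", "pass", "!LAN net")]


def scenarios() -> dict:
    """Outcomes a home user would want to check for both rule sets."""
    internet_dns = "9.9.9.9"       # a public resolver handed out by OPT DHCP (constructed)
    office_pc = "192.168.1.10"     # a host on LAN net (constructed)
    fw_lan_addr = "192.168.1.1"    # the firewall's LAN-side address (constructed)
    fw_opt_addr = "192.168.10.17"  # the firewall's OPT-side address (constructed)
    return {
        "lan_to_internet": evaluate(DEFAULT_RULES, "LAN", internet_dns),
        "opt_to_internet_no_rule": evaluate(DEFAULT_RULES, "OPT", internet_dns),
        "opt_to_internet": evaluate(OPT_RULES, "OPT", internet_dns),
        "opt_to_office_pc": evaluate(OPT_RULES, "OPT", office_pc),
        # If OPT DHCP handed out the firewall's LAN address as DNS, the
        # "!LAN net" rule would block it, hence the advice to issue an internet DNS.
        "opt_to_fw_lan_dns": evaluate(OPT_RULES, "OPT", fw_lan_addr),
        # The firewall's own OPT-side address is not in LAN net, so it passes in this model.
        "opt_to_fw_opt_addr": evaluate(OPT_RULES, "OPT", fw_opt_addr),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26} {verdict}")
```

Running it shows the thread's story in one table: LAN reaches the internet with no configuration, the OPT interface reaches nothing until a rule exists, and with the "!LAN Net" rule it reaches the internet but not the office machines. Copying the LAN rule onto em2 instead would give the TV switch full access to the office network, which is the unforeseen issue the original poster's gut warned about.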
Perfect! Thanks Bart ;D