OPNsense Forum

English Forums => General Discussion => Topic started by: xtacie on April 26, 2022, 08:50:54 PM

Title: New to Opnsense, trouble with firewall rules
Post by: xtacie on April 26, 2022, 08:50:54 PM
I would greatly appreciate help, and thank you in advance. I have a small network and for the most part everything is working fine, but there is one issue I keep having. I didn't want to set up VLANs and am trying something I thought was easy...

igb0 - LAN (24 port managed switch)
igb1 - WAN
igb2 - WLAN - Engenius ECB600 Access Point (Strictly for IoT devices)

I have tried to create rules on the LAN side to block inbound all from WLAN net and also on WLAN to block all outbound any to LAN net, but I'm still able to ping a computer on LAN from WLAN and vice versa. What am I doing wrong here?? I have the default rules installed and also tried moving the block policy to the top of the chain with no luck.

UPDATE: I have tried using floating rules to block any in on LAN from WLAN and no luck. Tried the quick option and without.
Title: Re: New to Opnsense, trouble with firewall rules
Post by: EdwinKM on April 26, 2022, 09:45:40 PM
Start where the traffic is entering your firewall.
So, on the page for igb2 (WLAN) you create the rule to block access to LAN. This guy explains it: https://www.youtube.com/watch?v=kYFNa_zpeII
Title: Re: New to Opnsense, trouble with firewall rules
Post by: xtacie on April 26, 2022, 10:35:18 PM
Thank you for the video, I just watched it and followed his steps and STILL cannot manage to block traffic from WLAN to LAN. Is there maybe an option somewhere I hit that could affect the rules? I have tried every combination I could think of that made sense and am still able to ping LAN from WLAN. I have had a WatchGuard XTM for years at home and had no problems setting that mess up, and a SonicWall at the office with no issues lol. I'm debating defaulting everything and starting all over again.
Title: Re: New to Opnsense, trouble with firewall rules
Post by: EdwinKM on April 26, 2022, 10:47:09 PM
Can you create a screenshot of the WLAN firewall rules? Note that ping (ICMP) is a separate protocol, so it depends on what you actually want.



Title: Re: New to Opnsense, trouble with firewall rules
Post by: xtacie on April 26, 2022, 10:54:12 PM
(https://i.ibb.co/w0rkqvN/snip1.jpg) (https://ibb.co/znHMgkh)


These are the LAN rules.. shouldn't I be able to block it here??? I just noticed that in the WLAN rules I had source/destination swapped; I corrected it and NOW it's blocking ping/anything from WLAN :)

Why can't I block it from the LAN rules, but I can stop it from the WLAN rules?
Title: Re: New to Opnsense, trouble with firewall rules
Post by: EdwinKM on April 26, 2022, 10:59:42 PM
Block it at the interface entering the firewall. So, if WLAN should not talk to LAN, you should add the block/reject rule to "WLAN" (with the destination of LAN net).

In other words, items in the "source" column should usually be "*" or the "<interface> net". Remove the second line (or modify the content and change the "interface". OPNsense will move it for you).
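
The rule placement discussed in this thread, as an added example that is not part of the original posts: a small Python model of per-interface, first-match evaluation of inbound rules, run against the three placements tried above. The subnets, host addresses and the allow-all rule on each tab are assumptions constructed for illustration; the thread names only the interfaces.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing; the thread names the interfaces but not the subnets.
NETS = {"LAN": ip_network("192.168.1.0/24"), "WLAN": ip_network("192.168.2.0/24")}

def ingress_interface(src):
    """Interface a packet arrives on, decided by the subnet its source sits in."""
    for name, net in NETS.items():
        if ip_address(src) in net:
            return name
    return "WAN"

def matches(spec, addr):
    """True if addr falls under a rule field: '*' or '<interface> net'."""
    return spec == "*" or ip_address(addr) in NETS[spec]

def evaluate(rules, src, dst):
    """Return (action, tab) for a NEW connection; first matching rule wins.

    Only the tab of the ingress interface is consulted, which models interface
    rules being applied to traffic as it enters the firewall. Replies to an
    allowed connection ride on its state and are not re-evaluated here.
    """
    tab = ingress_interface(src)
    for action, rule_src, rule_dst in rules.get(tab, []):
        if matches(rule_src, src) and matches(rule_dst, dst):
            return action, tab
    return "block", tab  # nothing matched: default deny

ALLOW_ALL = ("pass", "*", "*")  # assumed allow rule present on both tabs

# 1. Block on the LAN tab with source "WLAN net": WLAN traffic never enters on LAN.
on_lan_tab = {"LAN": [("block", "WLAN", "*"), ALLOW_ALL], "WLAN": [ALLOW_ALL]}
# 2. Block on the WLAN tab, but with source and destination swapped.
swapped = {"LAN": [ALLOW_ALL], "WLAN": [("block", "LAN", "WLAN"), ALLOW_ALL]}
# 3. Block on the WLAN tab, source "WLAN net", destination "LAN net".
correct = {"LAN": [ALLOW_ALL], "WLAN": [("block", "WLAN", "LAN"), ALLOW_ALL]}

IOT, PC = "192.168.2.50", "192.168.1.10"  # constructed hosts

if __name__ == "__main__":
    cases = (("on LAN tab", on_lan_tab), ("swapped", swapped), ("correct", correct))
    for label, rules in cases:
        print(f"{label:11} WLAN->LAN {evaluate(rules, IOT, PC)}  "
              f"LAN->WLAN {evaluate(rules, PC, IOT)}")
```

In the third rule set, connections started from LAN toward WLAN are still passed by the LAN tab; only connections started from WLAN are blocked.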
Title: Re: New to Opnsense, trouble with firewall rules
Post by: xtacie on April 27, 2022, 12:09:00 AM
I'm used to a single firewall on an appliance and this is like a firewall at each interface. Took some beating it into my skull but I got it now.

Hey, just wanted to say THANK YOU for all your help.

Now on to setting up OpenVPN.. lol :)
Title: Re: New to Opnsense, trouble with firewall rules
Post by: EdwinKM on April 27, 2022, 12:05:00 PM
Thanks for your feedback!