OK, this is a double question. Technically it's about firewall rules, but it involves VLANs, so if this is in the wrong area I will wait to get yelled at by the mods.
(A picture of the network setup is here: https://ibb.co/c3nNx2P)
My network has about 11 VLANs.
Only about 6 are being used; the rest are placeholders that currently have NO IP/DHCP and are turned off, but even WITHOUT them this issue happens.
All networks run DHCP on their own.
The setup is as follows: bxe4 = WAN (fiber)
bxe5 = LAN (main LAN, the only "out" of the firewall; fiber cord)
VLANs 2, 3, 4, 5 (all Wi-Fi) from a UniFi access point
VLANs 6, 7, 8, 9 are all placeholders for the time being
VLAN 10: server
VLAN 11: SFP switch (test area), not being used but set up
A little drawing of the network is uploaded here. I KNOW some of the IPs may upset people; I do not care, it does not matter what they are.
LAN firewall rule 1: any > any (this gets internet on the LAN and can touch all VLANs)
OR rule 1: LAN > any (this also gets internet and reaches all VLANs, so no separation)
M's network (my mother's setup):
any > any = all networks + internet
mom's net > any = all networks + internet
any other setting = everything broken
HOWEVER, if I set up (server > mom's net or mom's net > server) (I forget which at this point), it will allow the server to be touched on its VLAN, but no other VLANs or the internet can be used.
This does not make much sense to me, since the internet won't work either, but whatever. What the heck am I doing wrong?
I'm following directions I found here:
Cheat sheet
https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules
The idea is as follows:
VLAN 2: isolated guest network, internet only, with added rules such as no TikTok or porn
VLAN 3: isolated, internet only, allows incoming/outgoing as she needs it for her GOV job (they check her PC randomly / spy on it)
VLAN 4: main home Wi-Fi / LANs; should have internet, be isolated, but be allowed to touch the server on IP x.x.x.x ports 8096 / 8042 (Jellyfin addresses)
VLAN 5: no internet AT ALL, but allowed to be touched from the main server for recording of security cams
VLAN 10: should be reachable from most VLANs, but only on 1 IP / 2 ports for Jellyfin HTTP/HTTPS (internal + external)
This is the overall goal.
I have NO floating rules at all, no aliases, nothing. I'm new to pf/OPNsense; I like OPNsense better but am willing to change if need be. I'm sort of lost, as the rules LOOK correct but don't work as intended, so now I'm stuck, not knowing why.
Everything else (aside from VLANs) is "stock" on this firewall. Currently I have tried 8-11 installs (mostly because the update to 22.7.4 breaks it totally at the moment).
Please give me some help or point me to a video (if possible include pictures of a proper setup, as that works better than words for me so I can compare).
I should also note: if at ANY time the LAN rule is changed from any > any OR LAN > any, all internet and VLAN traffic stops working everywhere, no matter what other rules exist.
(There is only 1 gateway, I think), the standard one. No other special rules, only DHCP over VLAN.
I have Discord if you prefer that to here.
I do not check email much, but will check the reply daily for 2 weeks or so, and hope somebody will help.
Pictures found here of the LAN setup, mom setup, overall rules:
https://ibb.co/PY6pZzQ
https://ibb.co/PY6pZzQ assignments
https://ibb.co/kQMMs0J LAN DHCP setup
https://ibb.co/x2TqJy8 LAN DHCP setup pt 2
https://ibb.co/s20kVgh LAN interface setup p1
https://ibb.co/ZhdwkTQ mom firewall rule 1
https://ibb.co/R0FB5fs LAN firewall rule 1
Maybe start with a simpler network then...
OK, so you have a lot going on here and a bit too much information ;)
I would stick with a simple structure: you have 2 physical interfaces, WAN/LAN, and a few VLANs. Their function we don't really care about for the sake of troubleshooting.
One thing I saw was that you had a rule LAN -> Anywhere, and when you changed it to LAN -> InsertVLANnameHere, you lost access to the internet.
This is exactly what should happen, as you removed the LAN's ability to leave the firewall. You essentially stated that the LAN network can only communicate with the other VLAN network and NOTHING else.
You'd have to add another rule below that with LAN -> Anywhere/Firewall to get back out.
If you need video pointers, you can search YouTube for both pfSense and OPNsense firewall rules; they would be applicable here. They operate almost identically (forced default rules are different, but not applicable here).
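Added example, not from either poster: a small first-match rule evaluator in Python that models how OPNsense walks an interface's rule list top to bottom (rules have "Quick" enabled by default, so the first match wins, and anything unmatched is dropped by the implicit default deny). The subnets, the Jellyfin host address and the rule labels are assumed for illustration; the thread does not give the real addressing. It encodes two LAN rule sets: the single LAN -> VLAN10 rule the reply describes, which loses internet, and the common ordering that gives "isolated but may reach Jellyfin": pass the specific inter-VLAN flow, block the remaining RFC 1918 ranges, then pass LAN -> any.

```python
"""First-match ("quick") rule evaluation, the way an OPNsense interface rule list works.

Constructed example: the subnets and the Jellyfin address below are assumed,
not taken from the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
# Assumed addressing (the thread does not give the real subnets).
LAN_NET = "192.168.1.0/24"
GUEST_NET = "192.168.2.0/24"      # VLAN 2 (guest)
SERVER_NET = "192.168.10.0/24"    # VLAN 10 (server)
JELLYFIN = "192.168.10.20/32"     # assumed Jellyfin host on VLAN 10
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: list[str]                   # source networks (CIDR)
    dst: list[str]                   # destination networks (CIDR)
    dports: set[int] | None = None   # None = any destination port
    note: str = ""


def _in_any(ip: str, nets: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    return (_in_any(src_ip, rule.src)
            and _in_any(dst_ip, rule.dst)
            and (rule.dports is None or dport in rule.dports))


def evaluate(rules: list[Rule], src_ip: str, dst_ip: str, dport: int) -> tuple[str, str]:
    """Walk the list top to bottom; the first matching rule decides.

    As on OPNsense, traffic that matches no rule on the interface is
    dropped by the implicit default deny.
    """
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action, rule.note
    return "block", "implicit default deny"


# Rule set 1: what the reply describes. Only a LAN -> VLAN10 pass rule,
# so the LAN can no longer leave the firewall at all.
LAN_ONLY_TO_SERVER = [
    Rule("pass", [LAN_NET], [SERVER_NET], None, "LAN -> VLAN10"),
]

# Rule set 2: the usual ordering for "isolated, but may reach Jellyfin".
# Specific allow first, then block the other private ranges, then allow out.
LAN_ISOLATED = [
    Rule("pass", [LAN_NET], [JELLYFIN], {8096, 8042}, "LAN -> Jellyfin ports"),
    Rule("block", [LAN_NET], RFC1918, None, "LAN -> other private nets"),
    Rule("pass", [LAN_NET], [ANY], None, "LAN -> anywhere (internet)"),
]


def demo() -> dict[str, str]:
    """Evaluate a few representative flows from one LAN host against both sets."""
    lan_host = "192.168.1.50"
    flows = {
        "set1 internet":   (LAN_ONLY_TO_SERVER, "1.1.1.1", 443),
        "set1 server ssh": (LAN_ONLY_TO_SERVER, "192.168.10.20", 22),
        "set2 internet":   (LAN_ISOLATED, "1.1.1.1", 443),
        "set2 jellyfin":   (LAN_ISOLATED, "192.168.10.20", 8096),
        "set2 server ssh": (LAN_ISOLATED, "192.168.10.20", 22),
        "set2 guest vlan": (LAN_ISOLATED, "192.168.2.10", 80),
    }
    return {name: evaluate(rules, lan_host, dst, port)[0]
            for name, (rules, dst, port) in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Rule set 1 blocks the internet flow because nothing below the LAN -> VLAN10 rule lets the traffic leave; rule set 2 keeps the Jellyfin ports open, drops everything else aimed at private ranges, and only then passes LAN -> any. The same three-rule shape (specific pass, block private ranges, pass any) is what each of the other "isolated" VLANs in the first post would get on its own interface tab.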
Quote from: axsdenied on September 14, 2022, 06:48:43 PM
OK, so you have a lot going on here and a bit too much information ;)
I would stick with a simple structure: you have 2 physical interfaces, WAN/LAN, and a few VLANs. Their function we don't really care about for the sake of troubleshooting.
One thing I saw was that you had a rule LAN -> Anywhere, and when you changed it to LAN -> InsertVLANnameHere, you lost access to the internet.
This is exactly what should happen, as you removed the LAN's ability to leave the firewall. You essentially stated that the LAN network can only communicate with the other VLAN network and NOTHING else.
You'd have to add another rule below that with LAN -> Anywhere/Firewall to get back out.
If you need video pointers, you can search YouTube for both pfSense and OPNsense firewall rules; they would be applicable here. They operate almost identically (forced default rules are different, but not applicable here).
Yeah, if I don't, people say "need more info", so I gave it all I had.
The thing is: LAN > any = net
any > any = net
but other networks need any / any as well, so both LAN and VLAN.
LAN has to stay any > any.
VLAN can be
any > any or (VLAN name > any).
Should I block all local network connections and then try to allow them with "mom > server"?
If I try to block them, even if the block is up top, it still does not work ;/
Quote from: Bob.Dig on September 14, 2022, 04:45:10 PM
Maybe start with a simpler network then...
Why even bother to reply? You sound like one of the people telling me DHCP can't go over VLAN, "who have been in networking for years".
Don't be rude. Clearly I don't understand the rules, but I can't figure out why. No need to just spam or be rude to people just because it's online.