OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: Lowrider614 on March 09, 2023, 01:04:33 PM

Title: <SOLVED> Rules to access internet with multiple VLANs and IPv6
Post by: Lowrider614 on March 09, 2023, 01:04:33 PM
Hello,

I just switched from Sophos UTM to OPNsense, so I am still new to OPNsense.

I would like to understand what the best practice is for creating firewall rules in OPNsense in the following scenario.

One WAN interface
Four VLANs to separate my network
IPv4 and IPv6 enabled and running on all interfaces and (sub)nets

Target:
Allow internet access from the different internal subnets without allowing inter-VLAN traffic.
Have as few firewall rules as possible for that.

In Sophos there is an object called "Internet" that you can use instead of "any", and by changing the standard Any -> any rule, what I want is achieved.

After reading through https://forum.opnsense.org/index.php?topic=28447 I guess it's not that easy in OPNsense.

Hoping for tips, and thanking you in advance,

Tim
Title: Re: Rules to access internet with multiple VLANs and IPv6
Post by: Wirehead on March 09, 2023, 07:36:59 PM
For IPv4 on one of those "private" subnets that should not talk to other "private" subnets, I have a rule with a negated destination (e.g. !rfc1918). It basically says "allow to all, except private IPv4 addresses".

For IPv6 "private" subnets that should not talk to other "private" IPv6 subnets, I have a rule that allows to "*" (= anything), but in the GW field I put my WAN_GWv6.

That seems to do the trick :)
If anyone has a better idea, do chime in :)
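To make the two rules above concrete, here is the rule set written as the pf rules OPNsense generates from such GUI rules. This is an added illustration, not Wirehead's configuration; the interface names (vlan0.10, vlan0.20, vtnet0), the subnets, the IPv6 prefixes and the WAN gateway link-local address are assumptions chosen for the example.

```pf
# Added illustration of the approach described in the post above, as pf rules
# of the kind OPNsense renders into /tmp/rules.debug from its GUI rules.
# Assumed interfaces: vlan0.10 = VLAN10, vlan0.20 = VLAN20, vtnet0 = WAN.
# Assumed prefixes: 192.168.10.0/24, 192.168.20.0/24, 2001:db8:0:10::/64,
# 2001:db8:0:20::/64 (documentation addresses, not a real delegation).

# IPv4: one alias holding every private range, used as a negated destination.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Each VLAN may open connections to anything that is NOT a private address,
# i.e. the internet.  A packet from VLAN10 to 192.168.20.5 matches neither
# rule and falls through to OPNsense's default deny for the interface.
pass in quick on vlan0.10 inet from 192.168.10.0/24 to ! <rfc1918> keep state
pass in quick on vlan0.20 inet from 192.168.20.0/24 to ! <rfc1918> keep state

# IPv6: there is no fixed "private" range to negate, because the VLAN prefixes
# are global addresses from the ISP's delegation.  Instead the rule allows any
# destination but pins the gateway (GUI "Gateway" field -> pf route-to), so a
# packet for the neighbouring VLAN's prefix is handed to the WAN next hop
# instead of being routed between the VLANs locally.
pass in quick on vlan0.10 route-to ( vtnet0 fe80::1 ) inet6 from 2001:db8:0:10::/64 to any keep state
pass in quick on vlan0.20 route-to ( vtnet0 fe80::1 ) inet6 from 2001:db8:0:20::/64 to any keep state
```

Two checks worth doing after applying rules like these. First, the negated IPv4 rule also excludes the firewall's own address on that VLAN (192.168.10.1 in the example), so DNS or NTP served by OPNsense to that VLAN needs its own pass rule placed above it (DHCP is covered by the automatic rules OPNsense adds when the DHCP server is enabled on the interface). Second, the IPv6 rule relies on the WAN next hop not delivering the inter-VLAN packet: it is either dropped upstream or comes back in on WAN as unsolicited inbound traffic, where the WAN default deny drops it, so confirm with a ping from VLAN10 to a VLAN20 host that nothing gets through.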
Title: Re: Rules to access internet with multiple VLANs and IPv6
Post by: Lowrider614 on March 10, 2023, 10:03:09 PM
Thanks, sounds like a good idea. I will give it a try.
One question: Why not make the same approach for IPv4? Shouldn't it work the same way?
I just like to keep things simple, so having the same scheme for IPv4 and IPv6 will allow my stupid brain to realize quickly in a couple of months why I did it this way.
Title: Re: Rules to access internet with multiple VLANs and IPv6
Post by: Lowrider614 on March 29, 2023, 09:25:24 PM
This solution works.
Thanks!
Title: Re: <SOLVED> Rules to access internet with multiple VLANs and IPv6
Post by: shudut on October 25, 2023, 07:31:58 PM
Hi,
Could you also tell me the Firewall Rule for VLANs to access Internet?
Currently my host machines get a VLAN 10 IP address (192.168.10.x) through DHCP (using VLAN tagging on a TP-Link switch), but these machines are not able to access the Internet.
My VLAN interface is built on the LAN parent, which leads to a question: should I change it to WAN?

Any leads would be highly appreciated.
Title: Re: <SOLVED> Rules to access internet with multiple VLANs and IPv6
Post by: Patrick M. Hausen on October 25, 2023, 07:40:20 PM
I proposed an alternative approach for IPv6 here:

https://forum.opnsense.org/index.php?topic=28447.msg138309#msg138309

HTH,
Patrick