I am new to OPNsense and am trying unsuccessfully to do something I think should be very easy.
At my location, we have 20 separate VLANs. I would like to allow ALL VLANs full access to the WAN (Internet) but only allow IntraVLAN communication between two of the VLANs and the rest.
I know I could go to each VLAN and create individual firewall rules to Block and Allow communications between every single possibility. But since there are so many VLANs I would like to group things and just allow what is needed.
Basically, this is what I need:
- Allow traffic from VLAN 1 to ALL other VLANs + Internet (I can do this with a rule to allow VLAN 1 to ALL)
- Allow traffic from VLAN 2 to ALL other VLANs + Internet (I can do this with a rule to allow VLAN 2 to ALL)
- Allow only Internet traffic from all other VLANs - This is the question: How do I allow this without at the same time allowing communication to the other VLANs?
I don't want to have to create a block rule from each VLAN to every other VLAN (there are just too many)
I have tried multiple options to group the VLANs in different ways and create Block Rules and Allow rules, but unless I do this to EACH and EVERY VLAN individually, I am not getting the correct results.
There are a few ways to do this. Most important thing to remember: Everything that's not explicitly allowed is blocked by default (that's for inbound, with a few exceptions).
Create two groups:
"AllVLANs" (add all of them) and "InternetOnlyVLANs" (add the 18 restricted ones).
On the InternetOnlyVLANs group, create a rule: allow 'InternetOnlyVLANs net' to !'AllVLANs net'
You can do this by enabling 'Destination / Invert' and setting the destination to 'AllVLANs net'.
If you need to access OPNsense itself from the Internet-only VLANs (e.g. for DNS), you need to add an additional rule to allow this.
Cheers
Maurice
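The rule set Maurice describes, modelled as an added example (not from the original thread and not OPNsense's own code) in Python. It reproduces the parts of OPNsense's inbound rule evaluation that matter here: rules are attached to the interface (or interface group) a packet arrives on, the first matching rule wins, and anything not matched is dropped by the implicit default deny. That is enough to show why one rule with 'Destination / Invert' on the "AllVLANs net" alias lets the restricted VLANs reach the Internet but not each other, and why reaching the firewall's own interface address (e.g. for DNS) still needs the extra rule from the answer. The addressing (VLAN n = 10.n.0.0/24 with OPNsense at 10.n.0.1), the interface names and the Rule class are assumptions made for this example.

```python
"""Model of OPNsense per-interface, first-match, default-deny rule evaluation.

Example code written to illustrate the forum answer; addressing, names and
the Rule class are assumptions, not OPNsense data structures.
"""
from dataclasses import dataclass
import ipaddress

# Constructed addressing: VLAN n uses 10.n.0.0/24, OPNsense's own address on it is 10.n.0.1
VLANS = {f"vlan{n}": ipaddress.ip_network(f"10.{n}.0.0/24") for n in range(1, 21)}
FIREWALL_ADDR = {name: net.network_address + 1 for name, net in VLANS.items()}

# Interface groups as in the answer: all 20 VLANs, and the 18 restricted ones
GROUPS = {
    "AllVLANs": list(VLANS),
    "InternetOnlyVLANs": [v for v in VLANS if v not in ("vlan1", "vlan2")],
}


def group_nets(group):
    """'<group> net' in the GUI: the union of the member interfaces' subnets."""
    return [VLANS[i] for i in GROUPS[group]]


@dataclass
class Rule:
    interfaces: list      # interfaces the rule is attached to (a group expands to its members)
    action: str           # "pass" or "block"
    src_nets: list        # [] means "any"
    dst_nets: list        # [] means "any"
    dst_invert: bool = False   # the 'Destination / Invert' checkbox
    dst_port: int = None       # None means "any"
    description: str = ""


def in_nets(addr, nets):
    return not nets or any(addr in n for n in nets)


def ingress_interface(src):
    """Interface the packet enters on; WAN ingress is not modelled here."""
    for name, net in VLANS.items():
        if src in net:
            return name
    return None


def evaluate(rules, src, dst, dport=None):
    """Return the action for a packet entering the firewall; default deny if no rule matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_interface(src)
    for r in rules:                       # first match wins ("quick" rules)
        if iface not in r.interfaces:
            continue
        if not in_nets(src, r.src_nets):
            continue
        dst_match = in_nets(dst, r.dst_nets)
        if r.dst_invert:                  # match anything NOT in the destination alias
            dst_match = not dst_match
        if not dst_match:
            continue
        if r.dst_port is not None and dport != r.dst_port:
            continue
        return r.action
    return "block"                        # implicit default deny for inbound traffic


# The three rules from the answer
RULES = [
    Rule(["vlan1"], "pass", [VLANS["vlan1"]], [], description="VLAN 1 to any"),
    Rule(["vlan2"], "pass", [VLANS["vlan2"]], [], description="VLAN 2 to any"),
    Rule(GROUPS["InternetOnlyVLANs"], "pass",
         group_nets("InternetOnlyVLANs"), group_nets("AllVLANs"), dst_invert=True,
         description="InternetOnlyVLANs net to !AllVLANs net"),
]

# The additional rule the answer mentions: restricted VLANs may reach OPNsense's
# own address on their interface for DNS (destination modelled as those addresses)
DNS_TO_FIREWALL = Rule(
    GROUPS["InternetOnlyVLANs"], "pass", group_nets("InternetOnlyVLANs"),
    [ipaddress.ip_network(f"{FIREWALL_ADDR[i]}/32") for i in GROUPS["InternetOnlyVLANs"]],
    dst_port=53, description="InternetOnlyVLANs net to firewall address, DNS")


if __name__ == "__main__":
    checks = [
        ("VLAN1 -> VLAN7", RULES, "10.1.0.5", "10.7.0.9", None),
        ("VLAN3 -> Internet", RULES, "10.3.0.5", "203.0.113.10", None),
        ("VLAN3 -> VLAN7", RULES, "10.3.0.5", "10.7.0.9", None),
        ("VLAN3 -> own gateway DNS, no extra rule", RULES, "10.3.0.5", "10.3.0.1", 53),
        ("VLAN3 -> own gateway DNS, extra rule", RULES + [DNS_TO_FIREWALL], "10.3.0.5", "10.3.0.1", 53),
    ]
    for label, rules, s, d, p in checks:
        print(f"{label}: {evaluate(rules, s, d, p)}")
```

The third rule never matches a destination inside any VLAN subnet, so inter-VLAN traffic from the 18 restricted VLANs falls through to the default deny without a single explicit block rule. The same property is what blocks DNS to the firewall's interface address, which sits inside "AllVLANs net", hence the separate allow rule.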
Maurice,
I knew this could not be that difficult, but I did not understand what "invert the sense of the match" meant until you brought it up.
Thank you so much.