OPNsense Forum

English Forums => 23.7 Legacy Series => Topic started by: tdalej on January 17, 2024, 11:39:29 pm

Title: [SOLVED] Firewall rule to isolate subnets from one another
Post by: tdalej on January 17, 2024, 11:39:29 pm
This is getting to be a steep learning curve :)

For the most part so far (with some real weirdness), the WAN and LAN traffic seem to be working as expected.
DHCP active on LAN (I'm typing this from a desktop connected to LAN right now on a DHCP lease).

I need to set up several other "LAN" interfaces for various purposes -- some of them need to be isolated from everything but the internet and one is just for traffic to another building.

So, I have configured so far:
WAN
LAN
(Both working pretty much as expected)

WLAN        192.168.15.0/24
Work        192.168.50.0/24
10GLAN      192.168.40.0/24
Outbuilding 192.168.30.0/24

For most of this, /24 is overkill but it keeps it simple(ish).

I can match the physical interface in the UI by observing the display in the console --

WLAN        (igb3)  192.168.15.1/24
Work        (igb3)  192.168.50.1/24
10GLAN      (ix1)   192.168.40.1/24
Outbuilding (ix0)   192.168.30.1/24

The interface names and MAC address on the console agree with the interface names in the UI.

I have enabled DHCP on Work and WLAN -- plugging in a laptop on the Work segment gets a DHCP assignment from the WLAN range.
I swap the interface to the WLAN interface and I get an address in the Work range...


How exactly are DHCP services tied to an interface?
I'm not sure what I'm doing wrong here ...
LAN is a 192.168.0.0/24

I need to create a subnet for Windows laptops.
Win 192.168.50.0/24
DHCP enabled for about 10 IPs in this range.
Access to the internet, but no access to any other systems behind the OPNsense box.
I don't care if it uses external DNS -- I need these laptops completely isolated from the internal network as a priority.

Instead of a LAN to Any rule, would the proper way to do this be Windows to This Firewall rule?
I created another subnet by adding an interface with a different 192.168.0.0/24.
Enabled DHCP, booted a laptop connected to that interface ...
I can see that it gets an IP on the
Title: Re: Firewall rule to isolate subnets from one another
Post by: cookiemonster on January 17, 2024, 11:55:45 pm
When you enable the DHCP service on an interface, it works out the range available from the interface settings, i.e. a /24 will show you an available range from 1 to 254. From that you carve the DHCP pool range.

Getting an ip from a range on an interface can only happen if the client's traffic is hitting that interface. Check maybe you have a switch port misconfigured or another dhcp server in the network.

Networks on interfaces are isolated by default, except the first LAN, which has access to all (default allow), but you can alter that rule or remove it and create your own.
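As an added illustration of the two points in the reply above (the DHCP pool is carved from the interface's own network, and a new interface gets nothing but what its own rules allow), here is a small Python model of how OPNsense evaluates interface rules: top-down, first match wins, implicit deny at the end. It is not code from the thread or from OPNsense; the addresses, the "PrivateNets" alias contents and the rule set for the isolated "Win" segment are constructed for the example, and "This Firewall" is modelled as just the interface's own address (on a real box that macro covers every address the firewall holds). The rule set is the usual isolation pattern: pass to the firewall for DNS/DHCP, block everything RFC 1918, then pass to any.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed example data: the isolated "Win" segment from the post,
# with the firewall's interface address at .1 (not taken from a real config).
WIN_IF = ipaddress.ip_interface("192.168.50.1/24")
WIN_NET = WIN_IF.network

# Assumed contents of a "PrivateNets" alias (the three RFC 1918 blocks).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dhcp_usable_range(iface: ipaddress.IPv4Interface):
    """Range the DHCP page derives from the interface: first..last host.
    For a /24 that is .1 to .254 (network and broadcast are excluded)."""
    hosts = list(iface.network.hosts())
    return str(hosts[0]), str(hosts[-1])


def validate_pool(iface: ipaddress.IPv4Interface, first: str, last: str):
    """A pool must sit inside the interface network and must not include
    the interface (gateway) address itself."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = iface.network
    if lo not in net or hi not in net:
        return False, "pool outside interface network"
    if lo > hi:
        return False, "pool start is after pool end"
    if lo <= iface.ip <= hi:
        return False, "pool overlaps the interface (gateway) address"
    return True, f"{int(hi) - int(lo) + 1} leases"


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    src: IPv4Net                         # source network
    dst: Optional[Iterable[IPv4Net]]     # None means "any"
    dports: Optional[set]                # None means any destination port


def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """OPNsense/pf-style interface rule evaluation: rules are tried in
    order, the first match decides, and nothing matching means block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s not in r.src:
            continue
        if r.dst is not None and not any(d in n for n in r.dst):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "block"  # implicit default deny


# Rule set for the isolated segment, in the order it must appear in the UI.
# "This Firewall" is modelled as the interface address only (assumption).
ISOLATED = [
    Rule("pass",  WIN_NET, [ipaddress.ip_network(f"{WIN_IF.ip}/32")], {53, 67}),
    Rule("block", WIN_NET, PRIVATE_NETS, None),
    Rule("pass",  WIN_NET, None, None),
]

# Same three rules with "pass to any" on top: the block never gets a chance.
WRONG_ORDER = [ISOLATED[2], ISOLATED[0], ISOLATED[1]]


if __name__ == "__main__":
    print("DHCP usable range:", dhcp_usable_range(WIN_IF))
    print("pool .100-.109:", validate_pool(WIN_IF, "192.168.50.100", "192.168.50.109"))
    for dst, port in (("192.168.0.10", 445), ("192.168.40.5", 22),
                      ("192.168.50.1", 53), ("8.8.8.8", 443)):
        print(f"192.168.50.20 -> {dst}:{port}: "
              f"isolated={evaluate(ISOLATED, '192.168.50.20', dst, port)} "
              f"wrong_order={evaluate(WRONG_ORDER, '192.168.50.20', dst, port)}")
```

The `WRONG_ORDER` case is the mistake to watch for: a "Win net to any" pass rule placed above the RFC 1918 block lets the laptops reach every other segment, because the first matching rule wins. Traffic that arrives on the Win interface from a source outside its own network (for example a WLAN client, as happened in this thread with the swapped cables) matches nothing and is dropped by the default deny.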
Title: Re: Firewall rule to isolate subnets from one another
Post by: tdalej on January 18, 2024, 12:00:48 am
Thank you -- I retraced the two igbN interfaces.
Opposite ends of a quad port NIC.

PEBKAC.

Happens a lot to me these days :/