So, fairly new to OPNsense, but I think I've figured out most of it. But I have some questions regarding default FW rules and limiting access to VLANs.
The goal is to deny all inter-VLAN traffic, as it currently is by default, and initially open up for each VLAN in a controlled manner. By default I want to allow web browsing only to the internet, not intra-vlan.
I tried to apply the default allow rule for lan,
which is
Interface: lan
Direction: in
tcp: IPv4
Protocol: tcp
Source: lan
Destination: any
Destination port: web_browsing (changed this from any to my defined alias group).
So far this makes perfect sense, but the problem is related to the destination. Since there is no defined "endpoint" for the internet as a whole, only the "any" destination, by using this HTTP traffic is allowed to each VLAN as well. This is not something that should be widely allowed.
So my question is (or feedback) for what I plan to do, for this seems to solve my challenge:
I create an alias group containing all my VLANs (vlan1, vlan2, vlan3, vlan4, vlan5); this is called local_networks. I've also created an alias for http and https called web_browsing. All my VLANs are assigned to the lan interface and the lan interface has no IPs assigned; it only serves the VLANs I've defined.
Then I create a new default rule which will be the last "allow" rule to evaluate before my default drop rule. The rule would look like this (If I would put it on my vlan1):
Interface: vlan1
Direction: in
tcp: IPv4
Source: vlan1 net
Destination/invert: yes
Destination: local_networks
Destination port range: web_browsing
As far as I understand this will achieve my goal to still limit traffic between the VLANs: all web traffic is only allowed to the internet, and it will not be possible to browse websites on the internal LANs. If I need that I should create dedicated rules, explicitly allowing access to web traffic on the VLANs, and place those rules above this default rule.
Any feedback would be greatly appreciated, either confirmation that this makes sense or if there are better ways to achieve my end goal.
/Mming
Hi,
you hit the right spot. There is even a more general solution to this for IPv4 based networks:
Simply define an alias like RFC_1918 and throw in all private network IP ranges as specified
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Then define a rule for each local IF to pass traffic on ports 80,443 (use a port alias for this!) that is not directed towards RFC1918. That'll safely block everything other than HTTP(S) towards the internet. However, the OPNsense web GUI is only accessible from LAN in that scenario (due to an automatic anti-lockout rule). For others you need to define exceptions as you did. The order of rules is quite important.
BTW: In order to not define that rule on every IF you may want to have a look at interface groups. I do have one called local interfaces where I put this general stuff in. However, those are executed before the more specific ones per interface. That may cause trouble when not dealing properly with first/last match options in the rule.
Hi, and thanks for the confirmation and suggestion about the RFC 1918 groups. Tried that and it worked really well.
Do you recommend having the general rule as a floating rule, or defined in the "grouping" for each interface? It was my understanding that floating rules would be checked first and if any traffic matches that, further processing would stop. But what I see is that if I have the default allow rule for http(s) for !rfc_1918, inter-VLAN traffic would be stopped, as intended, since this is a match. But if I add an additional rule for vlan1 with ANY as the destination I will be able to access both external sites AND the internal http(s) sites.
Shouldn't the floating rule take precedence and stop traffic intended for the internal VLANs even though I have an allow any/any directly on the VLAN?
What am I missing here?
/Mming
Hi,
in general you can use floating, interface groups or per-interface rules. The order of the rules is described in OPNsense doc and the web gui also shows it in the correct order. You can unfold all rules being applied to one interface.
I personally don't use floating rules for anything else than general blocks (spamhaus DROP, DROPv6) because I never want this to happen. In any other case, I utilize interface groups that I set up to form security zones. Hence, I would add that specific !RFC_1918 rule to one or more matching zones.
My interface rules are usually empty or very limited as the membership to zones / groups define what's going on.
So my recommendation is to keep it consistent. In larger setups you don't wanna jump around all the time and always catch an edge case to work around.
Regarding your question: You should check the first match option in the !RFC_1918 rule. If this is not set, the rule is evaluated but evaluation continues and waits for another rule to match. If that's the case, the latter one wins. See also https://docs.opnsense.org/manual/firewall.html#processing-order
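To make the processing-order point concrete, here is an added Python model of how pf (the packet filter behind OPNsense) decides on a packet: rules are walked in order, the last matching rule decides, and a matching rule with "quick" (first match) set ends evaluation immediately. It is not code from the thread or from OPNsense; the rule shapes are taken from the posts above (the inverted-destination rule from the first post and the floating !RFC_1918 rule from the reply), while the VLAN subnets, rule names and the TEST-NET-3 address used as a stand-in for an internet host are constructed for the example. It assumes, as OPNsense does by default, that interface rules have quick set and floating rules do not.

```python
import ipaddress
from dataclasses import dataclass

# Constructed alias tables named after the ones used in the thread.
# The RFC 1918 ranges are the real ones; the VLAN subnets are assumptions.
NET_ALIASES = {
    "any": ["0.0.0.0/0"],
    "RFC_1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "vlan1_net": ["192.168.10.0/24"],
    "local_networks": ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"],
}
PORT_ALIASES = {"any": None, "web_browsing": {80, 443}}


@dataclass
class Rule:
    name: str
    action: str                 # "pass" or "block"
    interface: str              # "floating" or an interface name such as "vlan1"
    src: str = "any"
    dst: str = "any"
    dst_invert: bool = False    # the "Destination / invert" checkbox
    dport: str = "any"
    quick: bool = False         # "first match" in the OPNsense rule form


@dataclass
class Packet:
    interface: str
    src: str
    dst: str
    dport: int


def in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in NET_ALIASES[alias])


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.interface not in ("floating", pkt.interface):
        return False
    if not in_alias(pkt.src, rule.src):
        return False
    # With invert set, the rule matches only when dst is NOT in the alias.
    if in_alias(pkt.dst, rule.dst) == rule.dst_invert:
        return False
    ports = PORT_ALIASES[rule.dport]
    return ports is None or pkt.dport in ports


def evaluate(rules, pkt: Packet, default: str = "block"):
    """Return (decision, name of the rule that decided). pf semantics: the
    last matching rule wins unless a matching rule has quick set."""
    decision, winner = default, "default"
    for r in rules:
        if matches(r, pkt):
            decision, winner = r.action, r.name
            if r.quick:
                break
    return decision, winner


# Rule from the first post: web browsing from vlan1 to anything outside local_networks.
VLAN1_WEB_NOT_LOCAL = Rule("vlan1_web_!local_networks", "pass", "vlan1", src="vlan1_net",
                           dst="local_networks", dst_invert=True,
                           dport="web_browsing", quick=True)
# Floating rule from the reply: web browsing to anything that is not RFC 1918 (no quick).
FLOAT_WEB_NOT_RFC1918 = Rule("floating_web_!RFC_1918", "pass", "floating",
                             dst="RFC_1918", dst_invert=True, dport="web_browsing")
# Interface rule added later in the thread: allow anything from vlan1.
VLAN1_ANY = Rule("vlan1_allow_any", "pass", "vlan1", src="vlan1_net", quick=True)
# An explicit first-match block of local destinations, placed before the allow rule.
FLOAT_BLOCK_LOCAL = Rule("floating_block_local", "block", "floating",
                         dst="local_networks", quick=True)

# Constructed sample packets (203.0.113.10 is a TEST-NET-3 address standing in for an internet host).
TO_INTERNET = Packet("vlan1", "192.168.10.5", "203.0.113.10", 443)
TO_VLAN2 = Packet("vlan1", "192.168.10.5", "192.168.20.7", 80)

if __name__ == "__main__":
    for label, ruleset in [
        ("first post rule only", [VLAN1_WEB_NOT_LOCAL]),
        ("floating !RFC_1918 only", [FLOAT_WEB_NOT_RFC1918]),
        ("floating !RFC_1918 + vlan1 allow any", [FLOAT_WEB_NOT_RFC1918, VLAN1_ANY]),
        ("quick block local first", [FLOAT_BLOCK_LOCAL, FLOAT_WEB_NOT_RFC1918, VLAN1_ANY]),
    ]:
        print(label, "->", evaluate(ruleset, TO_INTERNET), evaluate(ruleset, TO_VLAN2))
```

Running the model reproduces what was observed: the floating pass rule with an inverted destination simply does not match intra-VLAN packets, so on its own it leaves them to the default block, but it cannot stop a later allow-any interface rule from matching and passing them. Traffic to another VLAN is only stopped by a rule that actually matches it with a block action and first match set, placed ahead of the broad allow.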