OPNsense Forum

English Forums => General Discussion => Topic started by: Spiky_Gladiator on August 17, 2024, 08:27:42 PM

Title: How can I block access to all VLANs with 1 or 2 firewall rules ?
Post by: Spiky_Gladiator on August 17, 2024, 08:27:42 PM
Hi,

I have quite a lot of VLANs in my setup and I am starting to have difficulty managing the firewall rules needed to block each VLAN individually, one by one, using the block option. To make things easier to manage, I created a Network Group alias and selected all of my VLANs in it, then used that alias in the block rule to block access to all the VLANs. That seems to work great, with the exception that I can't exclude the current VLAN that the rule runs on. What ended up happening was that I couldn't get an IP from DHCP, as the rule was blocking the currently used VLAN. I tried using inverted rules, but as far as I know they don't exclude any VLANs from the alias list.

Is there any way to block access to all of the VLANs I created, with the exclusion of the currently used one that the rule resides in, using 1 or at most 2 firewall rules?

Thanks
Title: Re: How can I block access to all VLANs with 1 or 2 firewall rules ?
Post by: Patrick M. Hausen on August 17, 2024, 09:47:11 PM
I have a network group named "Restricted" for all VLANs that are, well, restricted, in the sense that they are allowed to access the Internet but not each other.

I attached a screenshot of the "Restricted" rule set. Net4_Local and Net6_Local contain all the locally attached VLANs, probably very similar to your setup.

I am a bit lazy in the sense that, while I pride myself on running dual stack @home and @work, I only provide DNS, NTP and SMTP over IPv4. Hence the structure of the rules you see in the attachment.

HTH,
Patrick
Title: Re: How can I block access to all VLANs with 1 or 2 firewall rules ?
Post by: Spiky_Gladiator on August 18, 2024, 12:35:23 PM
Quote from: Patrick M. Hausen on August 17, 2024, 09:47:11 PM
I have a network group named "Restricted" for all VLANs that are, well, restricted, in the sense that they are allowed to access the Internet but not each other.

I attached a screenshot of the "Restricted" rule set. Net4_Local and Net6_Local contain all the locally attached VLANs, probably very similar to your setup.

I am a bit lazy in the sense that, while I pride myself on running dual stack @home and @work, I only provide DNS, NTP and SMTP over IPv4. Hence the structure of the rules you see in the attachment.

HTH,
Patrick

Since that setup contains all the VLANs in your network, wouldn't Net4_Local and Net6_Local block the VLAN that the rule is being run on, therefore blocking it from receiving an IP from the DHCP server? That's the issue I came across when I used aliases.
Title: Re: How can I block access to all VLANs with 1 or 2 firewall rules ?
Post by: Spiky_Gladiator on August 24, 2024, 11:31:46 AM
Anyone ?
Title: Re: How can I block access to all VLANs with 1 or 2 firewall rules ?
Post by: dseven on August 27, 2024, 10:13:08 AM
Quote from: Spiky_Gladiator on August 18, 2024, 12:35:23 PM
Since that setup contains all the VLANs in your network, wouldn't Net4_Local and Net6_Local block the VLAN that the rule is being run on, therefore blocking it from receiving an IP from the DHCP server?

There are automatically generated rules to explicitly allow DHCP.
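As an added illustration (not code from either poster or from OPNsense), here is a first-match model of the rule structure Patrick described, with the automatically generated DHCP allow that dseven mentions placed ahead of the block rule. The VLAN prefixes, the firewall address and the alias contents are constructed assumptions.

```python
"""First-match model of an OPNsense-style 'Restricted' rule set (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Net4_Local alias: every locally attached IPv4 VLAN,
# including the VLAN the rule set is applied to (10.10.0.0/24).
NET4_LOCAL = [ip_network(n) for n in ("10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24")]
FIREWALL = ip_address("10.10.0.1")  # assumed interface address on the client's own VLAN


def in_alias(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


# Rule predicates. Rules are evaluated top to bottom and the first match wins,
# mirroring "quick" rules on an interface.
def dhcp(pkt):  # auto-generated allow: client port 68 -> server port 67
    return pkt["proto"] == "udp" and pkt["sport"] == 68 and pkt["dport"] == 67


def services(pkt):  # DNS/NTP/SMTP offered by the firewall itself, IPv4 only
    return ip_address(pkt["dst"]) == FIREWALL and pkt["dport"] in (53, 123, 25)


def to_local(pkt):  # anything else aimed at a local VLAN, own VLAN included
    return in_alias(pkt["dst"], NET4_LOCAL)


RULES = [
    ("pass", dhcp),
    ("pass", services),
    ("block", to_local),
    ("pass", lambda pkt: True),  # everything remaining is Internet-bound
]


def evaluate(pkt, rules=RULES):
    """Return 'pass' or 'block' for a packet dict (proto, src, sport, dst, dport)."""
    for action, match in rules:
        if match(pkt):
            return action
    return "block"  # implicit default deny if no rule matched


if __name__ == "__main__":
    renew = {"proto": "udp", "src": "10.10.0.50", "sport": 68, "dst": "10.10.0.1", "dport": 67}
    print("with DHCP allow:", evaluate(renew))             # pass
    print("without DHCP allow:", evaluate(renew, RULES[1:]))  # block: the OP's symptom
```

Dropping the first rule reproduces the symptom from the opening post: the alias covers the client's own VLAN, so a unicast DHCP renewal to the firewall falls through to the block rule.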
Title: Re: How can I block access to all VLANs with 1 or 2 firewall rules ?
Post by: Patrick M. Hausen on August 27, 2024, 10:18:19 AM
@dseven discussion has moved to this thread for ... reasons:

https://forum.opnsense.org/index.php?topic=42422.0