Hi Everyone,
Definitely, the question was discussed before, but I still have not found a clear answer.
I have OPNsense inside a hypervisor (Proxmox) and would like to have all my networks
isolated from each other.
So, in case the number of networks (actually interfaces, Opt1...x) grows over time, what is
the best way to automate their isolation from each other or at least make it easy?
thanks
Only the default LAN gets very permissive FW rules (essentially allow any to any on any protocol).
Additional interfaces have a very small auto-generated set (up to DHCP). No DNS, no internet, no other networks. You need to add rules based on your needs.
If LAN isn't supposed to have wide access, you need to dial back the default rule.
Quote from: EricPerl on January 04, 2025, 09:28:54 PM
the default rule.
Hi, you mean somehow alter the autogenerated rules? If yes, I think it is not the best way, because (maybe I am wrong) an update to a new version will cancel the changes.
updates won't mess with your firewall rules, so no.
What you could do is create an alias with RFC1918 plus your static IPv6 /56 or /48 prefix and then create a "block all traffic to RFC1918" rule above the allow everything rules. That way VLANs can't communicate with each other.
Answer is VLANs.
By default, when you create a "NEW INTERFACE" it has no rules, thus it cannot communicate with the Internet or the Intranet.
You can then permit per interface what should communicate where. If, for example, you have a VLAN/network that should access the Internet but not the Intranet, you can specify a rule with a reversed statement like this:
IPv4 TCP | ACS_uTRST_INTER net | * | ! Private_Subnets | 443 (HTTPS) | * | * | Allow-unTRUST-to-WEB-HTTPs
ACS_uTRST_INTER
- this is a group that specifies all untrusted VLANs; you don't need groups, this can just as well be the interface net as source
! Private_Subnets
- is an alias that specifies the RFC ranges for private subnets. The ! means inverse, i.e. allow if the destination is not an IP from this range.
This rule basically allows Internet access for HTTPS, i.e. it allows ingress to everything that doesn't have a private IP as destination, on port 443.
Regards,
S.
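To make the two approaches in this thread concrete (the "block all traffic to RFC1918 above the allow-everything rule" from the earlier reply, and the single "! Private_Subnets" inverted-destination rule above), here is a small first-match rule evaluator. It is an added example written for this thread, not OPNsense code: interface networks, the "Private_Subnets" alias contents, the "opt1"/"opt2" names and the sample packets are all constructed. It models top-down, first-match evaluation on a single interface with a default deny, which is how a freshly created OPT interface behaves, and deliberately includes the same two rules in the wrong order to show that the allow-any rule shadows the block when it sits above it.

```python
"""First-match firewall rule evaluator (constructed example, not OPNsense's code)
illustrating two VLAN-isolation rule styles from the thread:
  1. a block-to-RFC1918 rule placed above an allow-any rule
  2. a single allow rule with an inverted (!) destination alias
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed interface networks and alias table; the names are assumptions.
INTERFACE_NETS = {
    "opt1": ipaddress.ip_network("192.168.10.0/24"),
    "opt2": ipaddress.ip_network("192.168.20.0/24"),
}
ALIASES = {
    # The thread's "Private_Subnets" alias: the three RFC1918 ranges.
    "Private_Subnets": [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    iface: str                  # interface the rule is bound to (direction "in")
    proto: str = "any"          # "any", "tcp" or "udp"
    src: str = "any"            # "any", "<iface> net" or an alias name
    dst: str = "any"
    dst_port: Optional[int] = None
    dst_negate: bool = False    # the "!" on the destination field
    label: str = ""


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr, negate: bool = False) -> bool:
    """Match an address against "any", an "<iface> net" or an alias; "!" inverts."""
    if spec == "any":
        hit = True
    elif spec.endswith(" net"):
        hit = addr in INTERFACE_NETS[spec[:-4]]
    else:
        hit = any(addr in net for net in ALIASES[spec])
    return hit != negate


def evaluate(rules, pkt: Packet):
    """Top-down, first match wins (OPNsense's default 'quick' behaviour).
    No match falls through to the implicit default deny of a new OPT interface."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.iface != pkt.iface:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if not _addr_matches(r.src, src):
            continue
        if not _addr_matches(r.dst, dst, r.dst_negate):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dport:
            continue
        return r.action, r.label
    return "block", "default deny"


# Approach 1: block RFC1918 *above* the permissive rule; order is what isolates the VLANs.
BLOCK_THEN_ALLOW = [
    Rule("block", "opt1", dst="Private_Subnets", label="block opt1 to private nets"),
    Rule("pass", "opt1", label="allow opt1 to any"),
]
# The same two rules in the wrong order: the allow-any rule shadows the block completely.
ALLOW_THEN_BLOCK = list(reversed(BLOCK_THEN_ALLOW))

# Approach 2: the thread's inverted-destination rule, with the interface net as source
# instead of a group (the group "ACS_uTRST_INTER" is not modelled).
INVERTED_ALLOW = [
    Rule("pass", "opt1", proto="tcp", src="opt1 net", dst="Private_Subnets",
         dst_port=443, dst_negate=True, label="Allow-unTRUST-to-WEB-HTTPs"),
]


def decide(rules, iface, proto, src, dst, dport=None) -> str:
    """Convenience wrapper returning only the verdict ("pass" or "block")."""
    return evaluate(rules, Packet(iface, proto, src, dst, dport))[0]


if __name__ == "__main__":
    for name, rs in (("block-then-allow", BLOCK_THEN_ALLOW),
                     ("allow-then-block", ALLOW_THEN_BLOCK),
                     ("inverted-allow", INVERTED_ALLOW)):
        print(name,
              "cross-VLAN:", decide(rs, "opt1", "tcp", "192.168.10.5", "192.168.20.5", 22),
              "internet:", decide(rs, "opt1", "tcp", "192.168.10.5", "203.0.113.10", 443),
              "gateway DNS:", decide(rs, "opt1", "udp", "192.168.10.5", "192.168.10.1", 53))
```

Two things worth noticing in the output: with the block rule above the allow rule, cross-VLAN traffic is dropped and Internet traffic passes, but so is traffic to the firewall's own interface address (the "gateway DNS" case), because that address is inside RFC1918 too; if the firewall serves DNS or other services to that VLAN, an explicit pass for those must sit above the block. The inverted rule has the same property, since anything it does not match falls to the default deny. The model also leaves out the auto-generated rules OPNsense places ahead of your own (such as the DHCP rule mentioned earlier in the thread), so it only illustrates ordering of the user-defined rules.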
Quote from: il on January 05, 2025, 10:30:36 AM
Quote from: EricPerl on January 04, 2025, 09:28:54 PM
the default rule.
Hi, you mean somehow alter the autogenerated rules? If yes, I think it is not the best way, because (maybe I am wrong) an update to a new version will cancel the changes.
There are "automatically generated rules" that you can't edit.
But during install, LAN is getting an allow IN (from the FW's perspective) from any to any using any protocol and ports. It's called "Default allow LAN to any rule". Two rules in fact, one for IPv4, one for IPv6.
You can definitely edit/delete these and replace them with your own rules, as appropriate for you. Updates do not interfere.
You can even delete the entire interface (I only have VLANs)... and whatever rules were bound to that interface were deleted too.