Having been on the platform for just over a year now, it is clear as day that firewall rules are the actual bane of my existence. This is why I tunnel, but every once in a while I'm forced to click on those tabs, and I always find myself ending up in this forum after hours of reading and tinkering.
I want to create a simple IoT VLAN. I have set everything up to the letter... until you get to the firewall rules. Everyone does it differently, or just completely skips the topic.
I am politely asking anyone to chime in and tell me what is wrong (and I'm sure there's plenty) with the firewall rules for my VLAN interface, that is stopping this access point from receiving internet signal.
It's not clear that this is why your AP isn't working (there could be other network issues), but to at least get the rules sorted out:
- Move the two "Default allow... to any" rules to the bottom.
- Change the Source on the first "Default allow" rule from "WAN net" to "IoT net"
- Disable the two DNS rules and the wide open rule (3rd from bottom). Those are redundant and the Default allow rules will anyway grant access to DNS.
That'll get the rules into a good state, I think.
I don't know who this creator is, but this particular video (although dated) really helped me to get started: https://www.youtube.com/watch?v=kYFNa_zpeII. He explained the basics of OPNsense/pf rule evaluation in clear terms.
Quote from: fakebizprez on March 19, 2025, 03:44:45 AM
that is stopping this access point from receiving internet signal.
What do you mean by that? Are you referring to the OPNsense router as the access point, or to a wireless access point? And if you mean a wireless access point (AP), is it getting an IP address from the DHCP server you set up for that VLAN?
First, by default (and yours are, see the little yellow bolt) the rules are 'quick': the first matching rule is applied and no further rules are evaluated. Right now nothing below 'IoT net * * * * *' will ever match.
Second, about the direction of a firewall rule: by default they are in direction 'in'. That is in relation to the router, facing an interface/network. As an example for your IoT network, 'in' is traffic from the IoT network to the router (IoT network traffic is entering the router at the IoT interface). If you look from the router to the WAN interface, 'in' would mean traffic from the WAN interface/net (== internet) to the router. 'out' is then the opposite: traffic leaving the router out to the interface/network.
Let's look at the rules, ignoring the default rules.
[Allow In] IPv6 * WAN net * * * * * Default allow LAN IPv6 to any rule
An IPv6 rule that will do nothing at the moment, since you are on the IoT network. Change WAN net to IoT net and correct the description 'Default allow LAN...' (that is of course not strictly necessary, since it's only text). And, as OPNenthu mentioned, move it to the bottom of the rules (because of the 'quick' rule thing).
[Allow In] IPv4 * IoT net * * * * * Default allow LAN to any rule
IPv4 rule. That rule is correct, but as with the rule above, if you want any other rule after it to have an effect you move it to the bottom. And correct the description.
[Allow In] IoT net * 'IoT address' '53 (DNS)' * * Allow access to DNS
[Allow In] IoT net * 'IoT address' '853' * * Allow access to DNS
If you keep the 'IoT net * * * * * ...' rule, access to DNS on the IoT net/address is already granted by that default allow rule.
[Allow In] IPv4+6 * IoT net * * * * *
Another 'Allow All' rule, not necessary at all.
[Deny In] IPv4+6 * IoT net * 'Lan net, linehaulVPN net' * * *
Deny inbound IPv4 and IPv6 access from IoT net to LAN net and linehaulVPN net. If you want to prevent IoT net to access these two networks, that's the correct rule. But only if you move the 'allow all' rules to the bottom first.
[Deny Out] IPv4+6 * IoT net * 'Lan net, linehaulVPN net' * * *
That won't do anything in the out direction (see above about 'in' and 'out'), since neither LAN net nor linehaulVPN net is part of the IoT network.
FWIW, not being a fan of deny rules, I suggest replacing the allow all rules with allow !private_networks (an alias that encompasses your private IP ranges).
Such a rule becomes "allow internet access".
When you need a VLAN to access another, you add the appropriate rule.
Then you don't need deny rules and you don't have to worry about ordering rules...
How is the AP connected to the router?
A VLAN aware AP would be connected via a trunk.
A plain AP would need to be connected to an access port on a managed switch (untagging traffic going to the AP, tagging traffic coming from the AP).
Thanks for the helpful responses.
One thing I want to be clear on --- the order of the firewall rules matters? If that's the case, I can't believe I didn't know that.
First match rules are evaluated top to bottom (auto-generated, floating, group, interface).
Last match rules come last (bottom to top apparently).
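To make the three points from the replies above concrete (quick rules stop at the first match so everything below a catch-all is dead; an 'out' rule on the IoT interface can only ever see traffic whose destination is in the IoT net; and a single 'allow !private_networks' rule replaces the deny rules), here is a small rule-walk simulator. It is an added example, not OPNsense or pf code, and the prefixes for 'IoT net', 'LAN net', 'linehaulVPN net' and the router's 'IoT address' are assumptions, since the thread never states them. It models the IPv4 rules from the thread only, and it also shows what EricPerl's non-quick "last match wins" evaluation does with the same packets.

```python
"""Toy model of how OPNsense/pf walks one interface's rule list.
Added example, not OPNsense or pf code; all prefixes below are assumed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network

# Assumed prefixes standing in for the aliases named in the thread.
NETS = {
    "IoT net": IPv4Network("192.168.20.0/24"),
    "LAN net": IPv4Network("192.168.10.0/24"),
    "linehaulVPN net": IPv4Network("10.8.0.0/24"),
    "IoT address": IPv4Network("192.168.20.1/32"),   # the router's IP on IoT
}
# What an OPNsense 'private_networks' alias would typically hold (RFC 1918).
PRIVATE = [IPv4Network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Spec:
    """Source/destination spec: a list of networks, optionally negated ('!')."""
    nets: list | None = None        # None means 'any'
    negate: bool = False

    def hit(self, ip) -> bool:
        if self.nets is None:
            return True
        return any(ip in n for n in self.nets) != self.negate


ANY = Spec()


def net(*names, negate=False) -> Spec:
    return Spec([NETS[n] for n in names], negate)


@dataclass
class Rule:
    action: str        # "pass" or "block"
    direction: str     # "in" or "out", relative to the router on this interface
    src: Spec
    dst: Spec
    dport: int | None = None
    quick: bool = True   # OPNsense default (the yellow bolt)
    label: str = ""


def evaluate(rules, direction, src, dst, dport):
    """Walk top to bottom. Quick rule: first match wins. Non-quick rule: remember
    the match and keep walking, so the last match wins. No match: default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = ("block", "default deny")
    for r in rules:
        if r.direction != direction or not r.src.hit(src) or not r.dst.hit(dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        verdict = (r.action, r.label)
        if r.quick:
            break
    return verdict


def covers(a: Spec, b: Spec) -> bool:
    """True if every address matching b also matches a (non-negated specs only)."""
    if a.nets is None:
        return True
    if b.nets is None or a.negate or b.negate:
        return False
    return all(any(bn.subnet_of(an) for an in a.nets) for bn in b.nets)


def shadowed(rules, iface_net) -> list[str]:
    """Labels of rules that can never match: those below an earlier quick rule that
    already covers them, and 'out' rules whose destinations never lie in this
    interface's own network (simplification: out on IoT means dst is in IoT net)."""
    dead, earlier_quick = [], []
    for r in rules:
        if (r.direction == "out" and r.dst.nets is not None and not r.dst.negate
                and not any(n.overlaps(iface_net) for n in r.dst.nets)):
            dead.append(r.label)
            continue
        if any(q.direction == r.direction and (q.dport is None or q.dport == r.dport)
               and covers(q.src, r.src) and covers(q.dst, r.dst) for q in earlier_quick):
            dead.append(r.label)
            continue
        if r.quick:
            earlier_quick.append(r)
    return dead


# The IPv4 rules as posted, in the posted order (all on the IoT interface).
POSTED = [
    Rule("pass", "in", net("IoT net"), ANY, label="Default allow LAN to any rule"),
    Rule("pass", "in", net("IoT net"), net("IoT address"), 53, label="Allow access to DNS"),
    Rule("pass", "in", net("IoT net"), net("IoT address"), 853, label="Allow access to DNS (853)"),
    Rule("pass", "in", net("IoT net"), ANY, label="allow all (IPv4+6)"),
    Rule("block", "in", net("IoT net"), net("LAN net", "linehaulVPN net"), label="Deny In to LAN/VPN"),
    Rule("block", "out", net("IoT net"), net("LAN net", "linehaulVPN net"), label="Deny Out to LAN/VPN"),
]
# The deny rule first, the catch-all allow last, as the replies suggest.
REORDERED = [POSTED[4], Rule("pass", "in", net("IoT net"), ANY, label="Default allow IoT to any")]
# EricPerl's alternative: no deny rules; allow everything that is not private.
# Caveat: the router's own IoT address is private too, so DNS to it needs its own rule.
NO_DENY = [
    Rule("pass", "in", net("IoT net"), net("IoT address"), 53, label="DNS to the router"),
    Rule("pass", "in", net("IoT net"), Spec(PRIVATE, negate=True), label="allow !private_networks"),
]
# Same two rules without 'quick': the last matching rule decides.
LAST_MATCH = [
    Rule("pass", "in", net("IoT net"), ANY, quick=False, label="pass non-quick"),
    Rule("block", "in", net("IoT net"), net("LAN net"), quick=False, label="block non-quick"),
]

if __name__ == "__main__":
    pkts = {"IoT -> LAN": ("192.168.20.50", "192.168.10.5", 445),
            "IoT -> internet": ("192.168.20.50", "1.1.1.1", 443),
            "IoT -> router DNS": ("192.168.20.50", "192.168.20.1", 53)}
    for name, rules in (("posted", POSTED), ("reordered", REORDERED), ("no deny", NO_DENY)):
        for p, (s, d, port) in pkts.items():
            print(f"{name:10} {p:18} -> {evaluate(rules, 'in', s, d, port)}")
        print(f"{name:10} never match: {shadowed(rules, NETS['IoT net'])}")
```

The constructed packets are ordinary IoT-to-LAN, IoT-to-internet and IoT-to-router traffic. With the posted order the very first quick rule passes the IoT-to-LAN packet and `shadowed()` reports every rule below it as unreachable, including the 'Deny Out' rule, which is dead for the direction reason rather than the ordering one. The 'allow !private_networks' set blocks IoT-to-LAN without any deny rule, but drop its DNS rule and DNS to the router is denied as well, which is the extra rule you add when a VLAN needs to reach something private.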
Quote from: EricPerl on March 24, 2025, 01:22:51 AM
First match rules are evaluated top to bottom (auto-generated, floating, group, interface).
Last match rules come last (bottom to top apparently).
I am embarrassed that I didn't know that. To my credit, I tunnel every chance I get.