Hello,
Our config is:
[ SWITCH ISP] <-> [IPCop] <-> GREEN LAN <-> [OPNSense] <-> RED LAN
What I would like to achieve is deny access from RED to GREEN, except IPCop (GATEWAY to internet).
I can access servers in GREEN, which I want to prohibit. I can't use VLANs.
Your help is greatly appreciated.
Regards
ulus
Not sure why you have multiple firewalls as you are going to hit double NAT scenarios.
If I'm understanding your description, your "GREEN" side is the WAN side on OPNSense and "RED" is the LAN side.
The default rule is allow Red to Green.
(http://i.imgur.com/aM28sJG.png)
You can just remove this rule, but not sure what the goal is.
You could also add a rule that allows just to the IP of the IPCop interface, but that wouldn't allow Internet access as traffic flows through for that.
You can also block just the internal "GREEN" Server IPs and drop that if you want to allow everything else but that through.
IPCop is a workaround because at the time of installation pfSense didn't support the LAN cards.
Goal is internet access from RED (single PC) without access to GREEN.
GREEN is the common company LAN (~50 hosts).
The customer wants a single workplace/desktop with unrestricted access to the Internet but without access to LAN hosts.
We know this is not a usual case. A redesign needs more time to prepare.
You should be able to do one block rule that stops the RED Network from access to the GREEN and just leave the allow all after it.
Without knowing the IP/Networks, it's hard to say exactly what the rule would be.
Example:
RED: 192.168.1.0/24
GREEN: 192.168.2.0/24
Block Source: 192.168.1.0/24 to Destination: 192.168.2.0/24
Allow all * * like the rule I have listed.
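The two-rule ruleset suggested in the reply above, modelled as an added example (not code from the thread or from OPNsense) in Python. OPNsense evaluates the rules on an interface top-down and the first matching rule wins, so the model uses the same first-match semantics and a default deny when nothing matches. The subnets are the hypothetical ones from the reply; the host addresses (192.168.1.50 as the RED PC, 192.168.2.10 as a GREEN server, 192.168.2.1 as IPCop's GREEN address, 203.0.113.7 as an Internet host) are assumed for the demonstration. The check also shows why the block rule must sit above the allow rule: with the order reversed, the allow-all matches first and the block never fires.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets taken from the reply's example; hosts below are assumed.
RED = ipaddress.ip_network("192.168.1.0/24")
GREEN = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One firewall rule on the RED (LAN) interface: action, source, destination."""
    action: str                      # "block" or "pass"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


# The ruleset proposed in the reply: block RED -> GREEN, then allow everything else.
RULESET = [
    Rule("block", RED, GREEN),
    Rule("pass", ANY, ANY),
]


def evaluate(rules, src, dst, default="block"):
    """First-match evaluation, top-down, like OPNsense interface rules.

    Returns the action of the first rule that matches; if no rule matches,
    the packet hits the implicit default deny.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default


def check_ruleset(rules):
    """Run a few constructed flows from the RED PC and return the verdict per flow."""
    cases = {
        # RED PC to a company server in GREEN: must be blocked.
        "green_server": ("192.168.1.50", "192.168.2.10"),
        # RED PC to IPCop's own GREEN address: also matched by the block rule.
        # Internet traffic is still forwarded via IPCop because the rule is
        # checked against the packet's final destination, not the next hop.
        "ipcop_green_ip": ("192.168.1.50", "192.168.2.1"),
        # RED PC to an Internet host: falls through to the allow-all rule.
        "internet": ("192.168.1.50", "203.0.113.7"),
    }
    return {name: evaluate(rules, s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    print("block above allow:", check_ruleset(RULESET))
    # Reversed order: the allow-all rule matches first, so nothing is ever blocked.
    print("allow above block:", check_ruleset(list(reversed(RULESET))))
```

The verdict for the IPCop address is the caveat the reply hints at: the RED PC cannot talk to IPCop's GREEN IP directly (ping, web UI), yet its Internet traffic still passes, since OPNsense forwards it to IPCop as next hop after the rule has already been matched on the real destination.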