OPNsense Forum

English Forums => General Discussion => Topic started by: coffeecup25 on July 06, 2025, 12:43:17 AM

Title: What I think is a simple question, but I can't get a simple answer to
Post by: coffeecup25 on July 06, 2025, 12:43:17 AM
Someone please help. This should be a simple question but, surprisingly, my searches found no concise answer.

My pc / router has a couple of empty ports. I want to add a 2nd subnet to one. It needs internet access but no contact with the main LAN. It's for IoT items, like thermostats and light bulbs. I'll plug a dedicated wireless access point into it.

I have figured out the interface assignment and the DHCP and it works fine. The Firewall is the problem. I figured how to isolate the IoT subnet from the LAN but I can't get internet access to the IoT interface. Google searches are absolutely useless for this simple question.

I gave up trial and error after an OpnSense backup was needed to fix my firewall mistakes.

Google AI is incomplete with the firewall entries and often wrong when it offers advice. Lots of videos drone on never to the point and too vague in the early parts for me to watch to see if the end is just as pointless. Then people confuse subnets with VLANs. (I have a VLAN using a TP-LINK smart switch for isolation and discovered the switch is too unstable to depend on. Thus, the subnet approach.) I'm old enough to remember when YouTube videos were like taking a seminar, and not pointless vanity projects like today.

Can someone offer a simple cookbook recipe for this? Nobody else has, surprisingly.

Thanks in advance.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: passeri on July 06, 2025, 01:04:01 AM
Create the interface as usual. It will have no access to anything.
Create an alias for RFC1918 addresses, call it something like "private_nets" or "rfc1918"
Create an Allow rule where source is your IoT port address and destination is private_nets with Destination/Invert ticked.

Other rules are possible. The above will give your IoT devices internet access without them having access to anything local. It is all in one rule, not separate as you seem to imply.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: coffeecup25 on July 06, 2025, 01:09:10 AM
Thank you. I will try it tomorrow.

Why in the world do so many people have so much trouble coming to the point? 
--------------------------
edit: I found an internet video that corresponded to your information. The RFC1918 part is not intuitive, especially since it appears to be for internet access. Now that I know what to look for and can knowingly ignore the nonsense, I have a few good references now.
--------------------------
Someone should write down the top to bottom recipe, then post it here prominently.  I'm essentially trying to build an isolated guest network. Nothing fancy.

The RFC1918 part is new. I saw the phrase along with a need for an alias somewhere in one search, but it was mixed in with a lot of other stuff.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: cookiemonster on July 06, 2025, 02:31:23 AM
Just a way of doing it and probably why no "ready made recipe". There are many ways, and endless options and requirements. You can garner some of this by looking at the documentation https://docs.opnsense.org/manual/firewall.html
Quote: "I'm essentially trying to build an isolated guest network. Nothing fancy."
Yes, but then you have a specific (as expected) setup.
Quote: "My pc / router has a couple of empty ports. I want to add a 2nd subnet to one. It needs internet access but no contact with the main LAN."
So now imagine the basic setup recipe would have to cater for this requirement, but not for one with no internet access, or with access to the main LAN. Now you see this basic setup has at least 4 permutations. Then that applies only if using a spare port on the firewall.

Back to your question.
There is no way to create if-then logic in a rule, so you have to create that logic.
One way is to create one rule to allow out to all (*) so that it gets to "the internet". Then you need a separate rule to limit the all (*) from reaching your main LAN (a block rule).
This is one way of doing it. Due to ordering, you would put the block rule above the allow all:
Alternatively as passeri says, you can do it in a combination with the use of aliases.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: passeri on July 06, 2025, 03:58:35 AM
Yes, there are certainly other ways of doing it. The one I selected holds to my "allow required then block by default" policy even though logically these can be reversed into "block unwanted then allow the rest". As coffeecup25 notes, there is already an inversion in my rule by saying in effect "the WAN is not this group" so whether one is really saying allow-block or block-allow becomes moot. It is more important to hold a single [sense of your] logical model so that you can spot errors in your own rules more easily.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: coffeecup25 on July 06, 2025, 04:10:56 AM
cookiemonster,

Thanks for taking the time to reply. I think you missed my point. I want to use a spare router port for an isolated guest network for IoT devices that need internet access. That's a pretty well defined objective with no permutations.

A cookbook recipe is not if / then. Look at a Betty Crocker book for more examples.

I would not be surprised to see other firewall rules that accomplish the same objective (IoT isolated from LAN and Internet Access for IoT). Reading the OPNsense manual is not helpful at my level of understanding for this. Clearly written examples are.

I would like to know more about the inverted aspect as that is opaque.

If there are different rules that would do the same thing, I suspect lots of people other than me would like to see them.

Thanks for answering.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: meyergru on July 06, 2025, 09:06:25 AM
Sigh. Another one with great expectations, but this time, different ones.

Usually, people come in here and expect OpnSense to be a ready-made product for home users like a Fritzbox, only with more features / possibilities. That, it is not. It is a complex product for network professionals who can do a lot of things with it, that they never could with more limited consumer-grade products.

You, in contrast, even seem to expect a recipe for your specific situation. Matter-of-fact, this ain't possible, because in order to not disappoint anyone with the same mindset, there would have to be a recipe for any specific situation, which cannot exist for obvious reasons.

While there are guides in the tutorial section for some often found situations, they are mostly meant as an idea pool for more specific, individual  setups. So - there can (and there should) be "if / thens".

BTW: Relying solely on those tutorials as "step-by-step" guides would be a risk: If your specific setup deviates only a slight bit, it would not work or - because OpnSense is a security product - be unsafe. So, network knowledge is a must, you will have to do your own thinking and your expectations are probably too high.

Or, as Patrick would put it: "You are holding it wrong."
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: coffeecup25 on July 06, 2025, 03:35:48 PM
meyergru,

Knock it off. You weren't born with the know-how to even install OPNsense from a USB drive, let alone configure a 2nd subnet using a spare router port. Simple questions like the one I asked ALWAYS seem to bring weirdos out of the woodwork who won't play nice. Are you offended by my comments about a lot of YouTube videos now being useless vanity projects rather than helpful seminars like they seemed to be by the barrel full a decade or so ago? Your reply fits in well with the current approach to video making. People like you make forums like this a risk to even waste time on.
 
I stopped using pfSense because even simpler questions brought out even more obnoxious weirdos in their forum. OPNsense is OK, but I figured out how to load Adguard Home in pfSense in the background, using a very helpful internet article. In fact, I'm using my pfSense router to now experiment with the 2nd subnet so I can mess up with less downside. Maybe I'll change over again once it works.

I have a 'business class' Asus wireless router on order for hobby purposes. It has a ton of features not normally included in your typical retail router. Adguard home is also installed on a couple of 24/7 home servers. It's not as powerful as OPNsense but my needs are simple. And I will be able to remove a pc / router and 2 access points if it does the job. You make me want to really make it work.

I know weirdos like you take pride in getting a rise out of people and even chasing them away. Good for you. People like you make places like this of dubious value. Have you ever driven through the southwest in the countryside and seen a cow standing on a large pile of you know what? Quite a metaphor.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: cookiemonster on July 06, 2025, 04:54:59 PM
I will write it better shortly :)
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: meyergru on July 06, 2025, 04:57:13 PM
That is quite an attitude you are presenting here.

When you say things like:

    "Google is useless for this."

    "YouTube is just vanity projects."

    "Why doesn't someone just write this down already?"

...it alienates volunteers who are freely giving their time to help. It implies they are not doing enough or that your problem is so obvious that only negligence explains the lack of a universal recipe, which is not the case as I tried to explain.

Technical forums function on mutual respect, humility, and collaborative troubleshooting – not on consumer-facing service expectations. If you require ready-made solutions without investing time to understand the concepts, a paid consultancy may be a better fit. Even then, no service includes a right to insult people as "weirdos" for helping you.

I am not falling for this framing. Your cooperation will always yield better results here.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: cookiemonster on July 06, 2025, 05:15:38 PM
@coffeecup25 you will find this is a very friendly place. Ok, it doesn't seem that way right now, but it is.
What you've experienced is that making a couple of snippy statements will get some tails up.
But meyergru has written it already.

One way, as I said, is to stop traffic to the neighbour network and then allow all out. Traffic will be evaluated and if going to "LAN net" in my example case, it will stop and not evaluate further rules.
If traffic is not going there, it will hit the last, "allow all out" i.e. internet.

Edit: Removing the attachment. Why? This guy's attitude makes it extremely hard to want to help.

Suggestion. Statements like:
"Can someone offer a simple cookbook recipe for this? Nobody else has, surprisingly."
"Why in the world do so many people have so much trouble coming to the point?  "
when you are trying something new, in a new place.. not necessary ;)

You're walking thirsty wanting to ask for a free glass of water in a shop, and you start by telling the workers that you've looked everywhere and couldn't find it anywhere, why has nobody made it easy to just get that free glass of water for anyone passing along.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: coffeecup25 on July 06, 2025, 07:04:47 PM
passeri,

Thanks. I got it working on my pfSense router that I used as a lab as mentioned above. It did not work at first. Then I did what nobody mentioned except one video as an afterthought - I entered some dns servers on the dhcp page for IoT. Fired right up to the internet. Apparently the default won't allow the main router DNS to get through if Adguard Home has control, or maybe at all. I don't know.  Which is fine because I don't care if my thermostat is inundated with ads and trackers.

I figured out the inverted aspects now. Clever approach.

Now that the internet is working on it, I can play around with a couple of other ideas I have for configuration. I'll do it after I move it to my OPNsense router.

Thanks again.

Other guys, Is there some rule you people follow that prevents you from getting along like normal people? I  especially like how you invert yourselves into victims as you attack me.


Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: Patrick M. Hausen on July 06, 2025, 09:10:11 PM
I recommend a visit to the AITA reddit and serious adjustment of your attitude, dude.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: coffeecup25 on July 06, 2025, 10:25:31 PM
Quote from: Patrick M. Hausen on July 06, 2025, 09:10:11 PM
I recommend a visit to the AITA reddit and serious adjustment of your attitude, dude.

AITA?  Probably so, but only from your perspective. From my perspective, the Other Guys fit that description perfectly. I asked a simple question with a little flourish about my frustration with how useless the internet can be with everyone trying to be a star without a clue about how to communicate effectively. That question brought out the weirdos who hate simple questions. Out come the angry victims who don't try to stay on point but blather angrily off point and misunderstand the point of the original post. I simply decided that, today, enough is enough.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: opnsenseuser8473 on July 06, 2025, 10:47:49 PM
To be honest yes. People shouldn't expect just professionals to use this product, as many people are trying to deeply secure their internet. The term "elitist" mindset gets tossed around online. To be honest this is an online forum, where a lot of people ask questions. No one is a genius. People do dumb things. Encourage learning, don't discredit. As a math tutor I learned that explaining to them as if they know nothing and building from the ground up helps.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: opnsenseuser8473 on July 06, 2025, 10:59:32 PM
Plus a product's success and popularity also comes from word of mouth. Those random "new people" can help push a product forward. Last thing a product wants is decent product, bad community. It promotes less engagement.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: Patrick M. Hausen on July 06, 2025, 11:18:40 PM
The point is that your question isn't simple but depends on a whole lot of parameters specific to your installation and to yours only. And when professionals who are aware of that fact point it out you act all aggressive.

Difficult to help in that case, but you do you.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: coffeecup25 on July 06, 2025, 11:27:31 PM
Quote from: Patrick M. Hausen on July 06, 2025, 11:18:40 PM
The point is that your question isn't simple but depends on a whole lot of parameters specific to your installation and to yours only. And when professionals who are aware of that fact point it out you act all aggressive.

Difficult to help in that case, but you do you.

The original question was to use an open port on my router / pc as an extra subnet that's isolated from the main LAN but has internet access.

That's as concise as it gets. One nice person gave me some good pointers to complete it.

You would need to imagine a lot to make it confusing.  I was not trying to victimize you. Please do not start looking for inconsistencies to what I just wrote compared to what I wrote earlier. That's generally the next step you people take. When you 'find' an inconsistency it validates your victimhood.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: Patrick M. Hausen on July 06, 2025, 11:46:44 PM
Assuming your existing interface is "LAN" and the new one is "IOT", create

- the IOT interface with an IP subnet different from that on LAN
- the DHCP configuration for that subnet - copy from LAN and adjust the address range
- create a single rule on IOT:

-- source: IOT net
-- destination: LAN net
-- destination invert: check
-- action: allow

That's all. But ...

That only works for a single pair of interfaces. As soon as you have three or more that you want to isolate from each other, that's where the "RFC1918" alias concept comes into play.

Which requires separate additional allow rules for DNS and possibly NTP etc. to the local firewall interface.

But ...

Not all situations have RFC 1918 ("private") networks for internal interfaces. Most of my firewalls actually don't. So you need another different approach - again. I use aliases named "local somethingsomething", one for IPv4 and one for IPv6. Yes, IPv6 exists and people use it in production.


That is why it depends and there is no simple one size fits all answer.
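
Added example (not part of any post in this thread, and not OPNsense code): a small Python model of first-match rule evaluation on the IOT interface, run against the rule sets suggested above by passeri, cookiemonster and Patrick M. Hausen. The addresses, the third segment and every name in the code are constructed for illustration; it models IPv4 destination address and port only, with the source always a device on IOT.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

net = ipaddress.ip_network

# Constructed addressing plan (assumption; the thread gives no addresses).
LAN_NET = net("192.168.1.0/24")
CAM_NET = net("192.168.30.0/24")   # hypothetical third internal segment
IOT_FW = net("192.168.20.1/32")    # firewall's own address on IOT (DNS/NTP)
ANY = net("0.0.0.0/0")
RFC1918 = (net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    dst: Tuple                     # destination networks (an alias can hold several)
    invert: bool = False           # the "Destination / Invert" checkbox
    port: Optional[int] = None     # None means any port

    def matches(self, ip, port):
        hit = any(ip in n for n in self.dst)
        if self.invert:
            hit = not hit
        return hit and self.port in (None, port)


def evaluate(rules, dst, port):
    """First matching rule decides; traffic matching no rule is blocked."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(ip, port):
            return rule.action
    return "block"


# Rule sets for the IOT interface, top to bottom, as described in the thread.
RULESETS = {
    # passeri: one allow rule, destination = NOT the RFC1918 alias
    "invert_rfc1918": [Rule("pass", RFC1918, invert=True)],
    # cookiemonster: block LAN first, then allow everything
    "block_lan_then_allow": [Rule("block", (LAN_NET,)), Rule("pass", (ANY,))],
    # the same two rules in the wrong order
    "allow_then_block_lan": [Rule("pass", (ANY,)), Rule("block", (LAN_NET,))],
    # Patrick M. Hausen: one allow rule, destination = NOT LAN net
    "invert_lan": [Rule("pass", (LAN_NET,), invert=True)],
    # RFC1918 variant plus the extra DNS/NTP rules to the firewall address
    "rfc1918_plus_services": [
        Rule("pass", (IOT_FW,), port=53),
        Rule("pass", (IOT_FW,), port=123),
        Rule("pass", RFC1918, invert=True),
    ],
}

# Constructed test traffic leaving an IoT device.
PROBES = {
    "internet": ("203.0.113.10", 443),
    "lan_host": ("192.168.1.50", 445),
    "firewall_dns": ("192.168.20.1", 53),
    "third_segment": ("192.168.30.5", 80),
}


def verdicts(name):
    """Return the pass/block decision of one rule set for every probe."""
    return {probe: evaluate(RULESETS[name], *target)
            for probe, target in PROBES.items()}


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:24}", verdicts(name))
```

In this model the RFC1918-only rule also blocks DNS to the firewall's own IOT address, which is why that variant needs the extra DNS/NTP rules, and the two LAN-only variants still pass traffic to a third internal segment.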
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: opnsenseuser8473 on July 07, 2025, 12:00:15 AM
I'll try to explain step by step from beginning to end. Some stuff you might know or have already done, so excuse that. First engage your switch and device. Make sure you set a trunk port that's tagged, the rest untagged. Depending on the switch, an ID or tag number might be needed to communicate. Make sure you set the VLAN priority to zero for now; if blank then typically it's handled by OPNsense.
As that's your own device, sadly you're gonna need to get support from them.

OPNsense side.

Go to interface->devices->vlan
Here you choose the LAN port you want to use. The tag number needed above and the VLAN priority are set here. Save and apply.

Go to interface->assignment. You're going to see your VLAN name in the drop table at the bottom of the page. In this list hit add.

Under Interface, go to the name of the VLAN interface and set a static IP separate from your LAN. Like instead of 192.168.a.a, you use 192.168.b.b. Letters are symbolising different numbers, or use 10 addresses. Hit enable, save, then apply.

Go to services->dhcp and just set your range; scroll down, you will see.
Gateway you can leave blank or put the static IP you set up in interface. Hit apply.

Next it's separating VLANs. They are typically separated by default.
But you want to just set a block rule, a generic block rule, in case.

Go to aliases, hit the plus icon to add. Make sure you switch it from host to network and put the created VLAN IP address.

Go to your home network (not VLAN) rules in firewall->rules.

And create a generic in and out block rule where source is your home network IP or blank and destination is your VLAN alias, and for safekeeping you might want to reverse the order where source is the VLAN, to block to and from traffic. If you have multiple VLANs it's recommended you do this in their specific rules and aliases as well to separate them. Keep these rules on top as order matters.

Go to the rules section of your VLAN, hit new rule.
Allow, direction in, source blank or VLAN subnet, destination blank, or specific sites if you have them, but that involves complex rule crafting that most users don't need.

As default, Unbound DNS defaults to all interfaces, so you don't need to do much there.

I hope this is remotely helpful. If I missed any specifics or I missed a step please let me know. I'm currently dealing with a complex issue but this is basic so I should be able to help.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: opnsenseuser8473 on July 07, 2025, 12:17:54 AM
As you are asking a basic question I assume your setup's not as complex yet.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: opnsenseuser8473 on July 07, 2025, 12:20:36 AM
Quote from: Patrick M. Hausen on July 06, 2025, 11:46:44 PM
Assuming your existing interface is "LAN" and the new one is "IOT", create

- the IOT interface with an IP subnet different from that on LAN
- the DHCP configuration for that subnet - copy from LAN and adjust the address range
- create a single rule on IOT:

-- source: IOT net
-- destination: LAN net
-- destination invert: check
-- action: allow

That's all. But ...

That only works for a single pair of interfaces. As soon as you have three or more that you want to isolate from each other, that's where the "RFC1918" alias concept comes into play.

Which requires separate additional allow rules for DNS and possibly NTP etc. to the local firewall interface.

But ...

Not all situations have RFC 1918 ("private") networks for internal interfaces. Most of my firewalls actually don't. So you need another different approach - again. I use aliases named "local somethingsomething", one for IPv4 and one for IPv6. Yes, IPv6 exists and people use it in production.


That is why it depends and there is no simple one size fits all answer.


To be fair to coffee, the guy went into an "I can't stand these type of people" statement.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: Patrick M. Hausen on July 07, 2025, 12:32:14 AM
coffeecup25 went into an absolutely uncalled for "I can't stand this type of people" statement. Correct.

meyergru and myself are among the regulars doing the heavy lifting week after week helping countless users for free. In our spare time.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: opnsenseuser8473 on July 07, 2025, 12:46:19 AM
I understand and appreciate, but sometimes abrasiveness isn't what's needed. For basic stuff I'll try to help out if I can learn this site.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: Patrick M. Hausen on July 07, 2025, 01:08:23 AM
Very much appreciated. There's nothing much to learn, actually. Just communicate like you would face to face.

If I was sitting with a customer who would ask "how much is this and that?" I would answer "it depends, can we go through the details that help me to better understand your particular challenge?"

And if I get "can't you just answer a simple straightforward question, you <redacted>?", well, I would probably try to continue that meeting once or twice in a constructive manner, but finally just terminate the customer relationship.

Assuming that "my question is simple so I deserve a simple straightforward answer" assumes that the people supposed to answer and help know your particular situation and requirements - which frequently is incompletely specified. As users seeking help tend to do.

Overreacting when the answer isn't a simple recipe but first a bunch of questions about details is not helpful.

If being a network professional for almost four decades taught me one thing it is that

- there are no simple answers
- every problem is to be considered unique unless shown otherwise

Hey, that's two things 😉

And since I invested way more time into this discussion than I'd like, already, let me phrase it again from another angle.

As a support engineer without direct (UI or SSH) access to your network I try to build a mental model of the situation you have at your place. That's challenging and exhausting, intellectually, and I need as much information as possible and very specifically when I ask a question, I need an answer to that question with just the facts. Not you jumping to conclusions based on your own understanding of the problem. If these were sufficient, you would not need my help, right?

We frequently had e.g. threads where we went through a gazillion of configuration things and after three pages on this forum the OP dropped that their OPNsense was virtualised in a hypervisor. "Why did you not tell upfront?" - "I did not consider it important." - EVERYTHING is important.

That's why meyergru and me reacted the way we did and will probably continue to do so. There's nothing toxic or gatekeeping about that, IMHO. When we ask for the facts, we have a reason. As long as my mental model of your setup is incomplete, I cannot help.

HTH, kind regards,
Patrick, network and support engineer since the late 80s.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: passeri on July 07, 2025, 01:53:19 AM
@coffeecup25 Banking on my recently acquired "nice guy" reputation :) firstly I am happy it is now working for you. Having a test bed, even pfsense rather than opnsense, can be useful and is something I do (with opnsense).

I might apologise for omitting the possible need to check DNS settings. My own IoT setup from which I plucked the example I gave includes a rule to redirect DNS to local, Unbound, and I have a floating rule for NTP. I omitted these because I was providing general advice, because I did not know your setup or your full needs.

I am long retired from consulting where an occasional role was managing and solving business-critical problems in IT-related space. Patrick's comment here deserves nailing to a wall.
Quote from: Patrick M. Hausen on July 07, 2025, 01:08:23 AM
I try to build a mental model of the situation you have at your place. That's challenging and exhausting, intellectually, and I need as much information as possible and very specifically when I ask a question, I need an answer to that question with just the facts. Not you jumping to conclusions based on your own understanding of the problem.

I learned opnsense having had only general involvement in networking, learning from Patrick, cookiemonster, meyergru, and others who have not posted in this particular thread as well as from reading, trying, reading again. They have different approaches, some more in tune with my own yet all with obvious expertise.

You have success for your initial question. I have always found that having supporting experts in specific domains is quite useful, worth retaining.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: coffeecup25 on July 07, 2025, 02:35:40 AM
passeri,

I stated my situation clearly, completely, and concisely several times. I never even hinted at hidden parts. I won't repeat it since it wouldn't make a difference. Once you provided the private network bits, the clarity appeared and I could confidently ignore some of the horrid advice the internet offered in favor of people who knew something. Until then, everyone's advice carried equal weight, meaning none were worth listening to. Now I think I know enough to make my own rules for this.

Why is it even still unclear and confusing to everyone here? And everyone today has attitude or is a victim when stood up to or not recognized as The Boss.

Your good guy status came simply from trying to be helpful and courteous while being on point concisely. It seems to be uncommon today.

I was also in consulting long ago, not networking. I was good at it. Many of my peers bluffed their way through by providing answers to questions they knew the answers to, not the question that was asked. These people remind me of them. Everyone should have a hobby, though I don't see what you see in them.

I can't imagine ever asking for advice here again.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: opnsenseuser8473 on July 07, 2025, 04:24:05 AM
Quote from: coffeecup25 on July 07, 2025, 02:35:40 AM
passeri,

I stated my situation clearly, completely, and concisely several times. I never even hinted at hidden parts. I won't repeat it since it wouldn't make a difference. Once you provided the private network bits, the clarity appeared and I could confidently ignore some of the horrid advice the internet offered in favor of people who knew something. Until then, everyone's advice carried equal weight, meaning none were worth listening to. Now I think I know enough to make my own rules for this.

Why is it even still unclear and confusing to everyone here? And everyone today has attitude or is a victim when stood up to or not recognized as The Boss.

Your good guy status came simply from trying to be helpful and courteous while being on point concisely. It seems to be uncommon today.

I was also in consulting long ago, not networking. I was good at it. Many of my peers bluffed their way through by providing answers to questions they knew the answers to, not the question that was asked. These people remind me of them. Everyone should have a hobby, though I don't see what you see in them.

I can't imagine ever asking for advice here again.


To be fair I assumed you generally asked how to separate VLANs while keeping internet, as that's what it sounded like. If that's not the question then I apologize. As I can only give basic connection steps at the moment that worked for me.

But if it's the issue, it's just about separating the subnet and putting a block rule for those VLAN subnets in the home network interface rules before your allow rule to the internet.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: cookiemonster on July 07, 2025, 12:01:30 PM
Well. I tried to help from the start (post #3 with you acked on #4), then again tried see post #10 even screenshot (now removed) but you on #11 even started snide comments toward anyone else like me trying to help. After that I've fallen into the "these people" "Other guys" who are "weirdos who hate simple questions" and the target of your displeasure.
Good luck. I'm out.
Title: Re: What I think is a simple question, but I can't get a simple answer to
Post by: passeri on July 07, 2025, 12:41:38 PM
I have some important listening to songbirds to do.