Hi, I'm struggling with the VLAN for the guest WiFi. I've read the official guide https://docs.opnsense.org/manual/how-tos/guestnet.html, but I have a question.
Basically, a firewall blocks everything that isn't explicitly allowed.
If I understand correctly, the tutorial says to create a rule to block access to the VLANs we don't want guests to access, and then create an "any-any" rule. This configuration doesn't seem like best practice; I would expect one or a series of rules to allow only what's needed.
I should point out that by following the guide, devices connecting to the guest WiFi access the internet correctly and don't see objects on the LAN. However, I tried to configure it to only allow what's needed, but I couldn't.
I'll add some details about my network topology (very common) that might help understand what actually needs to be done to achieve this goal:
FTTH - ONT - OPNsense WAN - OPNsense - OPNsense LAN (multi-VLAN) - managed L3 switch - client + managed access point with VLAN support.
Default VLAN 1 (LAN): 192.168.1.0/24
VLAN2 (Wireguard LAN): 192.168.2.0/24
VLAN3 (Video Surveillance): 192.168.3.0/24
VLAN4 (IoT): 192.168.4.0/24
VLAN5 (Guest): 192.168.5.0/24
VLAN6 (Untrusted/Unfiltered Devices): 192.168.6.0/24
VLAN7 (Management): 192.168.7.0/24
Adguard Home is on my LAN. I have a firewall rule that allows all VLANs to reach the AGH CT on ports 53/443/853.
If I wanted VLAN5 to only reach AGH and the Internet, excluding everything else, how would I write the rule?
With the initial pass rule 53/443/853 to 192.168.1.x (AGH), I see traffic passing through VLAN5 and reaching the DNS server correctly. With other pass rules to the WAN, the most I can get is a Default deny/state violation rule.
I'm probably stuck on something I'm missing.
Since "the Internet" is by definition "all public addresses in use" and hence "any" you need to allow access to "any" for guests to access the Internet. So you need to block your local networks explicitly.
Only what is needed is exactly "everything except the other local networks".
Quote from: Mario_Rossi on Today at 03:36:32 PM
Default VLAN 1 (LAN): 192.168.1.0/24
VLAN2 (Wireguard LAN): 192.168.2.0/24
VLAN3 (Video Surveillance): 192.168.3.0/24
VLAN4 (IoT): 192.168.4.0/24
VLAN6 (Untrusted/Unfiltered Devices): 192.168.6.0/24
VLAN7 (Management): 192.168.7.0/24
- Put those in one Alias called "My_Networks" to avoid having to create multiple Firewall Rules that block each network.
- And then create a rule that's something like: Allow from Guest Network to !My_Networks
To allow Internet Access for VLAN5 (Guest): 192.168.5.0/24 in combination with your DNS Server rule.
- Also add one rule that Blocks direct contact with your OPNsense of course.
From the top of my head, did not check everything, but this should be pretty much it :)
Um, okay, I'll think about it... it seemed more intuitive to make a "pass to WAN" rule, but what you're saying makes sense.
P.S. I switched from the old rule system to the new one, so I find myself having to fix several things that used to work and now don't.
Quote from: Mario_Rossi on Today at 04:59:47 PM
Um, okay, I'll think about it... it seemed more intuitive to make a "pass to WAN" rule, but what you're saying makes sense.
You could have done that on the EOL Sidewinder firewall which had a concept of "from interface X to interface Y" (or "zones" as they called them).
In OPNsense you can apply a rule to the interface to which the system in question is connected, but then the only destination selector is IP addresses or networks - not which way the packet leaves.
Users frequently confuse "WAN net" with the Internet. Nope. WAN net is the network locally connected to your WAN interface and nothing else.
What you could do is to create an "allow from guest net to any" rule and explicitly set the gateway to the WAN gateway. This has a small chance of unintended leaks, though. In case of IPv6 for example your ISP gateway might route packets for your other local networks back to OPNsense. For IPv4 and strictly RFC 1918 it should work ok.
But best really create those block rules or create a group named "local networks" and use "! local networks" as the destination instead of "any".
Thanks for the advice.
I was looking for RFC1918 and couldn't find it, then I realized I had to create an alias with
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Then I deleted the two rules from the tutorial and created just one with source VLAN5 and destination !RFC 1918.
Now I'm testing it and it seems to work... AGH responds because there's an upstream rule that allows all VLANs to communicate with the AGH CT, but everything in the internal VLANs isn't reachable because there's no rule that allows it.
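To make the first-match logic of the final rule set concrete, here is an added simulation (not OPNsense code and not from anyone in this thread) that evaluates sample guest packets against the "DNS to AGH, then pass to !RFC1918" rules and against the mistaken "pass to WAN net" variant. The AGH address 192.168.1.53 and the WAN-net subnet 203.0.113.0/24 are constructed placeholders; protocol (TCP vs UDP) is ignored.

```python
import ipaddress

# Constructed aliases mirroring the thread; the AGH and WAN-net addresses are placeholders.
ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "VLAN5 net": ["192.168.5.0/24"],
    "AGH": ["192.168.1.53/32"],      # hypothetical AdGuard Home container address on the LAN
    "WAN net": ["203.0.113.0/24"],   # hypothetical ISP-facing subnet: this is NOT "the Internet"
}

def in_alias(addr, alias):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ALIASES[alias])

def rule_matches(rule, src, dst, dport):
    # A rule matches only when source, (possibly negated) destination and port all match.
    if not in_alias(src, rule["src"]):
        return False
    dst_hit = in_alias(dst, rule["dst"])
    if rule.get("not_dst", False):
        dst_hit = not dst_hit          # "!alias" destination, as in "!RFC1918"
    if not dst_hit:
        return False
    return rule.get("ports") is None or dport in rule["ports"]

def evaluate(rules, src, dst, dport):
    # First-match semantics (OPNsense "quick" rules); unmatched traffic hits the default deny.
    for rule in rules:
        if rule_matches(rule, src, dst, dport):
            return rule["action"]
    return "block"

# The final rule set from the thread: DNS/DoH/DoT to AGH first, then pass to everything not RFC 1918.
GUEST_RULES = [
    {"action": "pass", "src": "VLAN5 net", "dst": "AGH", "ports": {53, 443, 853}},
    {"action": "pass", "src": "VLAN5 net", "dst": "RFC1918", "not_dst": True},
]

# The "pass to WAN net" misreading: WAN net only covers the subnet on the WAN interface.
WAN_NET_RULES = [
    {"action": "pass", "src": "VLAN5 net", "dst": "AGH", "ports": {53, 443, 853}},
    {"action": "pass", "src": "VLAN5 net", "dst": "WAN net"},
]

if __name__ == "__main__":
    for dst, port in [("1.1.1.1", 443), ("192.168.1.53", 53), ("192.168.3.20", 554)]:
        print(f"guest -> {dst}:{port}: {evaluate(GUEST_RULES, '192.168.5.10', dst, port)}")
        print(f"  (WAN net variant): {evaluate(WAN_NET_RULES, '192.168.5.10', dst, port)}")
```

Because the AGH rule is port-restricted, a guest reaching 192.168.1.53 on any other port falls through to the negated RFC1918 rule, which does not match, and ends at the default deny.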