OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: daniel78 on January 03, 2019, 08:30:08 am

Title: Many VLAN/zones/interfaces - Internet access only from zones (again)
Post by: daniel78 on January 03, 2019, 08:30:08 am
Hi!

Sorry if my first question is a) a stupid one and b) has been asked quite a few times (at least according to a quick Google search, that's the case), but I am asking it because I did not get the answer right... Thanks for your help!

I have an OPNsense device with lots of interfaces/zones/VLANs. Most of these "zones" are internet-access-only, and there should be (mostly) no zone-to-zone transfer. Firewalling sounds easy at first.

Everything that isn't explicitly allowed is blocked. But how to allow "Internet" access for zones? There seems to be no alias/object for "internet", so there needs to be an ANY ANY ALLOW rule for Internet access, doesn't it? Other rules need to BLOCK access to the other zones manually to make this setup work. I have read about the RFC1918-alias workaround too, to, well, work around this, but is this still the recommended way of handling this?

Is there another option which I am missing? Is there a planned change? Is this changeable? Sorry, I have very little background in pf and BSD*, coming from a Linux firewall which just had an "Internet" object to use in the ruleset...

Again thanks for any help on this.

Best regards
daniel

Title: Re: Many VLAN/zones/interfaces - Internet access only from zones (again)
Post by: Mks on January 03, 2019, 09:41:09 am
Hi, you create an Alias RFC1918 (only private addresses) and invert the destination in your internet access rule.

Destination !RFC1918 (exclamation mark is important) means all IPs except private address ranges (which is the Internet ;)). Nothing wrong with that.

br
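Added example (not from this thread or from the OPNsense project): a small Python model of the rule Mks describes, using the standard `ipaddress` module. It evaluates pf-style first-match rules for one "Internet only" zone, so you can see what `pass from <zone net> to !RFC1918` actually lets through before you commit it to a box with many VLANs. The zone layout (VLAN10 = 192.168.10.0/24 with the firewall at 192.168.10.1, VLAN20 = 192.168.20.0/24), the DNS-to-firewall rule, and the `NOT_INTERNET_EXTRA` ranges are constructed for the demo; the RFC 1918 blocks themselves are the real ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The three RFC 1918 blocks, i.e. what an "RFC1918" alias normally contains.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed for the demo: ranges that are not RFC 1918 but are not "the Internet"
# either. A bare !RFC1918 destination still lets traffic to these pass.
NOT_INTERNET_EXTRA = [ip_network(n) for n in (
    "100.64.0.0/10",   # RFC 6598 CGNAT, common on the ISP/WAN side
    "169.254.0.0/16",  # IPv4 link-local
    "127.0.0.0/8",     # loopback
    "224.0.0.0/4",     # multicast
)]
NOT_INTERNET = RFC1918 + NOT_INTERNET_EXTRA


@dataclass
class Rule:
    """One pf-style 'quick' rule: the first rule that matches decides."""
    action: str                  # "pass" or "block"
    src: object                  # ip_network the source address must belong to
    dst_alias: list              # list of ip_network, like an OPNsense alias
    dst_negate: bool = False     # the "!" (Destination / Invert) on the alias
    dport: Optional[int] = None  # None = any destination port


def in_alias(addr, alias) -> bool:
    """True if addr falls inside any network of the alias."""
    a = ip_address(addr)
    return any(a in net for net in alias)


def evaluate(rules, src, dst, dport=None) -> str:
    """Walk the rules in order; fall through to the implicit default deny."""
    for r in rules:
        if ip_address(src) not in r.src:
            continue
        matched = in_alias(dst, r.dst_alias)
        if r.dst_negate:
            matched = not matched
        if not matched:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


def internet_only_ruleset(zone_net, zone_gw, alias):
    """
    Ruleset for one "Internet only" zone (hypothetical layout):
      1. allow DNS to the firewall's own address in that zone; without this,
         rule 2 blocks it, because the gateway address is itself RFC 1918
      2. pass from the zone network to !alias (everything not in the alias)
    """
    zone = ip_network(zone_net)
    return [
        Rule("pass", zone, [ip_network(zone_gw)], dport=53),
        Rule("pass", zone, alias, dst_negate=True),
    ]


# Constructed zone: VLAN10 clients, firewall at 192.168.10.1.
VLAN10_RULES = internet_only_ruleset("192.168.10.0/24", "192.168.10.1", RFC1918)
VLAN10_RULES_STRICT = internet_only_ruleset("192.168.10.0/24", "192.168.10.1", NOT_INTERNET)


def demo():
    """Evaluate a few constructed flows under both aliases; returns {label: (plain, strict)}."""
    client = "192.168.10.50"
    cases = [
        ("public web",        "1.1.1.1",      443),
        ("other zone VLAN20", "192.168.20.7", 443),
        ("firewall DNS",      "192.168.10.1", 53),
        ("firewall GUI",      "192.168.10.1", 443),
        ("CGNAT next hop",    "100.64.1.1",   443),
    ]
    return {label: (evaluate(VLAN10_RULES, client, dst, port),
                    evaluate(VLAN10_RULES_STRICT, client, dst, port))
            for label, dst, port in cases}


if __name__ == "__main__":
    for label, (plain, strict) in demo().items():
        print(f"{label:18s} !RFC1918: {plain:5s}  !NOT_INTERNET: {strict}")
```

Two things the model makes visible. First, the inverted alias blocks zone-to-zone traffic and the firewall's own GUI, but it also blocks the firewall's DNS/DHCP/NTP for that zone, so any service the zone needs from the firewall has to be allowed by an earlier rule. Second, "not RFC 1918" is not the same as "the Internet": CGNAT (100.64.0.0/10) and link-local ranges are not in the alias, so if your WAN side or any zone uses them, add them to the alias (and use fc00::/7 for an IPv6 rule, since the RFC 1918 alias says nothing about IPv6).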