OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Taomyn on January 22, 2019, 09:44:14 am

Title: How to enable restricted traffic between local networks?
Post by: Taomyn on January 22, 2019, 09:44:14 am

I have two separate local networks on my firewall, on different NICs, each with its own subnet. One is designated LAN (192.168.1.x), the other GUEST_LAN (192.168.100.x), and each has its own access point set up. This is all working well without issues except for one thing: I cannot manage the AP or any other resources on GUEST_LAN whilst connected to LAN. It's not the end of the world, as I can jump onto another device on GUEST_LAN, but it's sometimes a little frustrating.


Is there a safe way to enable access for all devices on LAN to access all devices on GUEST_LAN but not the other way? I'm not sure what I need to configure to get this working or if it's actually possible or even advisable to do this.
Title: Re: How to enable restricted traffic between local networks?
Post by: ab5g on January 22, 2019, 02:45:15 pm
This is pretty much a standard configuration. You can safely enable this by

Firewall: Rules: LAN
Source: LAN net; Destination: any; Action: Allow

Firewall: Rules: GUEST_LAN
Source: GUEST_LAN net; Destination: !LAN net; Action: Allow
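The two GUI rules above, written out as the equivalent pf ruleset so the evaluation order and the state handling are visible. This is an added example, not the poster's configuration and not the rules file OPNsense itself generates; the interface names, the /24 masks and the file path are assumptions for illustration only. It can be syntax-checked on any FreeBSD/pf host with `pfctl -nf <file>`.

```pf
# /tmp/lan-guest-example.conf  -- constructed example, not an OPNsense-generated file.
# Interface names and prefix lengths are assumptions; substitute your own.
lan_if    = "igb1"
guest_if  = "igb2"
lan_net   = "192.168.1.0/24"
guest_net = "192.168.100.0/24"

set skip on lo0

# Default deny on every interface. "log" matters: a blocked GUEST_LAN -> LAN
# packet shows up in the firewall log, which is how you confirm the rules below
# are actually the ones matching (see the logging advice later in the thread).
block log all

# Firewall: Rules: LAN  --  Source LAN net, Destination any, Allow.
# The state is created on the LAN interface when the first packet arrives, so
# the reply traffic coming back in on $guest_if is passed by that state even
# though no GUEST_LAN rule permits GUEST_LAN -> LAN. "quick" = first match wins,
# which is how OPNsense interface rules are evaluated.
pass in quick on $lan_if inet from $lan_net to any keep state

# Firewall: Rules: GUEST_LAN  --  Source GUEST_LAN net, Destination !LAN net, Allow.
# "! $lan_net" is what the GUI's "Destination / invert" checkbox produces:
# guests reach the Internet and the firewall's own guest-side address
# (DHCP/DNS), but every new connection towards 192.168.1.0/24 falls through
# to the "block log all" line.
pass in quick on $guest_if inet from $guest_net to ! $lan_net keep state
```

Two things worth checking once the rules are in place: no earlier rule on GUEST_LAN (or a floating rule with "quick") may already be matching the traffic, since the first match decides, and the inverted destination only covers the LAN subnet itself, so any other internal network you add later needs its own entry in that "not" destination (an alias holding all internal ranges is the usual way to keep that in one place).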
Title: Re: How to enable restricted traffic between local networks?
Post by: Taomyn on January 22, 2019, 04:10:05 pm
This is pretty much a standard configuration. You can safely enable this by

Firewall: Rules: LAN
Source: LAN net; Destination: any; Action: Allow

Firewall: Rules: GUEST_LAN
Source: GUEST_LAN net; Destination: !LAN net; Action: Allow


I already have a rule on the LAN part of the firewall doing exactly that, yet I cannot contact anything on the other network from either network. It's the default rule.
Title: Re: How to enable restricted traffic between local networks?
Post by: Nico on January 23, 2019, 01:43:46 pm
Enable logging for certain rules and see if an earlier rule applies or if those rules apply at all.
Title: Re: How to enable restricted traffic between local networks?
Post by: Taomyn on January 23, 2019, 02:36:24 pm
Enable logging for certain rules and see if an earlier rule applies or if those rules apply at all.


For LAN and GUEST_LAN I only have the default allow rules, all the other rules under "Floating" and "WAN" are for external networks.


I tried to add a rule with source "LAN net" and destination "GUEST_LAN net" under "GUEST_LAN", but that made no difference.
Title: Re: How to enable restricted traffic between local networks?
Post by: Nico on January 23, 2019, 02:40:11 pm
Yet again: enable logging for those to see if they match or not.
Title: Re: How to enable restricted traffic between local networks?
Post by: Taomyn on January 23, 2019, 04:09:42 pm
I enabled logging, and also the extra logging from the system settings, and the only hits for the IPs on GUEST_LAN were these