OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: keropiko on August 20, 2019, 01:06:30 pm

Title: VLAN Firewall Traffic & Web Proxy
Post by: keropiko on August 20, 2019, 01:06:30 pm
Hello all,

I have set up some VLAN networks with rules on my firewall to block traffic from some VLANs to others.

On all VLANs I have also enabled the proxy with antivirus on port 80 using NAT rules.

Everything is working fine, except for traffic on port 80, where all VLANs can access each other.

For example, a device in VLAN 20 can access a device's web interface on port 80 in VLAN 30.

I think this is because NAT rules come before interface rules in the firewall? I have tried moving the NAT rule for the proxy below the block rules in the VLAN firewall rules, but nothing happens.

Could someone help me set up the rules so that I also completely block all proxy traffic between the VLANs?

Thank you.
Title: Re: VLAN Firewall Traffic & Web Proxy
Post by: hbc on August 20, 2019, 09:52:55 pm
Does the proxy run on OPNsense? Then you can just allow port 3128 (in your case port 80) to "This Firewall". Then only connections to the VLAN interface addresses of OPNsense are allowed.

In the case of a transparent proxy, create an alias with your local address space (usually RFC 1918) and add it as a NO REDIRECT rule before your proxy redirect rule. Then cross-VLAN traffic will not be forwarded to the proxy and will only pass if a firewall rule exists that allows the traffic.
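To illustrate hbc's advice, here is a hand-written pf ruleset fragment (FreeBSD pf syntax, which is what OPNsense generates from the GUI). It is an added example, not something posted in this thread or copied from OPNsense's generated rules. The interface name vlan20, the alias name rfc1918, the proxy listen address 127.0.0.1:3128 and the VLAN 30 host 192.168.30.10 are assumptions. The point it shows is ordering: pf evaluates translation (rdr) rules first-match, so the "no rdr" exception only works when it sits above the proxy redirect, and once cross-VLAN port 80 traffic is no longer rewritten to the proxy it is the normal filter rules that decide whether it passes.

```pf
# Hypothetical hand-written pf fragment. Interface name, alias name,
# proxy listen address and host addresses are assumptions for the example.

# The GUI alias with the local address space becomes a pf table.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Weak setup: only the redirect rule. ---
# Every port 80 connection from vlan20, including one to a host in VLAN 30,
# is rewritten to the local proxy before the filter rules see the original
# destination, so an inter-VLAN block rule on port 80 never matches it.
# The proxy then opens the connection to VLAN 30 on the firewall's behalf.
#
# rdr on vlan20 inet proto tcp from vlan20:network to any port 80 -> 127.0.0.1 port 3128

# --- Corrected setup: exception first, then the redirect. ---
# Translation rules are first-match in pf; the "no rdr" line must come
# before the redirect or it is never reached.
no rdr on vlan20 inet proto tcp from vlan20:network to <rfc1918> port 80
rdr on vlan20 inet proto tcp from vlan20:network to any port 80 -> 127.0.0.1 port 3128

# Cross-VLAN port 80 traffic now reaches the filter rules untouched, so the
# interface rules decide. OPNsense rules are evaluated top-down with "quick",
# so the specific allow must sit above the general block.
pass in quick on vlan20 inet proto tcp from vlan20:network to 192.168.30.10 port 80
block in quick on vlan20 inet proto tcp from vlan20:network to <rfc1918> port 80
```

From the OPNsense shell, `pfctl -sn` prints the loaded translation rules in evaluation order and `pfctl -sr` the filter rules, which is the quickest way to confirm that the no-redirect line actually lands above the proxy redirect after saving the GUI rules.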
Title: Re: VLAN Firewall Traffic & Web Proxy
Post by: keropiko on August 22, 2019, 12:56:04 pm
Hi, and thank you for the reply.

Yes, I have it on OPNsense as a transparent proxy.

As you told me, I have made a NO redirect NAT rule for RFC 1918, above the redirect NAT rule for the proxy, and now the devices from the different VLANs cannot access the devices on port 80 in the other VLANs.

Now the problem is that even with firewall rules, if I want to permit access from specific VLANs to some of the devices on port 80 in the other VLAN, it does not work.

Secondly, I get 503 errors on devices with HTTP to HTTPS redirection on the LAN that are accessible through dynamic DNS with NAT reflection enabled, so I have inserted the WAN dynamic IP together with the RFC 1918 exception in the no redirect rule.