OPNsense Forum

English Forums => General Discussion => Topic started by: Jjabba on September 16, 2019, 03:21:17 am

Title: Config Two completely separate home networks with one shared internet connection
Post by: Jjabba on September 16, 2019, 03:21:17 am
My neighbor and I want to share an internet connection. I run OPNsense on hardware with 3 Ethernet ports, so basically the idea is to use port A as WAN, port B as my LAN (i.e. 192.168.1.*) and port C as my neighbor's LAN (i.e. 192.168.10.* or 10.0.0.*).

Both LAN 1 and LAN 2 need to be able to access the internet provided via the WAN port.
Furthermore, no communication should be allowed between LAN 1 and LAN 2.
I.e. no Samba file shares, Bonjour discovery or other home network features should bleed over from one LAN to the other.

Would this be possible to achieve using OPNsense?
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: chemlud on September 16, 2019, 09:00:17 am
With correct setup of firewall rules/config you can achieve isolation of two subnets on two different interfaces. But you share ONE piece of hardware, with all risks (logs are accessible, box might get compromised one way or the other, which DNS to use, who gets how much bandwidth, etc. etc. etc.).

If you are really close with your neighbor (now), you might get this to work. But it might be tricky in the long run, my opinion... ;-)

Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Jjabba on September 17, 2019, 05:08:33 am
Great! I am not very close with my neighbor but I’m on a symmetrical gigabit fiber connection so I hope that will make up for it.  ;)

If anyone has more hands on experience of exactly what type of rules I need to set up that would be helpful.
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Mks on September 17, 2019, 06:54:44 am
Hi,

for sure you can do that. It's possible in multiple ways, with physical interfaces or via VLANs.

However, whoever owns the box has full control over the traffic; the question is whether your neighbour trusts you ;)

br
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Jjabba on September 24, 2019, 08:54:40 am
 :D The box would be under my professional supervision so that's not a problem. I just got it up and running and configured it to run the separate LANs on the different physical ports. Now how should I go about blocking off the two LANs from each other? I'm guessing it's in the firewall section of the OPN web configuration interface...
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: banym on September 24, 2019, 02:01:31 pm
Hi,

basically set up the block rules on each interface.
You can follow this guide and adapt it to your networks: https://docs.opnsense.org/manual/how-tos/guestnet.html
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Mks on September 25, 2019, 06:46:08 am
Hi,

if you have separate LANs, then basically, if you do not define an allow rule, access from one LAN to another is not possible. But we do not know your setup in detail, so any advice is a guessing game ;-).

br
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Jjabba on October 02, 2019, 07:56:16 pm
I've now run the setup for some time and currently I'm experiencing some 'bleedover'.
In OS X, my neighbour's SMB share is listed under 'Shared' in my Finder windows.

Here are some of my DHCPv4 leases:

Interface     IP address       MAC address          Hostname
MYLAN         192.168.1.12     00:00:00:00:00:d2    access point
MYLAN         192.168.1.20     00:00:00:00:00:7b    amazon
NEIGHBORLAN   192.168.100.11   00:00:00:00:00:c0    access point
NEIGHBORLAN   192.168.100.16   00:00:00:00:00:d4    DESKTOP-PC
NEIGHBORLAN   192.168.100.18   00:00:00:00:00:46    iPhone-X

Firewall rules for MYLAN

Protocol   Source      Port   Destination   Port   Gateway   Schedule   Description
IPv4 *     MYLAN net   *      *             *      *         *          Default allow LAN to any rule
IPv6 *     MYLAN net   *      *             *      *         *          Default allow LAN IPv6 to any rule

Firewall rules for NEIGHBORLAN

Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
IPv4+6 *   *        *      MYLAN net     *      *         *          Block all traffic to MYLAN
IPv4 *     *        *      *             *      *         *          Default allow LAN to any rule
IPv6 *     *        *      *             *      *         *          Default allow LAN IPv6 to any rule

Does anyone know how I might block the Samba detection bleed over?
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: banym on October 02, 2019, 09:06:32 pm
Check if you get tricked by IPv6. You allow everything from your neighbor to any WITH IPv6.
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Mks on October 03, 2019, 07:09:51 am
According to your config you (MYLAN) have access to everything, at least on IPv4.

Br
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: banym on October 03, 2019, 08:16:36 am
Oh yes, the block rule on your interface is missing.
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Jjabba on October 04, 2019, 06:07:56 am
Thanks! That did the trick. I added the same IPv4+6 blocking rule for traffic from MYLAN to NEIGHBORLAN and now I have no more bleed over from Samba shares.  ;D

However, this has made me realize something is flawed in my understanding of how the firewall operates. I am fairly familiar with how TCP/IP works, including the difference between the UDP and TCP protocols etc.
My initial understanding made me reason like this:
- by blocking NEIGHBORLAN from sending any traffic to MYLAN, any attempt to send _requests_ AND _respond to requests_ would be blocked.
Obviously that wasn't the case.
My new hypothesis is that:
- the bleed-over occurred because my computer on MYLAN sent some type of Samba broadcast request, which made it to NEIGHBORLAN, where the firewall allowed some device to "answer" that request (as it was instigated by a device on MYLAN).
MYLAN                                NEIGHBORLAN
rule in effect
CPU1           <----blocked----<     CPUX
CPU1               [nothing]         CPUX

rule _not_ in effect (bleed over)
CPU1           >----allowed---->     CPUX
CPU1           <----allowed----<     CPUX

Can someone confirm?
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Mks on October 04, 2019, 06:19:07 am
Hi.

OPNsense works on a per-interface level (incoming).
Search a bit for incoming rules; this is how it works.

Br
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Jjabba on October 04, 2019, 08:59:46 am
I did some reading but frankly it didn't make it more clear to me. I guess my problem understanding this stems from how the rule I set up for NEIGHBORLAN above clearly asks me to provide Source as well as Destination. This IMO implies that a blocking rule for any traffic with destination 'MYLAN' would be a valid configuration, but from what I read that is then an 'outbound' firewall block, which is not how OPNsense operates...  :o
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Mks on October 04, 2019, 12:11:50 pm
Hi,

Firewall rules control what traffic is allowed to enter an interface on the firewall. Once traffic is passed on the interface, an entry in the state table is created.

You should read the rule like this:

(MYLAN) Interface
IPv4 *   MYLAN net   *   *   *   *   *   Default allow LAN to any
Every IPv4 packet which arrives (incoming) at the "MYLAN Interface" is checked if
- IP is within the MYLAN range,
- Port *
- Destination *

If everything matches, the packet is allowed.

Ok?

br
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Mks on October 05, 2019, 07:11:16 am
Have also a look at franco's post here to understand how OPNsense handles packets: https://forum.opnsense.org/index.php?topic=6587.msg30876#msg30876
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Jjabba on October 24, 2019, 09:14:42 am
Quote
You should read the rule like this:

(MYLAN) Interface
IPv4 *   MYLAN net   *   *   *   *   *   Default allow LAN to any
Every IPv4 packet which arrives (incoming) at the "MYLAN Interface" is checked if
- IP is within the MYLAN range,
- Port *
- Destination *

If everything matches, the packet is allowed.

Ok?

That is simple enough,
but what I really want to know is how I should read this rule:

Firewall rules for NEIGHBORLAN

Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
IPv4+6 *   *        *      MYLAN net     *      *         *          Block all traffic to MYLAN

Applying your formula I would think it reads something like:
> Every IPv4 and IPv6 packet leaving NEIGHBOUR LAN (outgoing)
is checked if
-IP is *
-Port *
-Destination within "MYLAN"
Block it.

But apparently that is not the reality, so how do I read this rule and what is the effect of it?

Also, if only incoming traffic is affected, why does the interface even allow me to add this rule in the first place?!
Title: Re: Config Two completely separate home networks with one shared internet connection
Post by: Mks on October 24, 2019, 12:57:16 pm
Hi.

You need to differentiate between your NEIGHBOR_LAN range and the neighbor interface.

Neighbor LAN IP range is 192.168.100.0/24

Your rule:

Every packet which enters the Neighbour LAN interface (incoming on the Neighbour LAN interface) is blocked if it is IPv4 or IPv6 and the destination IP is within the 192.168.1.0/24 range.

Br
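To make the interface-level, stateful behaviour that Mks describes concrete, here is a small constructed model (an added example, not OPNsense or pf code) of the two rule sets from this thread. It assumes what the thread states: rules are evaluated on the interface a packet enters, first match wins with a default block, and a state created by a passed packet lets the reply through on the other interface before any rule is consulted; protocol and port columns are left out and the ingress interface is taken from the source network.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the two interfaces from the thread (example only, not OPNsense code).
NETS = {"MYLAN": ipaddress.ip_network("192.168.1.0/24"),
        "NEIGHBORLAN": ipaddress.ip_network("192.168.100.0/24")}

@dataclass
class Rule:
    action: str        # "pass" or "block"
    src: str = "*"     # "*" (any) or an interface name, meaning "<name> net"
    dst: str = "*"

def matches(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in NETS[spec]

@dataclass
class Firewall:
    rules: dict                              # interface -> rules, first match wins
    states: set = field(default_factory=set)

    def ingress(self, src):
        # A packet is filtered on the interface it ENTERS, i.e. the one whose network holds its source.
        return next(n for n, net in NETS.items() if ipaddress.ip_address(src) in net)

    def packet(self, src, sport, dst, dport):
        # The state table is consulted before the rule set: the reply to a flow
        # that was passed on the other interface is accepted without any rule.
        if (dst, dport, src, sport) in self.states:
            return "pass (state)"
        for r in self.rules.get(self.ingress(src), []):
            if matches(r.src, src) and matches(r.dst, dst):
                if r.action == "pass":
                    self.states.add((src, sport, dst, dport))
                return r.action
        return "block (default)"

def smb_flow(rules, client, server):
    """Client opens TCP/445 to server; returns (request verdict, reply verdict)."""
    fw = Firewall(rules)
    req = fw.packet(client, 50000, server, 445)
    if not req.startswith("pass"):
        return req, "no reply"                # the server never saw the request
    return req, fw.packet(server, 445, client, 50000)

ALLOW_ANY = Rule("pass")
ONE_SIDED = {"MYLAN": [ALLOW_ANY],            # the thread's first configuration
             "NEIGHBORLAN": [Rule("block", dst="MYLAN"), ALLOW_ANY]}
BOTH_SIDES = {"MYLAN": [Rule("block", dst="NEIGHBORLAN"), ALLOW_ANY],
              "NEIGHBORLAN": [Rule("block", dst="MYLAN"), ALLOW_ANY]}
```

With ONE_SIDED, `smb_flow(ONE_SIDED, "192.168.1.12", "192.168.100.16")` returns `('pass', 'pass (state)')`: the MYLAN default-allow rule creates the state and the neighbour's reply rides on it, which is the bleed over seen in the thread; with BOTH_SIDES the same call returns `('block', 'no reply')`.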