OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: olivernz on September 17, 2019, 11:41:19 am

Title: VLANs and Firewalling
Post by: olivernz on September 17, 2019, 11:41:19 am
Hi all,

Sorry for asking but I just can't seem to get this sorted. I have about 5 VLANs on my network. All working fine except I can't get the FW rules working as I want them to. So HELP!! Before I go nuts. Here's the rule examples I'd need:

1) block traffic between VLANs
2) allow VLAN to a specific server
3) block VLAN to internet

Help!

Thanks heaps
Oliver

Sent from my ONEPLUS A6013 using Tapatalk

Title: Re: VLANs and Firewalling
Post by: banym on September 17, 2019, 03:40:50 pm
Hi Oliver,

If you have private networks on the VLANs, you could create an alias for all RFC1918 networks and create a block rule on each interface.

Before (above) that block rule you should add rules for the traffic that is allowed between those VLANs or directly with the firewall interface (NTP and DNS, for example).

After (below) that block rule you can add rules like:
Allow: LAN 1 -> ANY : ANY


By that, all traffic to your firewall or between VLANs is processed by your allow rules.
All other traffic between your VLANs is blocked by the block rule, but only from RFC1918 networks.

Hope that helps.
For a detailed guide you can use the guest network howto as reference: https://docs.opnsense.org/manual/how-tos/guestnet.html

Regards,

Dominik
Title: Re: VLANs and Firewalling
Post by: olivernz on September 17, 2019, 10:01:26 pm
Thanks. Will give it a shot.
Title: Re: VLANs and Firewalling
Post by: olivernz on September 23, 2019, 10:26:53 am
Hi,

So I tried everything again and nothing works on any logic I can fathom. You can see my rules below. All floating rules are automatic.
I so F'n HATE firewalls. I swear if I get this going I'll write a blog post for the lost.

Most of the time, any traffic from VLAN90 that hits anything goes to the default deny rule. But oddly, traffic and pings work, yet they don't show up in the Live log! I don't get it.

Cheers
oliver
Title: Re: VLANs and Firewalling
Post by: banym on September 23, 2019, 01:35:36 pm
Have you set the allow rules to logging?

Title: Re: VLANs and Firewalling
Post by: FlangeMonkey on September 23, 2019, 01:55:57 pm
If you think the rules are correct, try resetting the states, under Diagnostics.
Title: Re: VLANs and Firewalling
Post by: banym on September 23, 2019, 03:05:58 pm
Or use the inspect functionality to see if the rules are processed.
Title: Re: VLANs and Firewalling
Post by: olivernz on September 25, 2019, 08:57:50 am
Yeah I have reset rules under Diagnostics. Did nothing. I generally check what works in the Live view. I'll try the inspect.
Title: Re: VLANs and Firewalling
Post by: Sirius1 on September 26, 2019, 01:58:03 am
Traffic blocking between VLANs will work.

Generally, but maybe I'm more old-school, I always feel it's better to explicitly set your 'Source' as you did with the DNS Server rule. This eliminates any question of how your * wildcard might be interpreted.

Re: The VLAN blocking from your last rule, I'm really not sure how that Destination you have defined would work out. The most direct way to do this is what an earlier poster noted: Create an alias for all RFC1918 networks, then create an explicit Deny rule: Use your last rule as a guide and use 'VLAN90 net' as the Source, and change the Destination to the RFC1918 alias.

That should block traffic from VLAN90 to other VLANs.
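As an added illustration of the rule order banym and Sirius1 describe (allow to the DNS server first, then block VLAN90 to an RFC1918 alias, then allow anything else), here is a small first-match evaluator. It is example code, not anything from OPNsense or the posters; the addresses (VLAN90 as 192.168.90.0/24, a DNS server at 192.168.10.53) are constructed, and it assumes first-match semantics, which is how OPNsense interface rules behave with the default "quick" setting.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Alias covering all RFC1918 private ranges, as suggested in the thread.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

# Constructed sample addressing (assumption, not from the thread).
VLAN90_NET = [ip_network("192.168.90.0/24")]
DNS_SERVER = [ip_network("192.168.10.53/32")]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: List                    # list of networks, i.e. an alias
    dst: List
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (any(ip_address(src_ip) in n for n in self.src)
                and any(ip_address(dst_ip) in n for n in self.dst)
                and (self.dport is None or self.dport == dport))


# Rules on the VLAN90 interface in the order the thread recommends:
# explicit allows above the RFC1918 block, a general allow below it.
VLAN90_RULES = [
    Rule("pass", VLAN90_NET, DNS_SERVER, 53),
    Rule("block", VLAN90_NET, RFC1918),
    Rule("pass", VLAN90_NET, ANY),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int = 0) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"


if __name__ == "__main__":
    for pkt in [("192.168.90.20", "192.168.10.53", 53),   # DNS: pass
                ("192.168.90.20", "192.168.20.5", 445),   # other VLAN: block
                ("192.168.90.20", "1.1.1.1", 443)]:       # internet: pass
        print(pkt, "->", evaluate(VLAN90_RULES, *pkt))
```

Dropping the final "pass to ANY" rule gives Oliver's third case (no internet for that VLAN), and swapping the first two rules shows why the DNS allow must sit above the block.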
Title: Re: VLANs and Firewalling
Post by: banym on September 26, 2019, 11:33:13 am
Generally, but maybe I'm more old-school, I always feel it's better to explicitly set your 'Source' as you did with the DNS Server rule. This eliminates any question of how your * wildcard might be interpreted.

I don't think that is old-school; it is good style. I tend to specify all rules as explicitly as possible. This helps with debugging.