OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: marcelmah on April 21, 2020, 04:06:24 pm

Title: Guest LAN block
Post by: marcelmah on April 21, 2020, 04:06:24 pm
Hi,

I've been configuring a guest VLAN for guest WiFi.

I have it working (really simple! including traffic shaper), but I can't get it to block inter-VLAN routing.
My guest LAN is VLAN 38 and I do not want it to be able to ping / access anything on VLAN 1.

I searched and as far as I understand it should block it by default. So I compared a new install to mine and all the rules are the same (mine is an upgrade from version 16 etc etc I think).

To test if it works I have created a new VM (everything is running on ESXi) and booted Ubuntu live. This VM has one network card, which is in the 'port group' Guest, which is in VLAN 38.
The VM gets a DHCP address from OPNsense in the correct VLAN and I can access the Internet, but also VLAN 1...

I would like to know what I can do to block this; everything I tried myself (different rules) did not work.
Disabling the rule to allow Internet does not change the VLAN 1 access.
Title: Re: Guest LAN block
Post by: Mad-Onion on April 23, 2020, 11:24:14 am
So what does your ruleset for VLAN38 look like? "Allow any from VLAN38 to any"? That would mean that traffic to local RFC 1918 addresses (192.168/16, 172.16/12, 10/8) is also allowed, and that's why you get routed in the wrong direction to VLAN1.

In my case I have to separate several nets with internet access from each other (similar to you), so every interface's ruleset starts with a "deny access to RFC 1918 nets" rule followed by the allow-any-out rules. I'm not sure if this is the "normal" way to go, but it works...

In my company we use BSD-based genuscreen firewalls from the company genua, where I can define the incoming AND outgoing interface for each rule. There the rule would look like "Allow from vlan31-net coming in via VLAN31-interface to ANY outgoing via WAN-interface". No problem with routing back into VLAN1.
A possibility I would love to have on OPNsense <3
Title: Re: Guest LAN block
Post by: marcelmah on April 23, 2020, 11:42:43 am
Hi,

See attached screenshot.

The last one is with a test rule which has NO effect.
My Ubuntu Live test VM can still ping to the LAN and Internet (Internet is supposed to keep working).

PS. I need to post multiple replies because of the size limit...
Title: Re: Guest LAN block
Post by: marcelmah on April 23, 2020, 11:43:10 am
2nd attachment
Title: Re: Guest LAN block
Post by: marcelmah on April 23, 2020, 11:43:24 am
3rd attachment
Title: Re: Guest LAN block
Post by: Mad-Onion on April 23, 2020, 12:43:42 pm
I'd say the last screenshot should be fine. Did you reboot the OPNsense between the tests of the different rulesets? Maybe the pf state was still alive and allowed the ping?!
Title: Re: Guest LAN block
Post by: marcelmah on April 23, 2020, 01:11:30 pm
No... will try that tonight!
Title: Re: Guest LAN block
Post by: marcelmah on April 23, 2020, 08:11:55 pm
FFS! That was it... thanks!
Title: Re: Guest LAN block
Post by: Mad-Onion on April 24, 2020, 06:28:56 am
pf doesn't check its ruleset for every packet to see if it's allowed to pass. It does this for the first packet of its kind and creates a state, in which it remembers its decision. Your old ruleset allowed the ping to pass -> the pass was saved in a state. Your new ruleset would deny it, but the state's timeout was not reached, and so the new ruleset was not checked.
Under the Firewall > Diagnostics menu there are tools to view and reset those pf states. But the reboot was the simplest method in your case.
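The two points made in this thread, Mad-Onion's "block RFC 1918 first, then allow any" ordering and the stale-state behaviour explained in the post above, can be reproduced with a small model of a stateful packet filter. The following is an added illustration, not OPNsense or pf code: the guest subnet 192.168.38.0/24, the VLAN 1 host 192.168.1.5 and the rule names are made-up, states are keyed only on the source/destination pair (real pf also keys on protocol and ports), and rules are evaluated first-match-wins, which mirrors OPNsense adding the "quick" keyword to interface rules by default.

```python
"""Toy model of pf's stateful filtering.

Added example (not OPNsense/pf code). Shows two things from the thread:
1. "pass from guest to any" also reaches RFC 1918 nets, so a "block to
   RFC 1918" rule must come before it (first matching rule wins).
2. A ruleset change does not touch existing state entries: a ping that
   was allowed under the old rules keeps passing until the state table
   is reset (Firewall > Diagnostics > States, or a reboot).
Addresses below are constructed for the demo.
"""
import ipaddress

# Private ranges Mad-Onion blocks ahead of the allow-any-out rule.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def rule(action, src, dst):
    """Build a rule tuple. action: 'pass' | 'block'; src: CIDR string;
    dst: 'any', 'rfc1918' or a CIDR string."""
    if dst == "any":
        dst_nets = ANY
    elif dst == "rfc1918":
        dst_nets = RFC1918
    else:
        dst_nets = [ipaddress.ip_network(dst)]
    return (action, ipaddress.ip_network(src), dst_nets)


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)   # floating rules would simply sit first here
        self.states = set()        # (src_ip, dst_ip) pairs already passed

    def load_rules(self, rules):
        """Reload the ruleset; like pf, leave the state table untouched."""
        self.rules = list(rules)

    def flush_states(self):
        """Equivalent of resetting the state table (or rebooting)."""
        self.states.clear()

    def filter(self, src, dst):
        """Return the decision for one packet, consulting states first."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (src_ip, dst_ip) in self.states:
            return "pass (existing state)"      # ruleset is not consulted
        for action, src_net, dst_nets in self.rules:
            if src_ip in src_net and any(dst_ip in n for n in dst_nets):
                if action == "pass":
                    self.states.add((src_ip, dst_ip))
                return action                   # first match wins ("quick")
        return "block"                          # pf default: no match, drop


def demo():
    """Replay the thread: old ruleset, rule change, stale state, reset."""
    guest = "192.168.38.0/24"
    old_rules = [rule("pass", guest, "any")]
    new_rules = [rule("block", guest, "rfc1918"), rule("pass", guest, "any")]

    fw = StatefulFilter(old_rules)
    out = {}
    out["old: ping vlan1"] = fw.filter("192.168.38.10", "192.168.1.5")
    fw.load_rules(new_rules)          # same as saving the new rules in the GUI
    out["new, stale state: ping vlan1"] = fw.filter("192.168.38.10", "192.168.1.5")
    out["new: other vlan1 host"] = fw.filter("192.168.38.10", "192.168.1.6")
    fw.flush_states()                 # reset states / reboot
    out["new, flushed: ping vlan1"] = fw.filter("192.168.38.10", "192.168.1.5")
    out["new: internet"] = fw.filter("192.168.38.10", "8.8.8.8")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32s} -> {v}")
```

Note the middle case: a new flow to a different VLAN 1 host is blocked immediately by the new rules, while the flow that already had a state keeps passing. That is exactly why the "test rule with NO effect" looked broken when it was actually correct, and why checking the state table (or resetting it) belongs in every rule-testing routine.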
Title: Re: Guest LAN block
Post by: xofer on April 24, 2020, 02:20:57 pm
Also, keep in mind that Floating rules can have an effect on this. They are parsed before interface rules.