OPNsense Forum

English Forums => General Discussion => Topic started by: spetrillo on August 18, 2020, 06:23:22 pm

Title: Internet Only FW Rule
Post by: spetrillo on August 18, 2020, 06:23:22 pm
Does anyone have a screenshot of a working fw rule that only allows Internet access?
Title: Re: Internet Only FW Rule
Post by: banym on August 18, 2020, 08:10:39 pm
Maybe I know what you mean, but this question is not clear and I don't want to answer it on an assumption.

Please describe your environment and what you intend to do with such a rule. Do you want to block traffic flow between VLANs or private networks or what is the plan behind the question?
Title: Re: Internet Only FW Rule
Post by: fabian on August 18, 2020, 08:26:23 pm
If you want to prevent local traffic you need an alias containing private networks.

Then allow all with destination !private
Title: Re: Internet Only FW Rule
Post by: spetrillo on August 18, 2020, 08:27:47 pm
I have an SSID and associated VLAN for my IoT devices. No need for them to see my local networks. Just want them to go outbound to the Internet.
Title: Re: Internet Only FW Rule
Post by: spetrillo on August 19, 2020, 08:38:27 pm
If you want to prevent local traffic you need an alias containing private networks.

Then allow all with destination !private

Wouldn't I block all private?
Title: Re: Internet Only FW Rule
Post by: banym on August 19, 2020, 09:22:14 pm
It depends on what order you do it in.

Here is an example:

1. Allow all local traffic you need with specific defined networks or aliases (Example DNS/NTP and Connections you need to work between your IoT network and your LAN)
2. Block all traffic you want to block, for example all local RFC1918 traffic for IPv4.
3. Allow all traffic to "ANY"

This will allow all defined local traffic to work before the block rule blocks all local traffic that is not defined in 1.
Rule 3 then catches all traffic that goes to external IPs and allows it.
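The ordering argument above, as an added example that is not part of the thread and not OPNsense code: a small first-match evaluator modelling the three rules (OPNsense rules are "quick", so the first matching rule wins, and unmatched traffic hits the implicit default block). The IoT VLAN (192.168.20.0/24) and the LAN DNS/NTP server (192.168.1.53) are constructed addresses.

```python
import ipaddress

# Alias of private networks, as fabian's reply suggests (RFC 1918, IPv4 only).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addresses for this example: the IoT VLAN and a LAN DNS/NTP server.
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
LAN_DNS = ipaddress.ip_address("192.168.1.53")


def in_alias(addr, alias):
    return any(addr in net for net in alias)


# Rule 1: allow only the specific local services the IoT devices need.
def rule_allow_local_dns_ntp(src, dst, port):
    return src in IOT_NET and dst == LAN_DNS and port in (53, 123)


# Rule 2: block everything else destined for RFC 1918 space.
def rule_block_private(src, dst, port):
    return src in IOT_NET and in_alias(dst, PRIVATE)


# Rule 3: allow whatever remains, which by now is only Internet-bound traffic.
def rule_allow_any(src, dst, port):
    return src in IOT_NET


BANYM_ORDER = [("pass", rule_allow_local_dns_ntp), ("block", rule_block_private), ("pass", rule_allow_any)]
# The same rules with 1 and 2 swapped: the block rule now shadows the DNS/NTP exception.
WRONG_ORDER = [BANYM_ORDER[1], BANYM_ORDER[0], BANYM_ORDER[2]]


def evaluate(rules, src, dst, port):
    """Return the action of the first matching rule; no match means the default block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, matches in rules:
        if matches(src, dst, port):
            return action
    return "block"


if __name__ == "__main__":
    for dst, port in (("192.168.1.53", 53), ("192.168.1.10", 22), ("1.1.1.1", 443)):
        print(f"{dst}:{port}  correct order -> {evaluate(BANYM_ORDER, '192.168.20.15', dst, port)}"
              f"  swapped order -> {evaluate(WRONG_ORDER, '192.168.20.15', dst, port)}")
```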