OPNsense Forum

English Forums => General Discussion => Topic started by: fooobarbaz on December 16, 2015, 09:54:32 pm

Title: What is the logic in allowing LAN interfaces to communicate by default?
Post by: fooobarbaz on December 16, 2015, 09:54:32 pm
Hi all,

I've been pulling my hair out with pfSense and seemingly now OPNsense, and I'm struggling to understand the logic that's got me so frustrated.

I have a WAN interface and, at present, 4 LAN interfaces on different subnets. By default, traffic passes across the LAN interfaces and I can't seem to firewall this in a way that makes sense (at least to me anyway).

Maybe I'm just doing it all wrong but in my mind, it makes sense that no traffic should be allowed to travel across different interfaces without having been explicitly allowed.

Again, perhaps I simply misunderstand, but from what I can ascertain, there are a few ways in which to resolve the issue. Firstly, a floating rule can stop the traffic, but this makes management of the interface rules unintuitive. I expect to be able to see the definitive ruleset for an interface on its own tab. Using a floating rule means I have to put each and every exception as a floating rule too.

I gather I can also achieve the desired result by using the interface rules to restrict the traffic going out of the interface to any other interface. This is also not desirable, as if a new interface is added, I potentially need to add additional rules to each of the existing interfaces. Perhaps not so much of an issue with just 4 interfaces, but later down the line when there are 40 interfaces, this will be error prone.

In my own mind this seems such a simple thing to want to achieve, so I can only think I am approaching it the wrong way and that there are valid reasons for allowing traffic across interfaces by default. I'd be grateful if someone can explain why it works this way.

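As an added illustration (not part of the original post and not OPNsense's own code), the following Python models how pf-style interface rules evaluate traffic, showing both the default "pass LAN net to any" shape that lets the LANs reach each other and the per-interface block rule against an alias of all LAN subnets that isolates them. Every interface name, subnet and sample packet is a constructed value, and the rule evaluator is a simplification (no ports, no state table).

```python
"""Model of pf-style interface rules to show why several LANs can talk to each
other by default and how one alias-based block rule per interface isolates
them. Added example, not OPNsense code. Interface names, subnets and the
sample packets are constructed values."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed sample layout: WAN plus four LAN interfaces on distinct subnets.
LAN_NETS = {
    "lan":  ip_network("192.168.1.0/24"),
    "opt1": ip_network("192.168.2.0/24"),
    "opt2": ip_network("192.168.3.0/24"),
    "opt3": ip_network("192.168.4.0/24"),
}


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    iface: str                         # interface the packet enters on
    src: Optional[IPv4Network]         # None means "any"
    dst: Optional[List[IPv4Network]]   # None means "any"; a list acts like an alias


def _matches(rule: Rule, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
    if rule.iface != iface:
        return False
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None and not any(dst in net for net in rule.dst):
        return False
    return True


def evaluate(rules: List[Rule], iface: str, src_ip: str, dst_ip: str) -> str:
    """Interface rules in OPNsense are 'quick', so the first match wins; with
    no matching rule the implicit default is to block."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if _matches(rule, iface, src, dst):
            return rule.action
    return "block"


def default_allow_rules(lan_nets) -> List[Rule]:
    """The out-of-the-box shape: every LAN gets 'pass from <LAN net> to any',
    which is exactly what lets one LAN reach the others."""
    return [Rule("pass", iface, net, None) for iface, net in lan_nets.items()]


def isolated_rules(lan_nets, exceptions=()) -> List[Rule]:
    """Per-interface isolation: explicit exceptions first, then a block to the
    alias of all LAN subnets, then the usual pass-to-any. Adding a LAN only
    means adding its subnet to the alias, not editing every other interface.
    'exceptions' is a list of (source interface, destination interface)."""
    all_lans = list(lan_nets.values())      # stands in for an OPNsense network alias
    rules: List[Rule] = []
    for iface, net in lan_nets.items():
        rules += [Rule("pass", iface, net, [lan_nets[d]])
                  for s, d in exceptions if s == iface]
        rules.append(Rule("block", iface, net, all_lans))
        rules.append(Rule("pass", iface, net, None))
    return rules


def rule_count_without_alias(n_lans: int) -> int:
    """Blocking each other LAN individually needs one rule per ordered pair;
    the alias approach needs one block rule per interface."""
    return n_lans * (n_lans - 1)


if __name__ == "__main__":
    plain = default_allow_rules(LAN_NETS)
    locked = isolated_rules(LAN_NETS, exceptions=[("lan", "opt1")])
    print("default:  ", evaluate(plain, "lan", "192.168.1.10", "192.168.2.10"))    # pass
    print("isolated: ", evaluate(locked, "opt2", "192.168.3.10", "192.168.2.10"))  # block
    print("exception:", evaluate(locked, "lan", "192.168.1.10", "192.168.2.10"))   # pass
    print("internet: ", evaluate(locked, "opt2", "192.168.3.10", "203.0.113.5"))   # pass
    print("pairwise rules for 40 LANs:", rule_count_without_alias(40))             # 1560
```

Two caveats worth keeping in mind when carrying this over to a real OPNsense ruleset: because pf is stateful, an exception on one interface also covers the replies, while the other side still cannot initiate connections; and a block to "all LAN subnets" also covers the firewall's own addresses on those subnets, so any service the firewall provides to a LAN (DNS, DHCP, the web GUI) needs its own pass rule placed above the block.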

Title: Re: What is the logic in allowing LAN interfaces to communicate by default?
Post by: Zeitkind on December 21, 2015, 01:00:11 pm
Perhaps not so much of an issue with just 4 interfaces, but later down the line when there are 40 interfaces, this will be error prone.

tbh, a setup with 40 LAN interfaces and a firewall like pfSense/OPNsense is - whether it's doable or not - a fault by itself. If 40 people/companies share one single uplink, you should use a transfer net and each LAN has its own router. IP addresses are not that rare.

But, anyway, yes, it's debatable whether to close or open LAN interfaces by default. Some vendors/distros close everything by default, some open all. I don't prefer one; it's just a matter of reading the docs. If you have multi-NIC devices, it's common to define a policy for LAN, OPT and WAN interfaces and assign each interface one of them with ready-made rules. For SOHO firewalls like pfSense, IPCop or OPNsense etc. that would be a bit of an overkill, if >90% of the users have max 3 interfaces, and would make a setup more complicated than necessary.