OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: vikozo on October 14, 2020, 08:53:18 am

Title: iot VLAN should not go into the LAN
Post by: vikozo on October 14, 2020, 08:53:18 am
I have a WLAN with SSID "iot" on VLAN 42!
On the OPNsense I got the VLAN as a network and connected it to the LAN port.
DHCP is giving out IP addresses to the iot SSID from VLAN 42.

Now I have the LAN where the computers/laptops are.

Now the rules for this VLAN should be:
1) no access from vlan42 to LAN
2) access from vlan42 to WAN
3) access from LAN to vlan42 (else I can't configure them)

Thanks for your help and feedback

Title: Re: iot VLAN should not go into the LAN
Post by: Gauss23 on October 14, 2020, 11:45:20 am
I really recommend reading the docs to understand how the packet filter in OPNsense works.

Usually you define your rules on the interface where the packet is incoming from.

So in your case:
1) on interface vlan42 a block rule for destination LAN network
2) on interface vlan42 an allow rule for destination any
3) on interface LAN an allow any (or whatever ports you want to open) rule destination vlan42 network

You could even combine 1 and 2 into one rule. Delete rule no. 1 and change rule no. 2: you just need to set the destination to your LAN network and invert that entry with the checkbox above. That rule then means: everything that is NOT destined to your LAN network is allowed, in this case the WAN. You can create an alias which holds all your local networks and use that instead of "LAN network" as destination.
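To make the three rule variants from the reply above concrete, here is an added example (not code from either poster or from OPNsense itself) that models first-match rule evaluation on an ingress interface with the `ipaddress` module. All addresses, the alias contents, the extra "guest" VLAN and the rule names are constructed assumptions. It evaluates the two-rule version, the single inverted "not LAN network" rule, and the inverted rule using an alias of all local networks, and shows why the alias matters: without it, a second internal network is reachable from vlan42 just like the WAN.

```python
"""Toy model of first-match firewall rule evaluation on an ingress interface,
in the style of OPNsense rules, comparing the three rule variants from the
thread. Added example; all addresses and rule sets are constructed assumptions,
not the original poster's configuration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample addressing (assumption): LAN, the iot VLAN 42, and a
# second internal VLAN the thread does not mention, added to show why the
# "all local networks" alias matters.
LAN_NET = ip_network("192.168.1.0/24")
VLAN42_NET = ip_network("192.168.42.0/24")
GUEST_NET = ip_network("192.168.50.0/24")

# Alias holding all local networks, as the reply suggests.
LOCAL_NETS_ALIAS = [LAN_NET, VLAN42_NET, GUEST_NET]


@dataclass
class Rule:
    """One rule on an interface. dst=None means destination 'any'.
    invert_dst models the 'invert' checkbox: match when dst is NOT in dst."""
    name: str
    action: str                       # "pass" or "block"
    dst: Optional[list[IPv4Network]]  # list of networks, or None for any
    invert_dst: bool = False

    def matches(self, dst_ip) -> bool:
        if self.dst is None:
            return True
        in_dst = any(dst_ip in net for net in self.dst)
        return (not in_dst) if self.invert_dst else in_dst


def decide(rules: list[Rule], dst: str) -> str:
    """First matching rule wins (OPNsense rules are 'quick' by default);
    no match falls through to the implicit default deny."""
    ip = ip_address(dst)
    for rule in rules:
        if rule.matches(ip):
            return rule.action
    return "block"


# Variant A: rules 1 and 2 from the reply, on interface vlan42.
TWO_RULES = [
    Rule("block to LAN", "block", [LAN_NET]),
    Rule("allow any", "pass", None),
]

# Variant B: the combined rule, destination = LAN network, inverted.
INVERTED_LAN = [
    Rule("allow not LAN", "pass", [LAN_NET], invert_dst=True),
]

# Variant C: same, but with the alias of all local networks as destination.
# Because the alias also contains VLAN42_NET, traffic to the firewall's own
# address on vlan42 (DHCP, DNS) no longer matches this rule; a real deployment
# would put a pass rule for those services before it.
INVERTED_ALIAS = [
    Rule("allow not local", "pass", LOCAL_NETS_ALIAS, invert_dst=True),
]

# Rule 3 from the reply, on interface LAN: allow LAN hosts to reach vlan42.
LAN_RULES = [
    Rule("LAN to vlan42", "pass", [VLAN42_NET]),
]


def compare(destinations: dict[str, str]) -> dict[str, dict[str, str]]:
    """Evaluate every vlan42 variant against each named destination."""
    variants = {"two_rules": TWO_RULES, "inverted_lan": INVERTED_LAN,
                "inverted_alias": INVERTED_ALIAS}
    return {label: {vname: decide(rules, ip) for vname, rules in variants.items()}
            for label, ip in destinations.items()}


if __name__ == "__main__":
    # Constructed destinations: a LAN host, an internet host, a guest-VLAN host.
    sample = {"lan_host": "192.168.1.10", "internet": "203.0.113.5",
              "guest_host": "192.168.50.10"}
    for label, results in compare(sample).items():
        print(f"{label:11s} " + "  ".join(f"{k}={v}" for k, v in results.items()))
```

Running it shows that variants A and B both block the LAN host and pass the internet host, but also pass the guest-VLAN host, since "not LAN network" includes every other internal network; only the alias variant confines vlan42 to the WAN. Traffic between two hosts inside vlan42 never crosses the firewall, so the alias containing VLAN42_NET only affects traffic addressed to the firewall's own vlan42 interface.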