OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: iBROX on March 15, 2021, 08:22:34 am

Title: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 08:22:34 am
Hi,

This should be a simple rule but for some reason it ain't working. I'll give a rundown of my setup:

VLAN 10 (Secure)
VLAN 15 (Guest)

PC on VLAN 15 with IP 192.168.15.55

I want to be able to access PC 192.168.15.55 (3389) from a range of PCs on VLAN 10.

I thought it would've been a simple addition of a FW rule in the GuestNetwork in FW rules allowing this, but it doesn't seem to work. For some reason the traffic is coming from my WAN interface (Internet) instead of the internal network (VLAN 10).

Any ideas?
 
Title: Re: VLAN to VLAN FW allow
Post by: Greelan on March 15, 2021, 09:21:39 am
Put your rule(s) on the VLAN10 interface, allowing traffic from the VLAN10 PCs to the VLAN15 PC
Title: Re: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 09:45:02 am
Thanks, just tried that, still nothing.

I suspect it could be a routing issue, as if I do a trace from VLAN 10 to VLAN 15 it actually tries to go out of the WAN (internet) interface rather than the guest network 192.16.15.1 IP/interface
Title: Re: VLAN to VLAN FW allow
Post by: Greelan on March 15, 2021, 09:46:57 am
Post screenshots of your config and rules
Title: Re: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 09:54:37 am
Secure Network = vlan10
Guest = VLan 15
Title: Re: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 09:54:58 am
.
Title: Re: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 09:55:18 am
.
Title: Re: VLAN to VLAN FW allow
Post by: Greelan on March 15, 2021, 09:57:42 am
As I said in my first post, you need to create the rule in your first screenshot on the secure network interface, not the guest network interface
Title: Re: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 09:59:47 am
Sorry, had already tried that as well and no go.

So on secure interface (VLAN 10)

Direction in or out?
Title: Re: VLAN to VLAN FW allow
Post by: Greelan on March 15, 2021, 10:00:01 am
You’ve also got an allow any rule on your guest network - which would include it being allowed to access secure network. Presumably not what you want, judging from the names?
Title: Re: VLAN to VLAN FW allow
Post by: Greelan on March 15, 2021, 10:00:15 am
Direction IN
Title: Re: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 10:05:28 am
Thank you! I seem to be reading the interface direction the wrong way and I had to move the rule in the order as well, but this seems to have fixed it.
Title: Re: VLAN to VLAN FW allow
Post by: Greelan on March 15, 2021, 10:27:18 am
A lot of people get confused by that, though it is explained in the docs. The directions are from the perspective of the interface on the firewall - so into the LAN is coming from the LAN hosts, into the WAN is coming from the internet, out of the LAN is to the LAN hosts, etc. Basically your rules should always be IN unless you have a special use case, in which event you probably know what you are doing lol
Title: Re: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 10:28:30 am
Got it, thanks again.

One other thing: if I wanted to block, say, port 80 from IP 192.168.15.55 (VLAN 15)

Would that be a rule on the Guestnetwork (VLAN 15) outbound?
Title: Re: VLAN to VLAN FW allow
Post by: Greelan on March 15, 2021, 10:30:37 am
You haven’t quite got it...

Yes, rule on Guestnetwork but IN - it is coming from the PC INto the interface on OPNsense
Title: Re: VLAN to VLAN FW allow
Post by: iBROX on March 15, 2021, 10:35:20 am
Got it now!! And it's working as expected.

Thanks again.
Title: Re: VLAN to VLAN FW allow
Post by: Greelan on March 15, 2021, 10:35:51 am
No problem
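
The direction and ordering behaviour discussed in this thread, as an added example (not posted by either participant and not OPNsense code): a small Python model in which only the IN rules of the interface a packet arrives on are checked, first match wins, and an unmatched packet is dropped. The /24 subnets, the 192.168.10.20 host, the 203.0.113.10 server and the block rule sitting above the RDP rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed /24 subnets per interface; only 192.168.15.55 is given in the thread.
NETS = {"SecureNetwork": ip_network("192.168.10.0/24"),
        "GuestNetwork": ip_network("192.168.15.0/24")}

@dataclass
class Rule:
    action: str     # "pass" or "block"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dport: int = 0  # 0 = any port

    def matches(self, src, dst, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (0, dport))

def ingress(src):  # interface whose subnet holds the source address
    return next((n for n, net in NETS.items() if ip_address(src) in net), "WAN")

def evaluate(rules, src, dst, dport):
    """Check only the IN rules of the ingress interface; first match wins."""
    iface = ingress(src)
    for rule in rules.get(iface, []):
        if rule.matches(src, dst, dport):
            return iface, rule.action
    return iface, "block"  # nothing matched: default deny

RDP = Rule("pass", "192.168.10.0/24", "192.168.15.55/32", 3389)
DENY_GUEST = Rule("block", "192.168.10.0/24", "192.168.15.0/24")  # constructed
ANY = "0.0.0.0/0"

def scenarios():
    pc = ("192.168.10.20", "192.168.15.55", 3389)  # constructed VLAN 10 host
    web = ("192.168.15.55", "203.0.113.10")        # constructed web server
    guest_in = {"GuestNetwork": [Rule("block", "192.168.15.55/32", ANY, 80),
                                 Rule("pass", "192.168.15.0/24", ANY)]}
    return {
        "rule on guest interface": evaluate({"GuestNetwork": [RDP]}, *pc),
        "rule below a block": evaluate({"SecureNetwork": [DENY_GUEST, RDP]}, *pc),
        "rule moved up": evaluate({"SecureNetwork": [RDP, DENY_GUEST]}, *pc),
        "guest port 80": evaluate(guest_in, *web, 80),
        "guest port 443": evaluate(guest_in, *web, 443),
    }

if __name__ == "__main__":
    print(scenarios())
```

The model ignores state tracking: on a stateful firewall the reply packets of an allowed connection are passed by the state entry, which is why no matching rule is needed on the guest interface for the RDP return traffic.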