OPNsense Forum

English Forums => General Discussion => Topic started by: meazz1 on January 18, 2022, 03:11:16 pm

Title: LAN and IOT VLAN firewall rules
Post by: meazz1 on January 18, 2022, 03:11:16 pm
I have created a LAN and VLAN-IOT setup for my home office.
I simply want VLAN-IOT subnet to just have internet access but not the LAN access.
I am not an IT person and not sure the rules I created, with help of the OPNsense forum and internet, are valid and protect my network.

I would appreciate any feedback.

LAN Rules
(https://lh3.googleusercontent.com/w1z_SN_7pf7pNXHh6E6s3dvmCDwObmWlAJBp9pcXY91zPGCp2YJBHxx62Pt4UfK6NvmtjxIqy5xnHYU7be2QvOFNnaegx3tjokM0yadHNgPgFQ5e3AkwxWniwdRCNmtGoAyrqzXuGQ=w2400)

IOT Rules
(https://lh3.googleusercontent.com/-kYG6dI1hLOhbfHzDsntfNYWpB0-0BgZuvwcwEH01QbEFlqoe-g-Y9plhzdeQ1Lq7Iu0piVYjmg0WpyhR9VX5a4Lx13Y-z_MGPzaqRJU8tH0OaYFgr6nnyMgcuiHL0qGyqxTrS0w9A=w2400)

Aliases
(https://lh3.googleusercontent.com/T4hWYgpNH1zRPHUcrlFbj8Ii63gKMFV1Jf8mZW5HVVTqWmceZmQYpYU0FaDzpSGRaZVeka2zjYydzvH-nIVMaJngsMPCk9iaebmj3SbOUnbPIVefRfZ563cW8hMOQ2dY6Q0DFwyhMg=w2400)
Title: Re: LAN and IOT VLAN firewall rules
Post by: chemlud on January 18, 2022, 03:24:34 pm
Hi!

As a starter: FW rules are evaluated from the top of the list. First match -> rest of rules will not be checked. So on your LAN you allow at first ANYTHING outgoing, which will always match. So all other rules will never be checked/triggered. You have to move the BLOCK RFC1918 to the top of the list to make it trigger.

To allow anything outbound is not safe at all imho, but ymmv ;-)
Title: Re: LAN and IOT VLAN firewall rules
Post by: meazz1 on January 18, 2022, 04:07:25 pm
Thanks, I moved that to the top. How do the rest of the IOT and LAN rules look?
Title: Re: LAN and IOT VLAN firewall rules
Post by: jp0469 on January 18, 2022, 07:02:25 pm
On your 1st screenshot, those rules are for the LAN interface but you have the source as IOT net. Those rules only apply to traffic that originates from the LAN subnet with direction "in" (in means toward the firewall), therefore, that rule won't do anything.

I'm going to assume that you want LAN traffic to be allowed anywhere and IOT traffic to be allowed to the internet only. In that case, you only need a few rules. Also, since everything is blocked by default that is not explicitly allowed, always try to think in terms of using allow rules first and make them only as permissive as needed. You can always add specific block rules to the top later if needed.

So then, try this: On the LAN interface, remove that block rule and leave the other rules there. Now LAN traffic can go anywhere (you might need a DNS allow rule depending on your DNS config). On the IOT interface, keep your DNS rule at the top. Delete the other rules and just add a single rule below that allows traffic to go anywhere except (inverse) the RFC1918 alias.

That should do it unless my previous assumptions were incorrect.
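The three points made in this thread (first match wins, a LAN-interface rule with source "IOT net" never matches LAN traffic, and an IOT pass rule to "not RFC1918") as an added simulator that is not code from the thread or from OPNsense. The subnets and the 192.168.20.1 firewall address are constructed placeholders; the evaluator models first-match semantics with an implicit default block and ignores state and reply traffic.

```python
import ipaddress

# Constructed addressing for the example; the thread's screenshots are not on the page.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
IOT_GATEWAY = ipaddress.ip_network("192.168.20.1/32")   # firewall address on the IOT VLAN
# The RFC1918 alias referred to in the thread: the three private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(action, src=None, dst=None, invert_dst=False, dport=None):
    """One rule on an interface. None means 'any'; dst is a list of networks (an alias);
    invert_dst=True is the 'not' (inverse) option on the destination."""
    return {"action": action, "src": src, "dst": dst, "invert_dst": invert_dst, "dport": dport}

def matches(r, src, dst, dport):
    if r["src"] is not None and src not in r["src"]:
        return False
    if r["dport"] is not None and dport != r["dport"]:
        return False
    if r["dst"] is not None:
        in_alias = any(dst in n for n in r["dst"])
        if in_alias == r["invert_dst"]:   # inverted rule matches only when NOT in the alias
            return False
    return True

def evaluate(rules, src, dst, dport):
    """First match wins, as chemlud describes; no match falls to the implicit default block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, src, dst, dport):
            return r["action"]
    return "block"

# LAN order from the first post: the allow-any rule shadows the RFC1918 block below it.
LAN_ALLOW_FIRST = [rule("pass", src=LAN_NET), rule("block", src=LAN_NET, dst=RFC1918)]
LAN_BLOCK_FIRST = [rule("block", src=LAN_NET, dst=RFC1918), rule("pass", src=LAN_NET)]
# jp0469's point: a LAN-interface rule with source IOT net never sees LAN-originated traffic.
LAN_WRONG_SOURCE = [rule("block", src=IOT_NET, dst=RFC1918), rule("pass", src=LAN_NET)]
# jp0469's IOT ruleset: DNS to the firewall on top, then anything except (inverse) RFC1918.
IOT_RULES = [
    rule("pass", src=IOT_NET, dst=[IOT_GATEWAY], dport=53),
    rule("pass", src=IOT_NET, dst=RFC1918, invert_dst=True),
]

if __name__ == "__main__":
    print(evaluate(LAN_ALLOW_FIRST, "192.168.10.5", "192.168.20.9", 80))  # pass: block never reached
    print(evaluate(LAN_BLOCK_FIRST, "192.168.10.5", "192.168.20.9", 80))  # block
    print(evaluate(LAN_WRONG_SOURCE, "192.168.10.5", "192.168.20.9", 80)) # pass: block rule never matches
    print(evaluate(IOT_RULES, "192.168.20.9", "1.1.1.1", 443))            # pass: internet
    print(evaluate(IOT_RULES, "192.168.20.9", "192.168.10.5", 445))       # block: LAN is RFC1918
```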
Title: Re: LAN and IOT VLAN firewall rules
Post by: jp0469 on January 18, 2022, 07:20:06 pm
I noticed after my last post that you also have a rule to block access to the WebGUI on the IOT interface. You can leave that rule at the bottom as it should work just fine. Another way to control this without rules is to go to System > Settings > Administration and then modify "Listen Interfaces" to only include the ones where you want to permit WebGUI access.
Title: Re: LAN and IOT VLAN firewall rules
Post by: meazz1 on January 19, 2022, 12:45:04 am
@chemlud
@jp0469

Thank you. I believe I got this working.