Messages - bogen85

#1
Quote from: symgryph on July 11, 2022, 05:32:24 AM
Would you mind posting a PR for your config? I would love to post... or just post here and I will update.

Well, I followed the same pattern as your example; that did not change.
Only thing I had to change was the interface names in each custom config file.

This was done on two separate routers (one for AT&T, one for Spectrum), so no change was needed from the example you provided.

I will be combining both into the same router (have both providers so if one goes out, hopefully the other won't be out at the same time) so that is where something may have to change in the custom config. Of course the IPv6 tracking of the down WAN interface won't work, so I'll need to have config files I switch between when one goes out. And I've not worked out which subnet will use what provider when both are up, etc.

Prefixes can be skipped (I tried this), so even if I have some local subnet interfaces on one provider, and some on the other, I should be able to have a unique prefix per local subnet interface, regardless of which WAN interface it is tracking.

I initially had both in the same router, and it showed promise, but the IPv6 address tracking across multiple subnets not working is what made me switch to a two router interim solution.

Eventually I'm going to have at least 4 physical local subnet interfaces/networks using two upstream WANs. Ideally IPv6 tracking for multiple interfaces and failover for the WANs would be something the WebUI could handle. But for now the failover will likely be a manual process.
#2
I tried this with AT&T and Spectrum. (Adjusted the config files appropriately for each setup, of course.)

So far it seems to work on both, but I have not fully tested it yet.

At least existing interfaces/subnets still work (with new prefix IDs if applicable) with IPv6.

Before using this custom config file I was not able to specify a prefix other than 0 for a LAN interface. This limited tracking of a WAN interface for IPv6 address allocation to one LAN interface only.

With this custom config, multiple LAN interfaces can track the same WAN interface for IPv6 (by specifying a different prefix per LAN interface).
#3
Quote from: pmhausen on July 10, 2022, 09:58:52 PM
This is probably due to the automatic "anti lockout rule" that does some weird things with NAT port forwarding to ensure access to the UI. I disable that in all my OPNsense installations and rely on proper manual rules for UI access.

Your rule does work for TCP, don't worry. The UI is what is "special".

Yes, disabling the "anti lockout rule" makes the deny rule I added work.

I can still access the UI from an applicable subnet.

Thanks.
#4
Short of some firewall rules to achieve this isolation, I can either:

1) have multiple physical routers, one per subnet to be isolated (currently doing this for two subnets)
2) run multiple virtualized routers on one physical machine with ample resources and multiple network interfaces.

I run virtual OPNsense instances in some setups already, this works quite well.

However, just for the purposes of subnet isolation across multiple network interfaces, I'd rather just run one OPNsense instance with firewall rules, rather than running an OPNsense instance per subnet, which is a lot more demanding on resources.
#5
Alright, I've seen other posts on this subject and I've had limited success in doing this.

I created a separate test LAN subnet on an unused interface. For purposes of this discussion, I'll call that LAN_TEST_00.

By default I can ping the firewall's address for LAN_TEST_00 from a computer on my main subnet, which I'll call LAN_MAIN_00.
I can also access the router web UI at the firewall's address for LAN_TEST_00 from a computer on LAN_MAIN_00.

I can go into LAN_MAIN_00 and add a block rule for LAN_MAIN_00 source to LAN_TEST_00 destination.
When I move this rule to the top and apply it, I can no longer ping the firewall's address for LAN_TEST_00 from a computer on LAN_MAIN_00.

However, the router web UI at the firewall's address for LAN_TEST_00 is still accessible from a computer on LAN_MAIN_00.

I have all protocols specified for the rule.

I want to be able to have separate subnets on separate interfaces that can't access each other (or even know each other exist), unless I allow such access.

Blocking all other subnets for each subnet is fine.

But in my simple test above, I can block pings but not TCP traffic, so I'm not sure how to do this.

What am I doing wrong? This is an IPv4 rule and I'm only testing with IPv4 addresses.