Messages - twintailterror

#1
Quote from: bartjsmit on September 15, 2022, 12:17:05 PM
Quote from: twintailterror on September 15, 2022, 05:58:47 AM
My VLANs are made and managed by OPNsense itself and DHCP'd across the VLAN.
All devices along your path ((v)switch, access point, etc.) need to use the same VLAN tag to be able to transfer packets between them. You can trunk different tags over the same physical link, but you do need to declare the same VLAN number(s) at both ends.

There are a few image sharing and on-line diagram sites that you can link to.

Bart...

https://ibb.co/PY6pZzQ  assignments
https://ibb.co/kQMMs0J  LAN DHCP setup
https://ibb.co/x2TqJy8  LAN DHCP setup pt2
https://ibb.co/s20kVgh  LAN interface setup p1
https://ibb.co/ZhdwkTQ  mom firewall rule 1
https://ibb.co/R0FB5fs  LAN firewall rule 1

Here is the OG post I made: https://forum.opnsense.org/index.php?topic=30303.0

That shows all my settings.

To be fair, it's mostly stock. I'm still having issues with how to do the rules though, blocking order and such. Even if it's a fake VLAN, can you set something up similar so I can see how it should look? (Also my VLANs are correct, no worries; front to back they get DHCP.) My issue is they are "open" and I want to block them off

so they cannot see each other, ping each other or anything else,
minus the server that has 1 IP open
and the cams that have 1 IP open to view cameras. I'd like to use local DNS or some kind of thing for "jellyfin" and "security".

I'm just beyond stuck and nobody I know uses this or VLANs ;/


#2
General Discussion / Re: Getting set up with VLANs
September 15, 2022, 06:04:39 AM
Quote from: T-Rex on June 13, 2022, 05:00:13 AM
Hey BathToast;

To question 1: yes, you can remove the original LAN interface; however, I generally like to keep a (management) interface that is untagged in the event that things go sideways. So you can plug into it with any ole ethernet, assign the IP address and manage the firewall if required.

I also generally set up my (LAN) and rename it to (management). I do not set a gateway or anything, but I maintain it for management and then have a Linux host that only responds with private key authentication, with an SSL forward to the firewall, to lock down management of the firewall. I am a bit paranoid.... having been a network engineer with emphasis on security for the last 20+ years created a lot of distrust.

As far as question 2, natively the bottom of all the interfaces should be an implicit deny that would deny traffic between VLANs. If you would prefer to put a deny with an any/any and log the traffic, it will give you more visibility in that situation, which is generally something I do, as I also send firewall logs to a local instance of Splunk.

I realize this is a long response to answer your questions but I am hoping it has helped.

Thanks
Scott
Would you be willing to share (with blocked-out MACs, duh) your rule setup? I'm having such a freaking hard time. I cannot find a video; the walkthroughs I find don't work. I either get internet + all VLANs or nothing at all, period. I cannot seem to block VLANs from talking but keep internet.

Should I block all local, then allow by network? If so, do I use .net or .address?
Also, is the "in" really "out"? I'm so freaking lost. I have another post with pics, but I'm willing to share here too. I have Discord if you're willing; please, I really need help and I'm running out of time. I have till the end of the month to finish and it's the 15th o.o, next month at the best. Then I get new fiber and I have to VLAN off 1 network for legal reasons, so I really need help.

TwinTailTerror#1818 is my Discord if u want to friend; here is ok, w/e, I don't care. I just figure posting pics of my setup might be faster there. Also, if there is a Discord for OPNsense, I want an invite; I can't find it.
#3
Quote from: bartjsmit on September 08, 2022, 03:01:34 PM
Make sure you don't have any 'leaks'. I.e. all VLAN tags are managed by your switches and/or your virtual switches in your hypervisors.

My VLANs are made and managed by OPNsense itself and DHCP'd across the VLAN, to the other stuff.
I'm having a heck of an issue with the VLAN rules though; I either get all internet + talk to all VLANs, or nothing at all.
I need to see one set up via picture. Don't suppose we can share pics here?
#4
I'm having the same type of issues with all rules. I tested it in pfSense and I get the reverse issue: vs everything open, everything is closed and won't open lol

I'm not even sure what the rules should be at this point, or maybe they are backwards, I don't know.

I once heard, since it's a server, "in" actually means out and out means in. (So in from should be "vlan1", meaning go out to, and out from means coming into.)
#5
Quote from: Minny Minny on July 10, 2022, 03:21:13 PM
My network has four VLANs, each represented by an interface on my OPNsense host - WAN, LAN, management (MGMT) and IoT - each with their own IP subnet.  The MGMT VLAN is for SNMP traffic, VM movement, accessing iLO/DRAC, etc.

My goal is to restrict anything originating from within MGMT or IoT VLANs from getting out, but to allow only my LAN-based hosts to initiate sessions with devices on the MGMT and IoT VLANs.

I have the default "LAN to anywhere" rules, but that doesn't seem to allow me to get into the management VLAN from my LAN-connected host.  And so I'm sure I'm just confused as to where I would put the rules for accessing the other VLANs from the LAN VLAN.  Would that be on the MGMT and IoT interfaces, or the LAN interface?  I've tried putting in rules for allowing traffic from LAN to MGMT (using both "in" and "out") on the MGMT interface, but I still can't ping or access any hosts.

Or is this a routing issue?  I was under the impression that OPNsense automatically knew routing between its own interfaces.

Might anyone be able to point me to something up to date on managing inter-VLAN traffic?  I've looked at a few blogs and such, but they seem to be for much older versions and the interface and rule management have changed over time.
Thanks!

To get 1 VLAN to talk to another is TOO easy imo.

In your case: IoT network > management network = pass (any). Done = works.
1 rule will let the IoT from the IoT network talk to that network.
Should work with no real issues.

My issue is everything or nothing gets internet. I cannot figure out WHY. How many rules do you need, 1? 1 for each? Default is def not block local, that's for sure, even if the IPs are weird.
#6
22.1 Legacy Series / Re: Access to LAN host from vlan
September 15, 2022, 05:46:12 AM
DHCP might be an issue.
If you have, or even have not, fixed this, u can msg me. I have Discord, can send pics of what I did, and in return maybe you can help me figure out rules, cuz firewall rules are a pain, yes.
#7
Make a VLAN, even if it's just a section of IPs that have no access; you can indeed do that.

I personally need help with rules; I can do the VLAN part easily enough though.
To do a VLAN with 1 IP, just make the range bigger or set aside 20 or so IPs, put them on VLAN (x), then make x have no internet.

Even without the other machine doing it, you can make it an access rather than a trunk line and just segment it anyway.
#8
General Discussion / Re: VLAN Setup Question
September 15, 2022, 05:42:08 AM
Dual traffic does not mess me up at all, but it's a home network, not the huge times.

You will need 1 trunk port, and that should be good if some of the VLANs are upstream; if not, just DHCP each of them (if that's what you are looking to do).

I have 11 VLANs myself, using 4 currently, plan to expand to 6 soon, but I have the work out for the 11 now.
As long as your OUT port is trunked/tagged you should be ok.
Every other port can just be assigned to VLAN (x). Your issue will be with the firewall rules, an issue I'm trying to solve myself right now.

In order to block them off you either have to say block all local or set up each rule; I'm not sure though, working that part out.
#9
22.7 Legacy Series / Re: fire wall rules wrong?
September 15, 2022, 04:03:18 AM
Quote from: Bob.Dig on September 14, 2022, 04:45:10 PM
Maybe start with a simpler network then...
Why even bother to reply? You sound like one of the ppl telling me DHCP can't go over VLANs "who have been in networking for years".

Don't be rude. Clearly I don't understand the rules, but I can't figure out why. No need to just spam or be rude to ppl just cuz it's online.
#10
22.7 Legacy Series / Re: fire wall rules wrong?
September 15, 2022, 03:59:08 AM
Quote from: axsdenied on September 14, 2022, 06:48:43 PM
Ok so you have a lot going on here and a bit too much information ;)

I would stick with a simple structure of: You have 2 physical interfaces, WAN/LAN and a few VLANs.  Their function, we don't really care for the sake of troubleshooting.

One question I saw was that you had a rule with: LAN -> Anywhere that when you changed from LAN-> InsertVLANnamehere,  you lose access to the internet.

This is exactly what should happen as you removed the LAN's ability to leave the firewall.  You essentially stated that the LAN network can only communicate with the other VLAN network and NOTHING else.

You'd have to add another rule below that with a LAN -> Anywhere/Firewall rule to get back out.

If you need video pointers, you can search YouTube for both pfSense or OPNsense firewall rules and they would be applicable here. They operate almost identically (forced default rules are different, but not applicable here).


Ya, if I don't, people say "need more info", so I gave it all I had.

the thing is , lan > any net
any > any > net

But other networks need any/any as well, so both LAN and VLAN.
LAN has to stay any > any.
VLAN can be
any > any or (VLAN name > any).
Should I block all local network connections and then try to allow them by "mom > server"?
If I try to block them, even if the block is up top, it still does not work ;/
#11
22.7 Legacy Series / fire wall rules wrong?
September 14, 2022, 01:20:26 PM
OK, this is a double question: technically it's about firewall rules, but it has VLANs, so if this is in the wrong area I will wait to get yelled at by the mods.

(A picture setup of the network is here: https://ibb.co/c3nNx2P)

My network has about 11 VLANs.
Only about 6 are being used; the rest are placeholders, currently have NO IP/DHCP and are turned off (but even WITHOUT them this issue happens).

All networks are DHCP on their own.

The setup is as follows: (bxe4) = WAN (fiber)
bxe5 = LAN (main LAN, only "out" of the firewall, fiber cord)

VLAN 2,3,4,5 (all are wifi) from a UniFi point
VLAN 6,7,8,9 all are spot holders for the time
VLAN 10 server
VLAN 11 SFP switch (test area), not being used but set up
A little art of the network is uploaded here. I KNOW some of the IPs may upset ppl; I do not care, it does not matter what they are.


LAN firewall rule 1: any > any (this will get internet on the LAN and touch all VLANs)
OR rule 1: LAN > any (this will also get internet and VLAN on all VLANs, so no separation)


M's network (my mother's setup)
  any > any = all networks + internet
mom's net > any = all networks + internet
any other setting = broken everything


HOWEVER, if I set up (server > momsnet or momnet > server) (I forget at this point), it will allow the server to be touched on its VLAN, but no other VLANs or internet to be used.
This to me does not make much sense, since the internet won't work the same, but whatever. What the heck am I doing wrong?

I'm following directions I found here >
cheat sheet
https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/

https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules


The idea of this is as follows:

VLAN 2 (isolated guest network, internet only, with added rules such as no TikTok or porn)
VLAN 3 (isolated, internet only, allows incoming/outgoing as she needs to have it for a GOV job; they check her PC randomly, spy on it)
VLAN 4 main home wifi / LANs; should have internet, be isolated, but allowed to touch the server on IP x.x.x.x/8096 /8042 (Jellyfin addresses)
VLAN 5 no internet AT ALL, but allowed to be touched from the main server for recording of sec cams


VLAN 10 should be able to be touched from most VLANs, but only on 1 IP / 2 ports for Jellyfin HTTP/HTTPS (internal + external)

This is the overall goal.

I have NO floating rules at all, no aliases, nothing. I'm new to pf/OPNsense; I like OPN better but willing to change if need be. I'm sorta lost, as the rules LOOK correct but don't work as intended, so now I'm stuck as to not knowing why.

Everything else (aside from VLANs) is "stock" on this firewall. Currently I have tried 8-11 installs (mostly cuz the update to 22.7.4 breaks it totally currently).

Pls give me some help, point to a video (if possible include pictures of a proper setup, as that works better than words for me so I can compare).


I should also note ::: if at ANY time the LAN rule is taken from any > any OR LAN > any, all internet and VLAN stops working everywhere, no matter any other rules.


(There is only 1 gateway, I think), standard one. No other special rules, only DHCP over VLAN.

I have Discord if u pref that to here.

I do not check email much, but will check the reply daily for 2 weeks or so, and hope somebody will help.

Pictures found here of the LAN setup,
mom setup,
overall rules:

https://ibb.co/PY6pZzQ  assignments
https://ibb.co/kQMMs0J  LAN DHCP setup
https://ibb.co/x2TqJy8  LAN DHCP setup pt2
https://ibb.co/s20kVgh  LAN interface setup p1
https://ibb.co/ZhdwkTQ  mom firewall rule 1
https://ibb.co/R0FB5fs  LAN firewall rule 1
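The two things the thread keeps circling are why "LAN > VLAN10" on its own kills the internet (axsdenied's point in #10) and how to get the goal stated in #11: a VLAN that has internet but cannot reach the other VLANs except for one server IP and port. Both come down to first-match rule order. The Python below is an added illustration, not code from the thread, from OPNsense or from pf; it is a toy evaluator that walks a rule list top to bottom and falls through to an implicit deny, which is how OPNsense treats interface rules with the default "quick" setting. The subnets, the 192.168.4.1 interface address used for DNS and the 203.0.113.10 "internet" host are constructed assumptions; the Jellyfin port 8096 and the VLAN roles come from the post.

```python
"""Toy first-match firewall rule evaluator (added example; not OPNsense or pf code)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed subnets standing in for the VLANs in the post (all addresses are assumptions).
LAN = "192.168.1.0/24"
VLAN4 = "192.168.4.0/24"        # main home wifi
VLAN4_GW = "192.168.4.1/32"     # assumed firewall address on VLAN4 (DNS/DHCP live here)
VLAN5 = "192.168.5.0/24"        # security cams: no internet, reachable only from the server
VLAN10 = "192.168.10.0/24"      # server VLAN
JELLYFIN = "192.168.10.5/32"    # the one server IP other VLANs may reach
INTERNET = "203.0.113.10"       # documentation-range address standing in for a public site
LOCAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # an "all local networks" alias


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src: str | list[str]          # CIDR, list of CIDRs (an alias), or "any"
    dst: str | list[str]
    dport: int | None = None      # None matches every destination port
    label: str = ""


def matches(spec, ip: str) -> bool:
    """Does the address fall inside the rule's source/destination spec?"""
    if spec == "any":
        return True
    nets = spec if isinstance(spec, list) else [spec]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def evaluate(rules, src_ip, dst_ip, dport=None):
    """First matching rule wins; no match at all falls through to the implicit deny."""
    for rule in rules:
        if matches(rule.src, src_ip) and matches(rule.dst, dst_ip) and rule.dport in (None, dport):
            return rule.action, rule.label
    return "block", "implicit default deny"


def lan_only_to_server():
    """Post #10: swapping 'LAN -> any' for 'LAN -> VLAN10' leaves no rule that lets LAN out."""
    rules = [Rule("pass", LAN, VLAN10, label="LAN -> VLAN10")]
    host = "192.168.1.20"
    return {"server": evaluate(rules, host, "192.168.10.5")[0],
            "internet": evaluate(rules, host, INTERNET)[0]}


def lan_to_anywhere():
    """Post #11's 'LAN -> any': internet works, but so does every VLAN (no separation)."""
    rules = [Rule("pass", LAN, "any", label="LAN -> any")]
    host = "192.168.1.20"
    return {"internet": evaluate(rules, host, INTERNET)[0],
            "cams": evaluate(rules, host, "192.168.5.7")[0]}


def segmented_vlan4(order=("dns", "jellyfin", "block_local", "internet")):
    """Rules on the VLAN4 interface: internet only, plus one server IP/port. Order is the trick:
    the specific passes sit above the block, the broad 'anywhere' pass sits below it."""
    candidates = {
        "dns":         Rule("pass", VLAN4, VLAN4_GW, dport=53, label="VLAN4 -> firewall DNS"),
        "jellyfin":    Rule("pass", VLAN4, JELLYFIN, dport=8096, label="VLAN4 -> Jellyfin 8096"),
        "block_local": Rule("block", VLAN4, LOCAL_NETS, label="VLAN4 -> all local: block"),
        "internet":    Rule("pass", VLAN4, "any", label="VLAN4 -> anywhere"),
    }
    rules = [candidates[name] for name in order]
    client = "192.168.4.50"
    return {
        "dns":        evaluate(rules, client, "192.168.4.1", 53)[0],
        "jellyfin":   evaluate(rules, client, "192.168.10.5", 8096)[0],
        "server_ssh": evaluate(rules, client, "192.168.10.5", 22)[0],
        "cams":       evaluate(rules, client, "192.168.5.7", 80)[0],
        "lan":        evaluate(rules, client, "192.168.1.20", 445)[0],
        "internet":   evaluate(rules, client, INTERNET, 443)[0],
    }


def cams_vlan():
    """VLAN5 needs no pass rules: the implicit deny alone keeps it off the internet.
    The recorder's access is a rule on the server's interface, where that traffic enters;
    the replies ride the state entry, so VLAN5's own rule list stays empty."""
    vlan5_rules = []
    vlan10_rules = [Rule("pass", JELLYFIN, VLAN5, label="server -> cams")]
    return {"cam_to_internet": evaluate(vlan5_rules, "192.168.5.7", INTERNET)[0],
            "cam_to_lan": evaluate(vlan5_rules, "192.168.5.7", "192.168.1.20")[0],
            "server_to_cam": evaluate(vlan10_rules, "192.168.10.5", "192.168.5.7", 554)[0]}


if __name__ == "__main__":
    print("LAN -> VLAN10 only:", lan_only_to_server())
    print("LAN -> any:        ", lan_to_anywhere())
    print("VLAN4 segmented:   ", segmented_vlan4())
    print("VLAN4 wrong order: ", segmented_vlan4(("internet", "dns", "jellyfin", "block_local")))
    print("cams VLAN:         ", cams_vlan())
```

Two details carry over to a real OPNsense box. Rules are evaluated on the interface where a packet enters, in the "in" direction, so a VLAN's rules describe what its own hosts may start; the return traffic for those connections is matched by state and needs no rule on the other side. And the "block all local" line has to sit below any pass to the firewall's own address for DNS (the "This Firewall" destination in the GUI), or name resolution breaks even though a ping to 203.0.113.10 still works.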