General Discussion / Unruly rules with vlans
« on: January 22, 2024, 06:13:32 pm »
Hi All,
I recently discovered that my VLANs were not properly isolated. Most of my stuff is on a non-VLAN LAN interface. I am running OPNsense 23.7.12-amd64. I also have AdGuard Home set up. I also have Private Internet Access VPN and Tailscale VPN installed. (Not sure if any of those play into my problems.)
My setup.
Code:
vlan01 [Home] igc1 [LAN] 10
vlan02 [Work] igc1 [LAN] 20
vlan03 [IoT] igc1 [LAN] 30
vlan04 [Guest] igc1 [LAN] 40
What I am seeing is that my rules are not processing the traffic properly. I have one rule, the second-last rule, to block all traffic between the private ranges. Then I have another rule before that, which allows one IP address, 192.168.30.21 (IoT), to reach 192.168.2.6 (LAN). This is what I am seeing under the firewall live view. Why is one blocked but the others allowed? All should be processed by the allow, but obviously some are still making it to the block rule.
This view is filtered for source IoT and destination 192.168.2.6.
Rules:
Allow access to HA IOT:
-- Pass
-- quick yes
-- interface IoT
-- direction in
-- TCP ipv4
-- protocol any
-- source IoT_to_HA_src (alias to 192.168.30.21)
-- destination Iot_to_HA_dest (alias to 192.168.2.6)
block access to private ranges:
-- Reject
-- quick yes
-- interface iot
-- direction in
-- TCP ipv4
-- protocol all
-- source iot net
-- dest alias to private ranges
Alias:
private ranges: 192.168.0.0/16
IoT_to_HA_src: 192.168.30.21
Iot_to_HA_dest: 192.168.2.6
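To make the expected behaviour of the two rules above concrete, here is an added example that is not part of the original post: a small Python model of OPNsense/pf first-match evaluation for "quick" rules, loaded with the aliases and the two rules exactly as listed. The IoT subnet mask ("iot net") is not stated in the post, so a /24 is assumed; the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Aliases as listed in the post. "iot net" is the interface network alias;
# the post does not give its mask, so /24 is an assumption for this model.
ALIASES = {
    "private ranges": ["192.168.0.0/16"],
    "IoT_to_HA_src": ["192.168.30.21"],
    "Iot_to_HA_dest": ["192.168.2.6"],
    "iot net": ["192.168.30.0/24"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "pass" or "reject" (OPNsense also has "block")
    interface: str
    quick: bool
    src: str         # alias name
    dst: str         # alias name


# Rule order as described: the allow sits above the reject.
RULES = [
    Rule("Allow access to HA IOT", "pass", "IoT", True,
         "IoT_to_HA_src", "Iot_to_HA_dest"),
    Rule("block access to private ranges", "reject", "iot", True,
         "iot net", "private ranges"),
]


def in_alias(ip: str, alias: str) -> bool:
    """True if ip falls in any network listed under the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in ALIASES[alias])


def evaluate(rules, interface: str, src: str, dst: str):
    """Decide (action, rule_name) for the first packet of a flow arriving
    'in' on `interface`. pf walks the list top to bottom; the first matching
    rule marked quick ends evaluation. Without quick, the last match would
    win. Nothing matching falls to the implicit default deny.

    Caveat: real pf only evaluates rules for the packet that creates a
    state; later packets of the same flow are matched against the state
    table and never reach these rules again."""
    last_match = None
    for r in rules:
        if r.interface.lower() != interface.lower():
            continue
        if not (in_alias(src, r.src) and in_alias(dst, r.dst)):
            continue
        if r.quick:
            return r.action, r.name
        last_match = (r.action, r.name)
    return last_match or ("block", "default deny")


# Constructed sample flows, all arriving on the IoT interface.
SAMPLE_FLOWS = [
    ("192.168.30.21", "192.168.2.6"),   # the permitted IoT -> HA pair
    ("192.168.30.50", "192.168.2.6"),   # another IoT host to HA
    ("192.168.30.21", "192.168.2.7"),   # permitted source, other LAN host
    ("192.168.30.21", "8.8.8.8"),       # permitted source to the internet
]


def run_samples(rules=RULES):
    """Evaluate every sample flow and return {(src, dst): (action, rule)}."""
    return {(s, d): evaluate(rules, "iot", s, d) for s, d in SAMPLE_FLOWS}


if __name__ == "__main__":
    for (s, d), (action, name) in run_samples().items():
        print(f"{s} -> {d}: {action} ({name})")
    print("with the rules swapped:")
    for (s, d), (action, name) in run_samples(list(reversed(RULES))).items():
        print(f"{s} -> {d}: {action} ({name})")
```

With the order as posted, every packet from 192.168.30.21 to 192.168.2.6 reaches the pass rule and never the reject; swapping the two rules makes the reject win for that pair as well, which is the ordering mistake the model exists to show. Because this model has no state table, a block logged for an already-permitted pair in the live view is something it cannot reproduce; when checking a real box, compare the logged packet against the state table rather than only against the rule list.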