Messages

1

General Discussion / How to create Airgapped VLAN (and other firewall subtilities)

« on: March 10, 2024, 12:29:31 pm »

Hello

I just got a DEC750 and what a wonderful machine. However, when I search the internet on how to configure the firewall, I see many posts for many different versions of Opnsense with many different ways of doing the same thing. I want to therefore ask here what is the canonical way of achieving the following, in 2024 (Opnsense 24.10+ with business license):

Given a generic interface setup (WAN, LAN1, LAN2, LAN3)

1. What is the correct way of configuring an airgapped VLAN (lets call it VLAN1) ?
Airgapped means:
- No devices in VLAN1 can access the outside world (WAN).
- Devices on a subset of other interfaces (LAN1,LAN2,..) can access the VLAN1.
- Devices in VLAN1 can talk to each other and get IPv4/6 DHCP assignments from router.

2. What is the correct way of configuring an "isolated" VLAN (lets call it VLAN2) ?
Isolated means :
- Devices in VLAN2 can access the outside world (WAN)
- Devices on VLAN2 cannot access any other interface
- No other devices on another interface can access VLAN2, save for a specific subset (Either a VLAN3 or Specific MAC addresses, both ok)
- Devices in VLAN2 can talk to each other and get IPv4/6 DHCP assignments from router.

Let's assume I start from the default configuration on a DEC750 with Opnsense 24.10+ (some rules such as "let out anything from firewall host itself" already present and cannot be deleted (?) on all interfaces). What is the correct procedure to achieve 1. and 2. ?

Thanks
B.

2

Tutorials and FAQs / Re: DEC750: nodes on ports cannot communicate with one-another

« on: March 07, 2024, 09:01:39 pm »

Hello Patrick,

Actually after digging a bit I fixed it.

The issue was not the netmask (although they did not match the connectivity should still be possible). The issue was a faulty ip table configuration on the server. I purged the ip tables and I managed to reach the host. Then I could update the IP config of both the IPMI (ipmitool) and the local NIC

ALL GOOD! Thanks

Great product BTW

3

Tutorials and FAQs / DEC750: nodes on ports cannot communicate with one-another

« on: March 06, 2024, 08:27:53 pm »

Hello

I just got my DEC750 and here is the configuration:

Interfaces:
- ax0 : 10GbLan 192.168.1.1/24
- ax1: WAN
- igc0: LAN 192.168.100.1/24

Firewall:
- Auto generated rules for WAN & LAN with wizard then copy pasted the LAN ones to 10GbLan and edited the corresponding fields: e.g.:
- LAN: https://imgur.com/a/9u0P21s
- 10GbLan: https://imgur.com/a/slvMGq0
Misc:
- DHCP enabled in LAN
- DHCP disabled in 10GbLan

The problem is the following:
- I have a server that is configured with static IP 192.168.1.19/16  and BMC on static 192.168.4.1/16. (from a previous config). I can access neither of these IPs. For the 192.168.4.1 it makes sense because well its a different subnet. But for 192.168.1.19 I can see the host in the ARP table, I can ping it from the DEC750, but I cannot ping it from LAN : request timeout.

If I go to Firewall -> Logs -> Live logs, I can see the ICMP requests being accepted for the 10GbeLan interface. If I ping the corresponding port (192.168.1.1) from LAN (192.168.100.13) I get answers. if I traceroute, I can see the packets reach the 192.168.100.1 then its timeout.

if I unplug my client and plug in on the switch that is connected to ax0 (10GbLan 192.168.1.1/24) then assign myself an IP in the subnet then I can ping 192.168.1.19 no problem.

as I said there is nothing blocked in the firewall for 10GbLan as far as I can see in the logs.

Any help appreciated
thanks.