General Discussion / Policy Hierarchy in OPNsense?
« on: March 19, 2024, 08:18:14 pm »
Hi - OPNsense newcomer here.
For the last seven years, I have deployed an Untangle/Arista NGFW at Home instance, which is installed on a recycled Dell Optiplex. It's been an excellent product, but unfortunately Arista (which bought Untangle) is discontinuing the product. I'm zeroing in on OPNsense (+Zenarmor) as a replacement.
While all the docs and community tutorials have been enormously helpful, I do have a lingering question. On the Arista NGFW, it's possible to create a policy hierarchy, and assign devices (with matching criteria) to any policy in that hierarchy. So, you can do something like this:
[Parent] Home Policy <--- Basic Web Filtering, Local SSH, etc.
[Child] Limited Access Policy <--- Whitelist-Based Web Filtering, More Restrictive Firewall Rules, etc.
[Child] Media Devices <--- Basic Web Filtering, Whitelist Selected Ad Domain Matches, etc.
These policies are then assigned to (statically addressed) devices based on their address, MAC, user association - whatever. Arista's NGFW also has a very flexible tagging function (add any labels to any devices for any duration), which made policy application super easy (e.g. apply "limited access" policy to any devices tagged "restricted").
This capability is perhaps the most essential in my setup; namely, I need to be able to assign different rules to different devices.
Is this achievable with OPNsense + Zenarmor, and if so, could anyone point me in the general direction?
Thanks for any information you may be able to provide!
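As an added illustration of the parent/child scheme the post describes (this is constructed example code, not OPNsense, Zenarmor or Arista code): a child policy inherits the parent's settings and overrides what it redefines, devices are matched by IP, MAC or tag, the deepest matching policy wins, and the result is resolved into a flat per-device rule list, which is the shape a flat, first-match rule set needs instead of a hierarchy. All policy names, settings, addresses and MACs below are made up for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the parent/child policy scheme in the post. A child
# policy inherits its parent's settings and overrides what it redefines; a
# device matches an assignment by IP, MAC or tag, deepest policy winning.
@dataclass
class Policy:
    name: str
    rules: dict                      # setting name -> value (illustrative)
    parent: "Policy | None" = None

    def depth(self):
        return 0 if self.parent is None else 1 + self.parent.depth()

    def effective_rules(self):
        """Resolve inheritance: parent first, then the child's overrides."""
        base = self.parent.effective_rules() if self.parent else {}
        return {**base, **self.rules}

@dataclass
class Device:
    ip: str
    mac: str
    tags: set = field(default_factory=set)

def assign_policy(device, assignments, default):
    """assignments: list of (policy, {"ip"|"mac"|"tag": value}); most specific wins."""
    best = default
    for policy, m in assignments:
        hit = (m.get("ip") == device.ip or m.get("mac") == device.mac
               or m.get("tag") in device.tags)
        if hit and policy.depth() > best.depth():
            best = policy
    return best

def flatten(devices, assignments, default):
    """Emit flat (ip, policy, setting, value) tuples: the form a flat,
    first-match rule set needs once the hierarchy is resolved."""
    return [(d.ip, p.name, k, v)
            for d in devices
            for p in [assign_policy(d, assignments, default)]
            for k, v in sorted(p.effective_rules().items())]

# Constructed sample hierarchy and devices (not real network data).
HOME = Policy("Home", {"web_filter": "basic", "local_ssh": "allow"})
LIMITED = Policy("Limited Access", {"web_filter": "whitelist", "local_ssh": "deny"}, HOME)
MEDIA = Policy("Media Devices", {"ad_whitelist": "selected"}, HOME)
ASSIGNMENTS = [(LIMITED, {"tag": "restricted"}), (MEDIA, {"mac": "aa:bb:cc:00:00:01"})]
DEVICES = [Device("192.0.2.10", "aa:bb:cc:00:00:01"), Device("192.0.2.12", "aa:bb:cc:00:00:03"),
           Device("192.0.2.11", "aa:bb:cc:00:00:02", {"restricted"})]
```

Calling `flatten(DEVICES, ASSIGNMENTS, HOME)` gives the tagged device the Limited Access settings, the MAC-matched device the Media Devices settings on top of Home's, and the unmatched device plain Home.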