Messages - Mming

#1
Good afternoon,
Considering purchasing a Protectli VP2420 for my network. As far as I understand this uses the Intel J6420 CPU. I was wondering if anyone has any experience using this, or a similar device with this CPU, for OPNsense and the Zenarmor NG Firewall. The current network is not large; I would estimate 25-30 devices.
Storage will not be an issue and I plan for 16 GB of RAM.

/Mming.
#2
General Discussion / UPnP challenges
May 01, 2024, 04:25:42 PM
I'm setting up a new OPNsense FW for my home LAN, but have issues getting UPnP to work properly.

UPnP is currently set up to service my Xbox on a dedicated VLAN, vlan2. This VLAN is assigned to a network interface without any additional IP addresses. The interface is NOT assigned to lan either; vlan2 is assigned to a third interface.

Installed UPnP, ticked Enable and "Allow UPnP IGD Portmapping". External interface is WAN and Interfaces is set to vlan2.
Tried "default deny" both on and, currently, off. For "user specified permissions" I added the following for the test when I enabled "default deny": allow 1024-65535 192.168.2.28 1024-65535

When I check NAT from my Xbox I get "strict NAT" and "UPnP not successful".
When I check the status of the UPnP service in OPNsense I get no entries; it is just blank.

I get the sense that I'm missing something here, because this is, as far as I understand, something that should now just work.

Any feedback highly appreciated.

/Mming

#3
Hi, and thanks for the confirmation and suggestion about the RFC 1918 groups. Tried that and it worked really well.

Do you recommend having the general rule as a floating rule, or defined in the "grouping" for each interface? It was my understanding that floating rules would be checked first and that if any traffic matches, further processing would stop. But what I see is that if I have the default allow rule for http(s) for !rfc_1918, inter-VLAN traffic would be stopped, as intended, since this is a match. But if I add an additional rule for vlan1 with ANY as the destination, I will be able to access both external sites AND the internal http(s) sites.
Shouldn't the floating rule take precedence and stop traffic intended for the internal VLANs even though I have an allow any/any directly on the VLAN?

What am I missing here?

/Mming
#4
So, fairly new to OPNsense, but I think I've figured out most of it. I do have some questions regarding default FW rules and limiting access to VLANs.
The goal is to deny all inter-VLAN traffic, as it currently is by default, and initially open up each VLAN in a controlled manner. By default I want to allow web browsing only to the internet, not intra-VLAN.

I tried to apply the default allow rule for lan,
which is

Interface: lan
Direction: in
TCP/IP version: IPv4
Protocol: tcp
Source: lan
Destination: any
Destination port: web_browsing (changed this from any to my defined alias group).

So far this makes perfect sense, but the problem is related to the destination, since there is no defined "endpoint" for the internet as a whole, only the "any" destination. So by using this, http traffic is allowed to each VLAN as well. This is not something that should be widely allowed.

So my question (or request for feedback) is about what I plan to do, as this seems to solve my challenge:

I create an alias group containing all my VLANs (vlan1, vlan2, vlan3, vlan4, vlan5), called local_networks. I've also created an alias for http and https called web_browsing. All my VLANs are assigned to the lan interface, and the lan interface has no IPs assigned; it only serves the VLANs I've defined.
Then I create a new default rule which will be the last "allow" rule to be evaluated before my default drop rule. The rule would look like this (if I put it on vlan1):

Interface: vlan1
Direction: in
TCP/IP version: IPv4
Source: vlan1 net

Destination / Invert: yes
Destination: local_networks
Destination port range: web_browsing

As far as I understand this will achieve my goal of still limiting traffic between the VLANs: all web traffic is only allowed to the internet, and it will not be possible to browse websites on the internal LANs. If I need that, I should create dedicated rules explicitly allowing access to web traffic on the VLANs, and place those rules above this default rule.

Any feedback would be greatly appreciated, either confirmation that this makes sense or whether there are better ways to achieve my end goal.

/Mming
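The two rule questions in posts #3 and #4 (why a floating "allow web to !rfc_1918" rule does not by itself stop inter-VLAN traffic once an any/any rule exists on the VLAN, and what the inverted local_networks rule actually permits) come down to how pf walks the ruleset. The script below is an added example written for this page, not code from OPNsense or from the poster. It models the pf semantics OPNsense relies on: floating rules are loaded before interface rules, a rule marked quick ends evaluation at the first match, a non-quick rule only records a tentative verdict that a later match can override, and an unmatched packet hits the default deny. The alias contents, the vlan1 host 192.168.1.10 and the internet address 203.0.113.7 are constructed for the example; the rules are the ones described in the posts, with quick assumed on.

```python
"""pf-style rule walk, reduced to what the posts above ask about.

Rules: floating first, then interface rules. quick stops at first match;
a non-quick match only sets a tentative verdict (last match wins).
No match at all: default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Network aliases. Constructed for this example; only the alias names
# follow the posts, the address plan is assumed.
ALIASES = {
    "rfc_1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "local_networks": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24",
                       "192.168.4.0/24", "192.168.5.0/24"],
    "vlan1 net": ["192.168.1.0/24"],
}
PORT_ALIASES = {"web_browsing": {80, 443}}


def addr_in(addr: str, spec: str) -> bool:
    """True if addr is covered by spec ('any', an alias name, or a CIDR)."""
    if spec == "any":
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in ALIASES.get(spec, [spec]))


def port_in(port: int, spec: str) -> bool:
    return spec == "any" or port in PORT_ALIASES[spec]


@dataclass
class Rule:
    name: str
    action: str                # "pass" or "block"
    interface: Optional[str]   # None models a floating rule
    src: str = "any"
    dst: str = "any"
    dst_invert: bool = False   # the GUI's "Destination / Invert" checkbox
    dport: str = "any"
    quick: bool = True

    def matches(self, pkt: dict) -> bool:
        if self.interface is not None and self.interface != pkt["iface"]:
            return False
        if not addr_in(pkt["src"], self.src):
            return False
        # With invert set, the rule matches only when dst is NOT in the alias.
        if addr_in(pkt["dst"], self.dst) == self.dst_invert:
            return False
        return port_in(pkt["dport"], self.dport)


def evaluate(rules, pkt):
    """Return (action, rule name). `rules` must list floating rules first."""
    verdict = ("block", "default deny")
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.quick:
            return (r.action, r.name)
        verdict = (r.action, r.name)   # non-quick: may still be overridden
    return verdict


def pkt(iface, src, dst, dport):
    return {"iface": iface, "src": src, "dst": dst, "dport": dport}


# Post #3: floating allow of http(s) to !rfc_1918, plus an any/any on vlan1.
FLOATING_WEB = Rule("floating web to !rfc_1918", "pass", None,
                    dst="rfc_1918", dst_invert=True, dport="web_browsing")
VLAN1_ANY = Rule("vlan1 allow any", "pass", "vlan1")


def post3_verdicts():
    internet = pkt("vlan1", "192.168.1.10", "203.0.113.7", 443)
    intervlan = pkt("vlan1", "192.168.1.10", "192.168.2.28", 443)
    return {
        # Floating rule matches and passes.
        "internet with any/any": evaluate([FLOATING_WEB, VLAN1_ANY], internet),
        # Floating rule does not match RFC1918 dst, so the any/any decides.
        "inter-vlan with any/any": evaluate([FLOATING_WEB, VLAN1_ANY], intervlan),
        # Without the any/any nothing matches: default deny.
        "inter-vlan without any/any": evaluate([FLOATING_WEB], intervlan),
    }


# Post #4: the proposed last allow rule on vlan1.
VLAN1_WEB_OUT = Rule("vlan1 web to !local_networks", "pass", "vlan1",
                     src="vlan1 net", dst="local_networks", dst_invert=True,
                     dport="web_browsing")


def post4_verdicts():
    rules = [VLAN1_WEB_OUT]
    return {
        "web to internet": evaluate(rules, pkt("vlan1", "192.168.1.10", "203.0.113.7", 443)),
        "web to vlan2": evaluate(rules, pkt("vlan1", "192.168.1.10", "192.168.2.28", 443)),
        "ssh to internet": evaluate(rules, pkt("vlan1", "192.168.1.10", "203.0.113.7", 22)),
    }


if __name__ == "__main__":
    for label, v in {**post3_verdicts(), **post4_verdicts()}.items():
        print(f"{label:30s} -> {v[0]:5s} ({v[1]})")
```

The point the model makes explicit: a pass rule whose destination is inverted never matches the traffic it excludes, so it cannot "stop" inter-VLAN packets; those are only dropped because nothing else matches. Anything that does match later (the any/any rule in post #3) passes them. That is why the post #4 approach works as a last allow rule only as long as no broader pass rule sits on the same interface, and why an explicit block for local_networks placed above the allow rules is the robust way to pin the intent down.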