Messages - hr3078

#1
Hello OPNsense Community,

I am new here and only learning the basics so far, I am seeking help with configuring my OPNsense firewall to block access from a specific VLAN (IoT devices) to my main network and gateway. Below is a detailed description of my setup and the steps I've taken so far.

Network Setup:

- Main Router (Default Gateway): 192.168.0.1
- Firewall (OPNsense): 192.168.1.1
- VLANs:
    - VLAN10 (Roaming): 10.0.10.0/24
    - VLAN20 (Services): 10.0.20.0/24
    - VLAN30 (IoT): 10.0.30.0/24
- Devices:
    - IoT devices are connected to VLAN30 via a wireless access point.

Goals:

- Block IoT devices (VLAN30) from accessing the main network (192.168.0.0/24).
- Block IoT devices from accessing the default gateway (192.168.0.1).
- Allow IoT devices to access the internet.

Steps Taken:

1.  VLAN Configuration:
    - VLANs are configured on a managed switch with the following setup:
        - Ports 2-3: VLAN10 (Untagged)
        - Ports 4-5: VLAN20 (Untagged)
        - Ports 6-7: VLAN30 (Untagged)
        - Port 1: Trunk (Tagged for VLAN10, VLAN20, VLAN30)
2.  Firewall Rules:
    - VLAN30 Interface:
        - Block rule for `Source: 10.0.30.0/24` to `Destination: 192.168.0.0/24`.
        - Block rule for `Source: 10.0.30.0/24` to `Destination: 192.168.0.1`.
        - Allow rule for `Source: 10.0.30.0/24` to `Destination: any` (for internet access).
    - LAN Interface:
        - Added corresponding block rules for traffic originating from VLAN30.
3.  NAT Configuration:
    - Using automatic outbound NAT rule generation.
4.  State Table Reset:
    - Reset the state table after applying firewall rules.

Observations:

- Despite the block rules, IoT devices on VLAN30 can still ping and access the main network (192.168.0.0/24) and the default gateway (192.168.0.1).
Why Not Using Bridge Mode:

- I chose not to convert the ISP router to bridge mode to avoid disruptions with internet connectivity. Since I share the internet with my flatmate, maintaining stability and minimizing downtime was a priority. Changing the ISP router to bridge mode could have caused interruptions, and therefore, I opted to configure the network with the existing set

Firewall Rules Screenshots:

- Attached the firewall rules to this post.

Logs:

- Enabled logging for block rules.
- Observed logs showing that packets from 10.0.30.4 to 192.168.0.x are being blocked, yet pings are still successful.

Questions:

1.  Is there a specific order in which the rules should be placed?
2.  Could there be any configurations in the VLAN settings or NAT rules that I'm missing?
3.  Should I configure additional settings on my wireless access point to support VLAN segregation?

I appreciate any insights or suggestions from the community to help resolve this issue. Thank you in advance for your assistance!
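As an added example (not part of the post, and not OPNsense code), the following Python models the first-match evaluation that OPNsense applies to a per-interface rule set: rules are "quick" by default, so the first rule that matches a packet decides and later rules are never consulted. It uses the three VLAN30 interface rules exactly as the post lists them, then re-evaluates the same traffic with the allow rule moved to the top. The rule labels, the constructed test flows (the IoT client 10.0.30.4 from the post's logs, a host 192.168.0.50 on the main network, and the documentation-range internet address 203.0.113.10) and the reversed ordering are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "block" or "pass"
    src: str      # CIDR, single address, or "any"
    dst: str      # CIDR, single address, or "any"
    label: str    # constructed description, used only for reporting


def _in(addr: str, cidr: str) -> bool:
    """True if addr falls inside cidr; 'any' matches every address."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def decide(rules, src: str, dst: str):
    """Return (action, label) of the first rule matching src -> dst.

    Models OPNsense's default 'quick' behaviour: evaluation stops at the
    first match, so the order of rules on the interface decides the outcome.
    If nothing matches, the implicit default-deny applies.
    """
    for rule in rules:
        if _in(src, rule.src) and _in(dst, rule.dst):
            return rule.action, rule.label
    return "block", "default deny (no rule matched)"


def unused_rules(rules, flows):
    """Labels of rules that no flow ever reaches (shadowed by an earlier rule)."""
    hit = {decide(rules, s, d)[1] for s, d in flows}
    return [r.label for r in rules if r.label not in hit]


# The three VLAN30 interface rules from the post, in the order listed there.
POST_ORDER = [
    Rule("block", "10.0.30.0/24", "192.168.0.0/24", "block IoT -> main network"),
    Rule("block", "10.0.30.0/24", "192.168.0.1",    "block IoT -> gateway"),
    Rule("pass",  "10.0.30.0/24", "any",            "allow IoT -> internet"),
]

# Same rules with the allow rule placed first (constructed counter-example).
ALLOW_FIRST = [POST_ORDER[2], POST_ORDER[0], POST_ORDER[1]]

# Constructed test flows from the IoT client seen in the post's logs.
FLOWS = [
    ("10.0.30.4", "192.168.0.1"),    # the default gateway
    ("10.0.30.4", "192.168.0.50"),   # a host on the main network
    ("10.0.30.4", "203.0.113.10"),   # an internet host (documentation range)
]

if __name__ == "__main__":
    for name, ruleset in (("post order", POST_ORDER), ("allow first", ALLOW_FIRST)):
        print(f"== {name} ==")
        for src, dst in FLOWS:
            action, label = decide(ruleset, src, dst)
            print(f"{src} -> {dst}: {action:5} ({label})")
        print("never reached:", unused_rules(ruleset, FLOWS))
```

Two things the model makes visible: in the post's order the 192.168.0.0/24 rule already covers 192.168.0.1, so the separate gateway rule is never reached (harmless, but redundant), and with the allow-any rule on top no block rule is ever consulted. Rules on an OPNsense interface apply to traffic entering the firewall on that interface, so for IoT-originated traffic the VLAN30 rule set is the one that matters. The model covers rule order only; it cannot account for traffic that reaches the main network without ever entering the VLAN30 interface.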