Messages

1

General Discussion / Re: Default rule to allow traffic in own subnet

« on: October 08, 2024, 09:50:33 am »

In the end I got it working just using floating rules (https://ibb.co/5W4LFQk). I've also looked into groups, as suggested here, but ended up not using it. It is possible to create rules with <GROUP> net but not possible to specify <GROUP> address, which is possible with regular interfaces. I'm aware that this is perhaps not the best practice, but I really like having all my rules in one place. Perhaps if the number of rules becomes to large that I will relocate them to their respective interface.

If there is a way to condense the whole allow traffic within subnets block I'm still very interested to hear how it can be done!

Thanks for the help!

2

General Discussion / Re: Default rule to allow traffic in own subnet

« on: October 06, 2024, 08:46:57 pm »

Could you elaborate on why not to use floating rules? Why the distinction between floating rules and interface rules (which are then okay to use without knowing what you are doing?

For manageability floating rules seem to require less entries since it allows the use of aliases. For instance, I've got multiple interfaces/vlans from which I want to access the management portal. I could create an alias for this which includes all these interfaces/vlans and a single floating rule or I could create the same identical rule for each member of this alias in the interface section. For me, managing a single rule and a grouped access list has my preference.

But, as you suggest, I'm fairly new to this topic and I'm open to suggestions on how to handle a situation such as described above

3

General Discussion / Re: Default rule to allow traffic in own subnet

« on: October 06, 2024, 07:52:30 pm »

Hmm, I was under the impression that this was the case. Can you explain why the block rule in the attached screenshot (https://ibb.co/zRCx8Nt) prevents internet access on the IOT network? If I disable this rule I am able to reach the internet on the IOT network (which is part of the trusted_for_internet alias). This does seem to suggest that this traffic is passed through the firewall.

As floating rules are matched before interface rules the final rule (which is on the interface level) is not matched, hence the question for a more generic floating rule to solve this problem.

4

General Discussion / Default rule to allow traffic in own subnet

« on: October 06, 2024, 05:53:31 pm »

Hi all, I'm setting up my OPNsense router for home use and are moving towards a segmented network. Currently I'm writing the firewall rules which span multiple interfaces. I've got some basic aliases (which are vlans/interfaces) for which I specify the rules. Now I want to block by default if none of the rules match. To prevent subnets from losing internet access I should whitelist traffic within their respective subnets (or at least the gateway address). I'm aware that this is possible by creating a rule for each interface (such as this -> https://ibb.co/MRh22bP). However, I was wondering if there is the option to specify this once as a floating rule instead of creating an ALLOW XX NET -> NET XX ADDRESS rule for each interface.