Messages - opnsenseuser8473

#1
General Discussion / Re: Multiple LAN subnets
July 07, 2025, 08:25:49 PM
[Redacted]
#2
Quote from: coffeecup25 on July 07, 2025, 02:35:40 AM
passeri,

I stated my situation clearly, completely, and concisely several times. I never even hinted at hidden parts. I won't repeat it since it wouldn't make a difference. Once you provided the private network bits, the clarity appeared and I could confidently ignore some of the horrid advice the internet offered in favor of people who knew something. Until then, everyone's advice carried equal weight, meaning none were worth listening to. Now I think I know enough to make my own rules for this.

Why is it even still unclear and confusing to everyone here? And everyone today has attitude or is a victim when stood up to or not recognized as The Boss.

Your good guy status came simply from trying to be helpful and courteous while being on point concisely. It seems to be uncommon today.

I was also in consulting long ago, not networking. I was good at it. Many of my peers bluffed their way through by providing answers to questions they knew the answers to, not the question that was asked. These people remind me of them. Everyone should have a hobby, though I don't see what you see in them.

I can't imagine ever asking for advice here again.


To be fair, I assumed you generally asked how to separate vlans while keeping internet, as that's what it sounded like. If that's not the question then I apologize, as I can only give basic connection steps at the moment that worked for me.

But if it's the issue, it's just about separating the subnet and putting a block rule for those vlan subnets in the homenetwork interface rules before your allow rule to the internet.
#3
General Discussion / Re: I'm at my wits end
July 07, 2025, 03:27:20 AM
Quote from: Patrick M. Hausen on July 06, 2025, 11:20:24 PM
Please attach the images here in the forum. I'm not clicking on links to a site I never heard of, sorry.

I have my own modem, no router built in, and when port forward is in use it's connected to a properly isolated setup with dual trunks, because the switch is weird when it comes to using the same trunk port for separate vlan interfaces in that switch. My only concern is how adding a block rule opens up ports; typically, from my understanding, it's allow rules.

#4
General Discussion / Re: I'm at my wits end
July 07, 2025, 03:19:48 AM
Quote from: Patrick M. Hausen on July 06, 2025, 11:20:24 PM
Please attach the images here in the forum. I'm not clicking on links to a site I never heard of, sorry.

Here is what I'm working with, nothing complex.
#5
I understand and appreciate it, but sometimes abrasiveness isn't what's needed. For basic stuff I'll try to help out if I can learn this site.
#6
Quote from: Patrick M. Hausen on July 06, 2025, 11:46:44 PM
Assuming your existing interface is "LAN" and the new one is "IOT", create

- the IOT interface with an IP subnet different from that on LAN
- the DHCP configuration for that subnet - copy from LAN and adjust the address range
- create a single rule on IOT:

-- source: IOT net
-- destination: LAN net
-- destination invert: check
-- action: allow

That's all. But ...

That only works for a single pair of interfaces. As soon as you have three or more that you want to isolate from each other, that's where the "RFC1918" alias concept comes into play.

Which requires separate additional allow rules for DNS and possibly NTP etc. to the local firewall interface.

But ...

Not all situations have RFC 1918 ("private") networks for internal interfaces. Most of my firewalls actually don't. So you need another different approach - again. I use aliases named "local somethingsomething", one for IPv4 and one for IPv6. Yes, IPv6 exists and people use it in production.


That is why it depends and there is no simple one size fits all answer.


To be fair to coffee, the guy went into an "I can't stand these type of people" statement.
#7
Quote from: opnsenseuser8473 on July 07, 2025, 12:00:15 AM
I'll try to explain step by step from beginning to end, some stuff you might know or have already done, so excuse me. First engage your switch and device. Make sure you set a trunk port that's tagged, the rest untagged. Depending on the switch, an id or tag number might be needed to communicate. Make sure you set the vlan priority to zero for now; if blank then typically it's handled by opnsense.
As that's your own device, sadly you're gonna need to get support from them.

Opnsense side.

Go to interface -> devices -> vlan.
Here you choose the lan port you want to use. The tag number needed above and the vlan priority are set here. Save and apply.

Go to interface -> assignment; you're going to see your vlan name in the drop table at the bottom of the page. In this list hit add.

Interface: go to the name of the vlan interface and set a static IP separate from your lan. Like instead of 192.168.a.a you use 192.168.b.b (letters symbolising different numbers), or use 10.x addresses. Hit enable, save, then apply.

Go to services -> dhcp and just set your range; scroll down, you will see.
Gateway you can leave blank or put the static IP you set up on the interface. Hit apply.

Next it's separating vlans. They are typically separated by default.
But you want to just set a block rule, a generic block rule, in case.

Go to aliases, hit the plus icon to add. Make sure you switch it from host to network and put the created vlan IP address.

Go to your homenetwork (not vlan) rules in firewall -> rules.

And create a generic in and out block rule where source is your home network IP or blank and destination is your vlan alias, and for safe keeping you might want to reverse the order where source is the vlan, to block to and from traffic. If you have multiple vlans it's recommended you do this in their specific rules and aliases to separate them. Keep these rules on top as order matters.

Go to the rules section of your vlan, hit new rule.
Allow, direction in, source blank or lan subnet, destination blank, or if you have specific sites, but that involves complex rule crafting that most users don't need.

As default unbound DNS is default to all interfaces, you don't need to do much there.

I hope this is remotely helpful. If I missed any specifics or I missed a step please let me know. I'm currently dealing with a complex issue but this is basic so I should be able to help.

As you are asking a basic question I assume your setup's not as complex yet.
#8
General Discussion / Re: I'm at my wits end
July 07, 2025, 12:02:55 AM
I tried, I honestly am trying. My attachment says too big. I'll report in after an hour, after I figure out how to use this forum. I'm new to writing in forums.
#9
I'll try to explain step by step from beginning to end, some stuff you might know or have already done, so excuse me. First engage your switch and device. Make sure you set a trunk port that's tagged, the rest untagged. Depending on the switch, an id or tag number might be needed to communicate. Make sure you set the vlan priority to zero for now; if blank then typically it's handled by opnsense.
As that's your own device, sadly you're gonna need to get support from them.

Opnsense side.

Go to interface -> devices -> vlan.
Here you choose the lan port you want to use. The tag number needed above and the vlan priority are set here. Save and apply.

Go to interface -> assignment; you're going to see your vlan name in the drop table at the bottom of the page. In this list hit add.

Interface: go to the name of the vlan interface and set a static IP separate from your lan. Like instead of 192.168.a.a you use 192.168.b.b (letters symbolising different numbers), or use 10.x addresses. Hit enable, save, then apply.

Go to services -> dhcp and just set your range; scroll down, you will see.
Gateway you can leave blank or put the static IP you set up on the interface. Hit apply.

Next it's separating vlans. They are typically separated by default.
But you want to just set a block rule, a generic block rule, in case.

Go to aliases, hit the plus icon to add. Make sure you switch it from host to network and put the created vlan IP address.

Go to your homenetwork (not vlan) rules in firewall -> rules.

And create a generic in and out block rule where source is your home network IP or blank and destination is your vlan alias, and for safe keeping you might want to reverse the order where source is the vlan, to block to and from traffic. If you have multiple vlans it's recommended you do this in their specific rules and aliases as well to separate them. Keep these rules on top as order matters.

Go to the rules section of your vlan, hit new rule.
Allow, direction in, source blank or vlan subnet, destination blank, or if you have specific sites, but that involves complex rule crafting that most users don't need.

As default unbound DNS is default to all interfaces, you don't need to do much there.

I hope this is remotely helpful. If I missed any specifics or I missed a step please let me know. I'm currently dealing with a complex issue but this is basic so I should be able to help.
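The "order matters" point in this post, and the single "destination invert" rule quoted in #6 (which only isolates one pair of interfaces, and why the RFC1918 alias variant then needs its own allow for DNS to the firewall), can be checked with a small first-match evaluator. This is an added example, not code from the thread or from OPNsense; the subnets, the flows and the evaluation model are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample subnets; not taken from the thread.
LAN = ip_network("192.168.1.0/24")
IOT = ip_network("192.168.2.0/24")
CAM = ip_network("192.168.3.0/24")         # a third segment, to show the two-interface limit
IOT_GW = ip_network("192.168.2.1/32")      # the firewall's own address on IOT (DNS/NTP target)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def evaluate(rules, src, dst):
    """First-match evaluation, top to bottom, with implicit default deny,
    which is how the rules on one OPNsense interface are applied.
    A rule is (action, src_nets, dst_nets, dst_invert); None means "any"."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_nets, dst_nets, dst_invert in rules:
        src_hit = src_nets is None or any(src in n for n in src_nets)
        dst_hit = dst_nets is None or any(dst in n for n in dst_nets)
        if src_hit and dst_hit != dst_invert:   # "destination invert" flips the test
            return action
    return "block"


# Recipe quoted in #6: one rule on IOT, destination "LAN net", destination invert checked.
PAIR_RULES = [("pass", [IOT], [LAN], True)]

# Alias recipe: block all private space first, then allow everything else.
ALIAS_RULES = [("block", [IOT], RFC1918, False),
               ("pass", [IOT], None, False)]

# Same alias recipe with the extra allow for the local firewall (DNS/NTP) placed on top.
ALIAS_RULES_WITH_DNS = [("pass", [IOT], [IOT_GW], False)] + ALIAS_RULES

# The mistake the post warns about: the allow-any rule above the block rule.
WRONG_ORDER = [("pass", [IOT], None, False),
               ("block", [IOT], RFC1918, False)]


def demo():
    """Return each ruleset's decision for a few constructed flows from an IOT host."""
    host, lan_pc, cam, dns, web = "192.168.2.10", "192.168.1.5", "192.168.3.7", "192.168.2.1", "203.0.113.9"
    return {
        "pair: iot->lan": evaluate(PAIR_RULES, host, lan_pc),              # block
        "pair: iot->cam": evaluate(PAIR_RULES, host, cam),                 # pass: invert only shields LAN
        "alias: iot->cam": evaluate(ALIAS_RULES, host, cam),               # block
        "alias: iot->dns": evaluate(ALIAS_RULES, host, dns),               # block: needs its own allow
        "alias+dns: iot->dns": evaluate(ALIAS_RULES_WITH_DNS, host, dns),  # pass
        "alias: iot->web": evaluate(ALIAS_RULES, host, web),               # pass
        "wrong order: iot->lan": evaluate(WRONG_ORDER, host, lan_pc),      # pass: block never reached
    }
```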
#10
Plus a product's success and popularity also comes from word of mouth. Those random "new people" can help push a product forward. The last thing a product wants is a decent product with a bad community. It promotes less engagement.
#11
To be honest, yes. People shouldn't expect just professionals to use this product, as many people are trying to deeply secure their internet. The term "elitist" mindset gets tossed around online. To be honest this is an online forum, where a lot of people ask questions. No one is a genius. People do dumb things. Encourage learning, don't discredit. As a math tutor I learned that explaining to them as if they know nothing and building from the ground up helps.
#14
General Discussion / Re: I'm at my wits end
July 06, 2025, 10:23:01 PM
Quote from: opnsenseuser8473 on July 06, 2025, 09:45:49 PM
Quote from: Patrick M. Hausen on July 06, 2025, 09:08:03 PM
Show. The. Rules. Literally. Screenshots.

Please.

You don't need any rule on WAN for example. OPNsense blocks by default.

So this:

Quote: My wan interface is just a generic block inbound traffic rule directed toward wan.

Might be not quite what you intend it to do but instead opens up things.

A "virgin" OPNsense with only WAN IP settings configured and a PC or a switch connected to LAN is secure by default.

I would recommend starting with this setup and then working from there, step by step.

Kind regards,
Patrick
Thank you for your time, I will post it shortly as I'm only able to access online with my phone at the moment due to "complications".

I apologise, as the system that is connecting to opnsense is a glorified monitor, so it's set up with no internet access because it's old. So this is the best I can do. The port imposter is 443 and 80, because some bot tries to port in using UDP port 443 and 80... but they are TCP ports.
#15
General Discussion / Re: I'm at my wits end
July 06, 2025, 09:49:24 PM
Quote from: opnsenseuser8473 on July 06, 2025, 09:45:49 PM
Quote from: Patrick M. Hausen on July 06, 2025, 09:08:03 PM
Show. The. Rules. Literally. Screenshots.

Please.

You don't need any rule on WAN for example. OPNsense blocks by default.

So this:

Quote: My wan interface is just a generic block inbound traffic rule directed toward wan.

Might be not quite what you intend it to do but instead opens up things.

A "virgin" OPNsense with only WAN IP settings configured and a PC or a switch connected to LAN is secure by default.

I would recommend starting with this setup and then working from there, step by step.

Kind regards,
Patrick
Thank you for your time, I will post it shortly as I'm only able to access online with my phone at the moment due to "complications".
So you're saying that putting block rules opens the firewall? That's weird. I put a redundant all-block in a few min.