General Discussion / Re: Block OPT1 from LAN
« on: December 11, 2015, 05:55:24 pm »
Trav1sty,
OPNsense is a packet filter. This means that if you want to block something, you need to do this on the interface where the packet enters the device.
To prevent any communication between LAN and OPT1, you could try the following:
On the OPT1 interface add a firewall rule as follows:
Action is Block
Interface is OPT1
TCP/IP version is IPv4+IPv6
Protocol is any
ICMP type is any
Source is OPT1 net
Destination is LAN net
On the LAN interface add a firewall rule as follows:
Action is Block
Interface is LAN
TCP/IP version is IPv4+IPv6
Protocol is any
ICMP type is any
Source is LAN net
Destination is OPT1 net
To prevent access to the web GUI from OPT1, you could try the following:
On the OPT1 interface add a firewall rule as follows:
Action is Block
Interface is OPT1
TCP/IP version is IPv4+IPv6
Protocol is any
ICMP type is any
Source is OPT1 net
Destination is OPT1 address
I think this will still allow internet access from the OPT1 network, because packets with an end destination on the internet (and not the OPT1 address itself) will not get blocked.
Does this work for you?
Note that if you use your OPNsense device for DHCP on the OPT1 network, you may only want to block ports 80 and 443 in the last rule.
Kind regards,
BertM
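The reasoning in the reply above (rules are applied on the interface where the packet enters, the first matching rule decides, "OPT1 net" matches the whole subnet while "OPT1 address" matches only the firewall's own IP on that interface) can be checked with a small model of the rule evaluation. The following is an added example, not code from the forum post or from OPNsense itself; the subnets 192.168.1.0/24 (LAN) and 192.168.2.0/24 (OPT1), the firewall addresses .1 on each, the sample hosts and the trailing "allow all" pass rule on each interface are assumptions made for the illustration. It builds the three block rules from the post ahead of a permissive rule per interface and evaluates a few constructed packets, including the DHCP case behind the final note.

```python
"""First-match packet-filter model of the LAN/OPT1 rules described in the reply."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the illustration (the post names no addresses).
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),
}
ADDRS = {  # the firewall's own address on each interface ("<IF> address")
    "LAN": ipaddress.ip_address("192.168.1.1"),
    "OPT1": ipaddress.ip_address("192.168.2.1"),
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet enters on, i.e. where it is filtered
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str          # "block" or "pass"
    iface: str           # interface the rule is attached to
    src: str             # "<IF> net" or "any"
    dst: str             # "<IF> net", "<IF> address" or "any"
    proto: str = "any"
    dports: tuple = ()   # () means any destination port


def _selector_matches(selector: str, ip_text: str) -> bool:
    """Resolve "<IF> net" / "<IF> address" / "any" against one IP."""
    if selector == "any":
        return True
    ip = ipaddress.ip_address(ip_text)
    name, kind = selector.split()
    if kind == "net":
        return ip in NETS[name]
    if kind == "address":
        return ip == ADDRS[name]
    raise ValueError(f"unknown selector {selector!r}")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.iface == pkt.iface
        and (rule.proto == "any" or rule.proto == pkt.proto)
        and (not rule.dports or pkt.dport in rule.dports)
        and _selector_matches(rule.src, pkt.src)
        and _selector_matches(rule.dst, pkt.dst)
    )


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def build_rules(gui_ports_only: bool = False):
    """The three block rules from the post, followed by an assumed
    "allow all" pass rule on each interface.  With gui_ports_only the
    last block rule is narrowed to TCP 80/443, as the post's DHCP note suggests."""
    gui_block = Rule(
        "block", "OPT1", "OPT1 net", "OPT1 address",
        proto="tcp" if gui_ports_only else "any",
        dports=(80, 443) if gui_ports_only else (),
    )
    return [
        Rule("block", "OPT1", "OPT1 net", "LAN net"),   # OPT1 -> LAN
        Rule("block", "LAN", "LAN net", "OPT1 net"),    # LAN -> OPT1
        gui_block,                                      # OPT1 -> firewall's OPT1 IP
        Rule("pass", "LAN", "LAN net", "any"),          # assumed existing allow rule
        Rule("pass", "OPT1", "OPT1 net", "any"),        # assumed existing allow rule
    ]


if __name__ == "__main__":
    # Constructed sample packets: an OPT1 host talking to LAN, the firewall and the internet.
    samples = [
        ("OPT1 host -> LAN host (SMB)", Packet("OPT1", "192.168.2.50", "192.168.1.20", "tcp", 445)),
        ("LAN host -> OPT1 host (ping)", Packet("LAN", "192.168.1.20", "192.168.2.50", "icmp")),
        ("OPT1 host -> web GUI on OPT1 IP", Packet("OPT1", "192.168.2.50", "192.168.2.1", "tcp", 443)),
        ("OPT1 host -> DHCP renew to OPT1 IP", Packet("OPT1", "192.168.2.50", "192.168.2.1", "udp", 67)),
        ("OPT1 host -> internet (HTTPS)", Packet("OPT1", "192.168.2.50", "198.51.100.10", "tcp", 443)),
    ]
    for variant, rules in (("full block", build_rules()), ("80/443 only", build_rules(True))):
        for label, pkt in samples:
            print(f"{variant:12} {label:38} {evaluate(rules, pkt)}")
```

With the broad "Protocol is any" rule the DHCP renew to the firewall's OPT1 address is blocked along with the GUI; narrowing it to TCP 80/443 lets DHCP through while the GUI stays blocked, and internet-bound traffic passes in both variants because its destination is neither "LAN net" nor "OPT1 address".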