Topic: block all traffic between VLANs (Read 7890 times)
ZZzzzzz
Newbie, Posts: 6, Karma: 1
block all traffic between VLANs
« on: August 18, 2019, 06:55:37 pm »
Hi!
I have a gateway/server with a fresh OPNsense install (Jazzy Jaguar).
There are 3 NICs: 1 for WAN, 2 for LAN aggregated with LAGG (LACP).
On the LAGG there are 5 VLANs (eg 10.1.x.x/16, 10.2.x.x/16, ...).
So far so good, everything works perfectly.
I'd like to ask which is the simplest way to block traffic between VLANs.
For example: from VLAN1 a user could ping the GW and the public IPs ("The Internet") but not the other VLANs' IPs.
I could block the other VLAN "net" addresses one-by-one per interface, but I think there should be a more clever solution.
The next question is: block all traffic except for one specific IP in VLAN 5, which is an internal web server, between VLANs (eg 10.1.0.1 -> http://10.5.0.1, 10.2.3.4 -> http://10.5.0.1).
Thanks in advance
« Last Edit: August 18, 2019, 07:56:23 pm by ZZzzzzz »
ZZzzzzz
Newbie, Posts: 6, Karma: 1
Re: block all traffic between VLANs
« Reply #1 on: August 20, 2019, 11:24:55 am »
I did aliases like "intranet_except_VLAN1", "intranet_except_VLAN2" and so on (every alias contains all VLAN network addresses except the one in its name),
created a blocking rule on every VLAN interface and put the related alias as destination, with any source, any port, any protocol.
It's working, and it's only one rule per VLAN interface, but there should be a more clever way...
By the way, why does OPNsense allow traffic between VLANs by default?
ruggerio
Sr. Member, Posts: 295, Karma: 11
Re: block all traffic between VLANs
« Reply #2 on: August 20, 2019, 11:50:58 am »
As they are separate "NICs", I would say no. It depends on the rules you set. Normally the ruleset of the VLANs is empty, which means all blocked (default).
Most of us do a target any/any rule per VLAN.
hbc
Hero Member, Posts: 501, Karma: 47
Re: block all traffic between VLANs
« Reply #3 on: August 20, 2019, 11:55:43 am »
Traffic between VLAN interfaces should not be allowed in OPNsense by default. Usually you have a default 'deny all' rule.
The problem is the 'dst: any' rules for internet access. As soon as you create a rule like this, you enable access to these ports from other VLANs. That is really a problem that can create holes in your ruleset.
It would be nice if you could add interfaces to rules. Allow any:80,443 to interface wan.
« Last Edit: August 20, 2019, 11:57:48 am by hbc »
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
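The two rule layouts discussed in this thread, the per-VLAN "pass to any" rule that hbc says leaks between VLANs and the "block the intranet_except_VLANn alias first" layout from Reply #1 with the web-server exception from the first post, can be checked against each other with a small first-match model. The following is an added example written for this page, not OPNsense code or any poster's configuration: it assumes the 10.n.0.0/16 per VLAN addressing from the first post, assumes the web-server exception is TCP/80 only (the thread only says "http"), and models OPNsense's first-match evaluation of inbound rules on the interface a packet enters, with "block" as the default when nothing matches.

```python
"""Constructed first-match model of per-VLAN firewall rules (not OPNsense code)."""
import ipaddress
from dataclasses import dataclass

# Constructed topology matching the thread: VLANn carries 10.n.0.0/16.
VLANS = {f"VLAN{n}": ipaddress.ip_network(f"10.{n}.0.0/16") for n in range(1, 6)}
WEBSERVER = ipaddress.ip_address("10.5.0.1")   # internal web server on VLAN5


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    iface: str                         # interface the packet enters on
    dst: tuple = ()                    # destination networks; empty tuple means "any"
    dports: frozenset = frozenset()    # destination ports; empty set means "any"

    def matches(self, iface, dst_ip, dport):
        if iface != self.iface:
            return False
        if self.dst and not any(dst_ip in net for net in self.dst):
            return False
        if self.dports and dport not in self.dports:
            return False
        return True


def evaluate(rules, iface, dst, dport=None):
    """First matching rule wins; no match falls through to the default deny.
    dport=None stands for a protocol without ports (e.g. ICMP ping)."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(iface, dst_ip, dport):
            return rule.action
    return "block"


def intranet_except(name):
    """Alias like 'intranet_except_VLAN1' from Reply #1: every VLAN net but its own."""
    return tuple(net for vlan, net in VLANS.items() if vlan != name)


def leaky_ruleset():
    """One 'pass to any' rule per VLAN interface, the pattern hbc warns about:
    'any' also covers the other VLANs' networks."""
    return [Rule("pass", vlan) for vlan in VLANS]


def isolated_ruleset():
    """Reply #1's layout plus the web-server exception, in first-match order."""
    rules = []
    for vlan in VLANS:
        # 1. allow only the web server on VLAN5 (assumed TCP/80 only)
        rules.append(Rule("pass", vlan,
                          (ipaddress.ip_network(f"{WEBSERVER}/32"),),
                          frozenset({80})))
        # 2. block everything else headed for another VLAN (must sit above 3.)
        rules.append(Rule("block", vlan, intranet_except(vlan)))
        # 3. the usual 'to any' rule for gateway and internet access
        rules.append(Rule("pass", vlan))
    return rules


if __name__ == "__main__":
    for label, rules in (("leaky", leaky_ruleset()), ("isolated", isolated_ruleset())):
        print(label, "VLAN1 -> 10.2.0.5:22  ", evaluate(rules, "VLAN1", "10.2.0.5", 22))
        print(label, "VLAN1 -> 10.5.0.1:80  ", evaluate(rules, "VLAN1", "10.5.0.1", 80))
        print(label, "VLAN1 -> 10.5.0.2:80  ", evaluate(rules, "VLAN1", "10.5.0.2", 80))
        print(label, "VLAN1 -> 93.184.216.34", evaluate(rules, "VLAN1", "93.184.216.34", 443))
```

Two things the model makes visible. First, the block rule only protects the other VLANs because it is evaluated before the "pass to any" rule on the same interface; swapping rules 2 and 3 reproduces the leak. Second, the alias approach has to be maintained by hand: adding a sixth VLAN means touching every existing "intranet_except" alias, which is the reason the original poster was hoping for a more general solution.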