block all traffic between VLANs

Started by ZZzzzzz, August 18, 2019, 06:55:37 PM

August 18, 2019, 06:55:37 PM Last Edit: August 18, 2019, 07:56:23 PM by ZZzzzzz
Hi!

I have a gateway/server with fresh OPNsense install (Jazzy Jaguar)

There are 3 NIC: 1 for WAN, 2 for LAN aggregated with LAGG(LACP).

On the LAGG there are 5 VLAN (eg 10.1.x.x/16, 10.2.x.x/16, ...)

So far so good, everything works perfectly.

I'd like to ask what the simplest way is to block traffic between VLANs.

For example: a user on VLAN1 could ping the GW and public IPs ("The Internet") but not the other VLANs' IPs.

I could block the other VLANs' "net" addresses one by one per interface, but I think there should be a more clever solution.

The next question is: block all traffic between VLANs except to one specific IP in VLAN 5, which is an internal web server (e.g. 10.1.0.1 -> http://10.5.0.1, 10.2.3.4 -> http://10.5.0.1).


Thanks in advance

I created aliases like "intranet_except_VLAN1", "intranet_except_VLAN2" and so on (every alias contains all VLAN network addresses except the one in its name).

Then I created a block rule on every VLAN interface with the related alias as destination, any source, any port, any protocol.

It's working and it's only one rule per VLAN interface, but there should be a more clever way...

By the way, why does OPNsense allow traffic between VLANs by default?

As they are separate "NICs", I would say it doesn't. It depends on the rules you set. Normally the ruleset of the VLANs is empty, which means everything is blocked (default).

Most of us do a target any/any rule per VLAN.

August 20, 2019, 11:55:43 AM #3 Last Edit: August 20, 2019, 11:57:48 AM by hbc
Traffic between VLAN interfaces should not be allowed in OPNsense by default. Usually you have a default 'deny all' rule.

The problem is the 'dst: any' rules for internet access. As soon as you create a rule like this, you enable access to these ports on other VLANs. That is really a problem that can create holes in your ruleset.

It would be nice if you could add interfaces to rules. Allow any:80,443 to interface wan.

Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
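As an added illustration (not code from the thread, from OPNsense or from any poster), the Python below models OPNsense's first-match rule evaluation (rules are created with pf's `quick` flag, and an unmatched packet hits the implicit default deny) and compares the three rulesets discussed above: a plain "pass to any" internet rule, which is the hole hbc describes; the OP's per-interface `intranet_except_VLANx` block alias placed before the pass rule; and a single alias holding all VLAN networks used as an inverted destination, so one alias serves every interface. The /16 networks follow the shapes given in the thread, while the gateway address 10.1.0.254, the web server port, the TEST-NET destination and all function names are constructed assumptions for the example.

```python
"""Model of first-match ('quick') firewall rule evaluation for the inter-VLAN
rulesets discussed in the thread. Constructed example, not OPNsense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed networks following the 10.x.0.0/16 shape given in the thread.
VLAN_NETS = {
    "vlan1": ip_network("10.1.0.0/16"),
    "vlan2": ip_network("10.2.0.0/16"),
    "vlan3": ip_network("10.3.0.0/16"),
    "vlan4": ip_network("10.4.0.0/16"),
    "vlan5": ip_network("10.5.0.0/16"),
}
ALL_VLANS = list(VLAN_NETS.values())        # one shared "all VLAN nets" alias
WEB_SERVER = ip_network("10.5.0.1/32")      # internal web server from the question
GW_VLAN1 = ip_network("10.1.0.254/32")      # assumed OPNsense address on VLAN1
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: List                       # list of ip_network objects
    dst: List
    dst_port: Optional[int] = None  # None = any port
    invert_dst: bool = False        # OPNsense "Destination / Invert" (pf "!")

    def matches(self, src_ip, dst_ip, dst_port) -> bool:
        if not any(src_ip in n for n in self.src):
            return False
        in_dst = any(dst_ip in n for n in self.dst)
        # With invert set, the rule matches only destinations NOT in the alias.
        if in_dst == self.invert_dst:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def evaluate(rules, src: str, dst: str, dst_port: int = 80) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dst_port):
            return rule.action
    return "block"


def vlan1_dst_any():
    """Typical 'internet access' rule on the VLAN1 interface: pass to any."""
    return [Rule("pass", [VLAN_NETS["vlan1"]], ANY)]


def vlan1_except_alias():
    """The OP's approach: block an alias of every other VLAN net, then pass any."""
    except_vlan1 = [n for name, n in VLAN_NETS.items() if name != "vlan1"]
    return [
        Rule("pass", [VLAN_NETS["vlan1"]], [WEB_SERVER], dst_port=80),
        Rule("block", [VLAN_NETS["vlan1"]], except_vlan1),
        Rule("pass", [VLAN_NETS["vlan1"]], ANY),
    ]


def vlan1_inverted_alias():
    """One shared alias: allow the web server and the gateway explicitly,
    then pass only to destinations that are NOT any VLAN network."""
    return [
        Rule("pass", [VLAN_NETS["vlan1"]], [WEB_SERVER], dst_port=80),
        Rule("pass", [VLAN_NETS["vlan1"]], [GW_VLAN1]),
        Rule("pass", [VLAN_NETS["vlan1"]], ALL_VLANS, invert_dst=True),
    ]


if __name__ == "__main__":
    cases = [("10.2.0.5", 80), ("203.0.113.10", 443), ("10.5.0.1", 80),
             ("10.5.0.1", 443), ("10.1.0.254", 0)]
    for name, rules in [("dst any", vlan1_dst_any()),
                        ("except alias", vlan1_except_alias()),
                        ("inverted alias", vlan1_inverted_alias())]:
        for dst, port in cases:
            print(f"{name:15} 10.1.0.5 -> {dst}:{port:<4} {evaluate(rules, '10.1.0.5', dst, port)}")
```

Run as-is, the first ruleset passes 10.1.0.5 -> 10.2.0.5, which is exactly the cross-VLAN hole a "pass to any" rule opens; the other two block it while still passing internet destinations and the web server on port 80 only. The inverted-alias form also shows why the gateway needs its own pass rule: the firewall's VLAN1 address sits inside the "all VLANs" alias and would otherwise be caught by the inversion.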