VLANs and Firewalling

Started by olivernz, September 17, 2019, 11:41:19 AM

Hi all,

Sorry for asking but I just can't seem to get this sorted. I have about 5 VLANs on my network. All working fine except I can't get the FW rules working as I want them to. So HELP!! Before I go nuts. Here's the rule examples I'd need:

1) block traffic between VLANs
2) allow VLAN to a specific server
3) block VLAN to internet

Help!

Thanks heaps
Oliver



Hi Oliver,

If you have private networks on the VLANs, you could create an alias for all RFC1918 networks and create a block rule on each interface.

Before or above that block rule you should add rules for what is allowed to talk between those VLANs or directly with the firewall interface (NTP and DNS, for example).

After or below that block rule you can add rules like:
Allow: LAN 1 -> ANY : ANY


That way, all traffic to your firewall or between VLANs is processed by your allow rules.
All other traffic between your VLANs is blocked by the block rule, but only from RFC1918 networks.

Hope that helps.
For a detailed guide you can use the guest network howto as reference: https://docs.opnsense.org/manual/how-tos/guestnet.html

Regards,

Dominik
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de


Hi,

So I tried everything again and nothing works on any logic I can fathom. You can see my rules below. All floating rules are automatic.
I so F'n HATE firewalls. I swear if I get this going I'll write a blog post for the lost.

Most of the time, when any traffic from VLAN90 hits anything, it goes to the default deny rule. But oddly, traffic and pings work, yet they don't show up in the Live log! I don't get it.

Cheers
oliver

Have you set the allow rules to logging?


If you think the rules are correct, try resetting the states, under Diagnostics.

Or use the inspect functionality to see if the rules are processed.

Yeah, I have reset the rules under Diagnostics. Did nothing. I generally check what works in the Live view. I'll try the inspect.

September 26, 2019, 01:58:03 AM #8 Last Edit: September 26, 2019, 02:03:47 AM by Sirius1
Traffic blocking between VLANs will work.

Generally, but maybe I'm more old-school, I always feel it's better to explicitly set your 'Source' as you did with the DNS Server rule. This eliminates any question of how your * wildcard might be interpreted.

Re: the VLAN blocking from your last rule, I'm really not sure how the destination you have defined would work out. The most direct way to do this is what an earlier poster noted: create an alias for all RFC1918 networks, then create an explicit deny rule. Use your last rule as a guide, use 'VLAN90 net' as the source, and change the destination to the RFC1918 alias.

That should block traffic from VLAN90 to other VLANs.
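To make the rule layout from Dominik's and Sirius1's posts concrete, here is an added example that is not part of the thread and not OPNsense code. It simulates first-match evaluation of the VLAN90 interface rules: explicit allows to the firewall address and to one server, then a block to an RFC1918 alias, then (optionally) allow-any for internet access. The addresses, ports, rule labels and sample flows are constructed assumptions; the `block_first` flag shows what happens when the block rule is placed above the allows, which is the ordering the posts warn against.

```python
"""First-match evaluation of the per-VLAN rule layout described in the thread.

Added example, not part of the forum posts. Addresses, ports and rule labels
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

Nets = Optional[List[IPv4Network]]  # None means "any"

# Alias covering every RFC1918 range, as both posts suggest creating.
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed lab addressing (assumption, not from the thread).
VLAN90_NET = [ip_network("192.168.90.0/24")]      # "VLAN90 net"
VLAN90_ADDRESS = [ip_network("192.168.90.1/32")]  # the firewall's own VLAN90 address
FILE_SERVER = [ip_network("192.168.10.5/32")]     # the one server VLAN90 may reach

Packet = Tuple[IPv4Address, IPv4Address, str, Optional[int]]  # src, dst, proto, dport


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: Nets                    # source networks, None = any
    dst: Nets                    # destination networks, None = any
    proto: Optional[str] = None  # "tcp", "udp", "icmp"; None = any
    dport: Optional[int] = None  # destination port; None = any
    label: str = ""


def in_nets(nets: Nets, addr: IPv4Address) -> bool:
    return nets is None or any(addr in n for n in nets)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Interface rules are first-match: the first rule that matches decides.
    Nothing matched means the implicit default deny."""
    src, dst, proto, dport = pkt
    for r in rules:
        if (in_nets(r.src, src) and in_nets(r.dst, dst)
                and (r.proto is None or r.proto == proto)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.label
    return "block", "default deny"


def vlan90_rules(internet_allowed: bool = True, block_first: bool = False) -> List[Rule]:
    """Rule set for the VLAN90 interface.

    internet_allowed=False drops the trailing allow-any rule, so non-RFC1918
    destinations fall through to the default deny (question 3 in the thread).
    block_first=True reproduces the ordering mistake of placing the RFC1918
    block above the allow rules, which also cuts off DNS/NTP to the firewall
    because the firewall's VLAN90 address is itself an RFC1918 address."""
    to_firewall = [
        Rule("pass", VLAN90_NET, VLAN90_ADDRESS, "udp", 53, "DNS to firewall"),
        Rule("pass", VLAN90_NET, VLAN90_ADDRESS, "udp", 123, "NTP to firewall"),
    ]
    to_server = [Rule("pass", VLAN90_NET, FILE_SERVER, "tcp", 445, "SMB to one server")]
    block_private = [Rule("block", VLAN90_NET, RFC1918, label="block VLAN90 -> RFC1918")]
    to_internet = [Rule("pass", VLAN90_NET, None, label="VLAN90 -> any")] if internet_allowed else []

    if block_first:
        return block_private + to_firewall + to_server + to_internet
    return to_firewall + to_server + block_private + to_internet


def packet(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Packet:
    return ip_address(src), ip_address(dst), proto, dport


# Constructed sample flows from one VLAN90 host.
SAMPLE_FLOWS = {
    "dns_to_firewall": packet("192.168.90.20", "192.168.90.1", "udp", 53),
    "smb_to_allowed_server": packet("192.168.90.20", "192.168.10.5", "tcp", 445),
    "smb_to_other_host": packet("192.168.90.20", "192.168.10.6", "tcp", 445),
    "ping_other_vlan": packet("192.168.90.20", "192.168.20.7", "icmp"),
    "https_to_internet": packet("192.168.90.20", "1.1.1.1", "tcp", 443),
}


def decide_all(rules: List[Rule]) -> dict:
    """Run every sample flow through a rule set; returns {name: (action, label)}."""
    return {name: evaluate(rules, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for title, rules in [("correct order", vlan90_rules()),
                         ("no internet", vlan90_rules(internet_allowed=False)),
                         ("block placed first", vlan90_rules(block_first=True))]:
        print(f"== {title}")
        for name, (action, label) in decide_all(rules).items():
            print(f"  {name:24s} {action:5s} ({label})")
```

Running it shows the three cases from Oliver's question in one table: inter-VLAN traffic lands on the RFC1918 block, the single allowed server passes, and internet access depends only on whether the trailing allow-any rule exists. The `block_first` case also explains a common symptom: once the block rule sits above the allows, even DNS to the firewall's own interface is denied, because that address is inside the RFC1918 alias.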

Quote from: Sirius1 on September 26, 2019, 01:58:03 AM
Generally, but maybe I'm more old-school, I always feel it's better to explicitly set your 'Source' as you did with the DNS Server rule. This eliminates any question of how your * wildcard might be interpreted.

I don't think that is old-school; it is good style. I tend to specify all rules as explicitly as possible. This helps with debugging.