Simple Block Rule Not Working
closedsense
Newbie, Posts: 1, Karma: 0
Simple Block Rule Not Working
on: August 01, 2024, 07:25:29 am
I have a simple OPNsense setup with all default/automatic rules. The only change is that I have set up a load balance and failover gateway. I have changed the "Default allow LAN to any" rule to use this gateway.
At the very top of the LAN interface, I have made a block rule for testing. I want to block everyone on the LAN from accessing a specific IP and port.
I have set the following:
Action : Block
Quick: ticked
Interface: LAN
Direction: in
TCP/IP: IPv4
Protocol: TCP
Source: any
Destination: Internal IP/32
Destination port range from/to: (other) PORT
Gateway: default
I have put this rule at the very top. I have reset the states also. But I can still access the IP:Port from the browser from any device connected to LAN.
Any help would be appreciated.
Monviech (Cedrik)
Global Moderator, Hero Member, Posts: 1599, Karma: 176
Re: Simple Block Rule Not Working
Reply #1 on: August 01, 2024, 08:48:01 am
Every device in the same layer 2 network (switching), in this case your LAN, can resolve the IP addresses of all other devices in the same network via ARP and MAC address resolution, and then communicate directly.
The OPNsense acts on layer 3 (routing), which means that as long as traffic is not routed through it to traverse to a different network, it cannot see or block that traffic.
Hardware: DEC740
pankaj
Full Member, Posts: 117, Karma: 5
Re: Simple Block Rule Not Working
Reply #2 on: August 03, 2024, 07:01:30 pm
OPNsense cannot block devices on the same subnet from communicating with each other. So even if you set a rule that 192.168.1.1 cannot access 192.168.1.2, the rule is useless because the traffic will never make it to OPNsense; the packets from 192.168.1.1 would automatically be forwarded to 192.168.1.2.
This also brings up a good point: if you have all untagged ports on your network, then technically you can create a rule that 192.168.1.1 cannot access 192.168.2.1. But this rule can be easily circumvented if the machine (192.168.1.1) manually assigns itself the 192.168.2.2 address, and then it will be able to access 192.168.2.1.
If you are trying to create logical separation of subnets such as LAN, IoT, Guest WiFi etc., then you need to look into VLANs.
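A small check of the point made in both replies: a LAN "in" rule whose destination lies inside the LAN subnet never sees traffic between LAN hosts, and without VLANs a cross-subnet rule only holds as long as hosts keep their assigned addresses. This is an added example, not OPNsense code or anything posted in the thread; the subnets and addresses are constructed, with 192.168.1.50/32 standing in for the poster's "Internal IP/32".

```python
"""Classify whether an OPNsense-style LAN 'in' block rule (source any) can
ever see the traffic it targets. Added example, not OPNsense code; all
subnets and addresses below are constructed."""
import ipaddress
from typing import Tuple

def is_on_link(src: str, dst: str, subnet: str) -> bool:
    """True when src and dst share `subnet`: the client resolves dst via ARP
    and talks to it directly, so the packet never reaches the firewall."""
    net = ipaddress.ip_network(subnet, strict=False)
    return (ipaddress.ip_address(src) in net
            and ipaddress.ip_address(dst) in net)

def evaluate_rule(lan_subnet: str, destination: str,
                  vlans_in_use: bool) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: 'never' (destination is inside the
    LAN subnet, traffic stays at layer 2), 'partial' (destination straddles
    the LAN subnet), 'routed-bypassable' (routed, but no VLAN separation) or
    'routed' (the firewall is in the path and enforces the rule)."""
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    dst = ipaddress.ip_network(destination, strict=False)
    if dst.subnet_of(lan):
        return "never", (f"{dst} is inside {lan}; LAN hosts reach it at "
                         "layer 2 and the rule is never consulted")
    if dst.overlaps(lan):
        return "partial", (f"{dst} overlaps {lan}; only the part outside "
                           "the LAN subnet is routed through the firewall")
    if not vlans_in_use:
        return "routed-bypassable", (
            f"{dst} is routed, but on untagged switch ports the rule only "
            "holds while hosts keep their assigned addresses; use VLANs")
    return "routed", f"{dst} is reached via the firewall; the rule applies"

if __name__ == "__main__":
    LAN = "192.168.1.0/24"  # constructed LAN subnet
    # Constructed cases: the poster's rule, then a cross-subnet rule with and
    # without VLAN separation.
    for dest, vlans in [("192.168.1.50/32", False), ("192.168.2.1/32", False),
                        ("192.168.2.1/32", True)]:
        verdict, why = evaluate_rule(LAN, dest, vlans)
        print(f"{dest:<18} -> {verdict:<18} {why}")
    print("192.168.1.10 -> 192.168.1.50 on-link:",
          is_on_link("192.168.1.10", "192.168.1.50", LAN))
```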