Need help understanding VLAN rules

[jcdick1]

My network has four VLANs, each represented by an interface on my OPNsense host - WAN, LAN, management (MGMT) and IoT - each with their own IP subnet.  The MGMT VLAN is for SNMP traffic, VM movement, accessing iLO/DRAC, etc.

My goal is to restrict anything originating from within MGMT or IoT VLANs from getting out, but to allow only my LAN-based hosts to initiate sessions with devices on the MGMT and IoT VLANs.

I have the default "LAN to anywhere" rules, but that doesn't seem to allow me to get into the management VLAN from my LAN-connected host.  And so I'm sure I'm just confused as to where I would put the rules for accessing the other VLANs from the LAN VLAN.  Would that be on the MGMT and IoT interfaces, or the LAN interface?  I've tried putting in rules for allowing traffic from LAN to MGMT (using both "in" and "out") on the MGMT interface, but I still can't ping or access any hosts.

Or is this a routing issue?  I was under the impression that OPNsense automatically knew routing between its own interfaces.

Might anyone be able to point me to something up to date on managing inter-VLAN traffic?  I've looked at a few blogs and such, but they seem to be for much older versions and the interface and rule management have changed over time.

Thanks!

[errored out]

Do you have any screencaptures of your rules /  network layout?  Trying to figure out what your trying to accomplish but confusing for me.

[Greelan]

The default LAN rule should work to give LAN hosts access to the MGMT VLAN. Are you perhaps blocking private networks on the MGMT interface (check the settings for that interface)?

Otherwise could be a switch issue.

[Vilhonator]

What I would do for diagnostics is following:

First make sure that if your switch has the feature, it allows access to it's Webgui from right VLAN (some manufacturers like Zyxel allow you to restrict management access to specific VLAN.

Also if you run opnsense on custom build PC or virtual machine, make sure it's ethernet ports support IEE 802.1q (also known VLAN tagging). Opnsense vlan relies on VLAN tags and without that support, it doesn't work properly.

Lastly make sure that your switch has at least 1 port set as TRUNK port for each vlan and those ports which are connected to opnsense, are set to Tagged mode. Only ports used to connect clients should be set to untagged mode.

After that I would create "Allow all" rule with exception to WAN and Loopback for each physical and VLAN interface (LAN, OPT1 and OPT2 as well as VLAN interfaces), check that all networks get IP from DHCP (if enabled) and see if ping gets through on each network to all networks (so ping LAN while being connected to Management VLAN etc.)

If they do get IP from DHCP and are able to ping each other, then issue is on firewall rule settings. Skip to rule adjustment.

If they do get IP, but are only able to ping devices connected to same network, then you need to check routes.

Each different network needs route to be able to communicate and it is possible, that your switch is trying to route traffic to itself.

You can create routes on firewall and for that, it is best to use same IP space for all networks (most common is 192.168.0.0/16). If you are using same IP space for all networks, then you only need to add LAN to gateways and add static route:

Route destination is 192.168.0.0/16 and gateway is 192.168.1.1 <--- with that route, you can set vlans with IP ranges like 192.168.10.0/24, 192.168.20.0/24 and so on, pretty much anything between 192.168.0.0 and 192.168.255.0 with subnet mask 255.255.255.0

Save those and test again, if it works all is good and you can setup rules to you own liking.

Rule adjustment:

In opnsense rule order matters (by default you should put block and reject rules ABOVE allow rules) and for most cases, you need to change only ACTION, SOURCE, DESTINATION and DESTINATION PORT sections on the firewall rules, direction should be in on all rules below.

For blocking internet connection on management VLAN, don't create allow all rule for it (by default opnsense like all firewalls block all connections which aren't specified)

For allowing only LAN network to access management, create rule on Management VLAN which allows all traffic (or HTTP, HTTPs and SSH) from LAN net as source and management VLAN NET as destination.

https://www.youtube.com/watch?v=kYFNa_zpeII&t=0s is great guide how to setup firewall rules.

[jcdick1]

First make sure that if your switch has the feature, it allows access to it's Webgui from right VLAN (some manufacturers like Zyxel allow you to restrict management access to specific VLAN.

I have four VLANs configured on my OPNsense router, each with a distinct NIC

10 (LAN, 192.168.0.0/24)
100 (WAN, IP from ISP)
200 (MGMT, 10.10.20.0/24)
300 (IoT, 10.10.10.0/24)

10 is the PCs, tablets, media devices, etc
100 allows the OPNsense VM to move from VM host to VM host while maintaining connection to the world.
200 is iLOs, SNMP and netdata traffic, VM movement
300 is smart home stuff - cameras, etc.

VLAN 200 and 300 have a DHCP server configured with IPv4 reservations, but each host has its corresponding IP configured as static.  VLAN 10 has dynamic DHCP assignments.

My LAN interface has the default "Allow LAN to Any" rules for IPv4 and IPv6.
There are currently no rules on the MGMT interface, because I couldn't get any to work, so I have it back to how it was at initial installation and configuration.

Also if you run opnsense on custom build PC or virtual machine, make sure it's ethernet ports support IEE 802.1q (also known VLAN tagging). Opnsense vlan relies on VLAN tags and without that support, it doesn't work properly.

I was under the impression that VLAN tagging shouldn't be necessary if each VLAN is on a distinct interface, as the switch is configured for the corresponding port to be a member of the VLAN and all traffic on that port is assumed to be for that VLAN.

I was also under the impression that OPNsense is aware of its various VLANs, and configuring specific routing isn't necessary between them.

My goal is to prevent anything coming in from WAN from getting to IoT or MGMT, or anything from IoT and MGMT from getting out to WAN and LAN (initiating a session that direction) but LAN able to get to MGMT and IoT.

[Greelan]

Tbh, this sounds more like a VM issue rather than an OPNsense issue. Unfortunately I run OPNsense on bare metal so can’t help troubleshoot your setup.

Also gotta say that I find it odd that WAN is set up as a VLAN…

[Vilhonator]

I have four VLANs configured on my OPNsense router, each with a distinct NIC

10 (LAN, 192.168.0.0/24)
100 (WAN, IP from ISP)
200 (MGMT, 10.10.20.0/24)
300 (IoT, 10.10.10.0/24)

10 is the PCs, tablets, media devices, etc
100 allows the OPNsense VM to move from VM host to VM host while maintaining connection to the world.
200 is iLOs, SNMP and netdata traffic, VM movement
300 is smart home stuff - cameras, etc.

Based on my knowledge, you need to create static routes.

If the physical interfaces of VLANs 200 and 300 have IPs 10.10.20.1/24 and 10.10.10.1/24 then you need to create static route of 10.0.0.1/8 to either 10.10.10.1 or 10.10.20.1

Basically you need to specify a gateway which both VLANs are using as gateway to point traffic towards different networks

Reason why you won't be able to gain access to VLANs from LAN is because VLANs are both in differnet IP space

[jcdick1]

Also gotta say that I find it odd that WAN is set up as a VLAN…

I'm not sure how else I would set up having four physical ports on the switch involved to provide connectivity between the router and the ISP.  I have three physical hypervisor hosts, each with a NIC in the VLAN, allowing me to migrate the OPNsense VM between them without losing connectivity to the ISP.

[jcdick1]

Based on my knowledge, you need to create static routes.

If the physical interfaces of VLANs 200 and 300 have IPs 10.10.20.1/24 and 10.10.10.1/24 then you need to create static route of 10.0.0.1/8 to either 10.10.10.1 or 10.10.20.1

Basically you need to specify a gateway which both VLANs are using as gateway to point traffic towards different networks

Reason why you won't be able to gain access to VLANs from LAN is because VLANs are both in differnet IP space

Okay, so I was mistaken that OPNsense just inherently "knows" routes between its interfaces, regardless of IP subnets used.  I will look at setting up routes.

Thanks!

[Greelan]

If the VLANs are created in OPNsense it should work no problem. On my bare metal OPNsense I use two NICs and have four VLANs plus LAN, and have never had to manually specify routes. Maybe a config issue with the VM in your case?

[jcdick1]

If the VLANs are created in OPNsense it should work no problem. On my bare metal OPNsense I use two NICs and have four VLANs plus LAN, and have never had to manually specify routes. Maybe a config issue with the VM in your case?

That's what I was thinking.  I was under the impression that regardless of IP space used, if I put a known IP into a browser or SSH client or whatever on a device connected on VLAN 1, it would know "Oh, I have that IP space on Interface 2!  I'll send that over there" and I get a connection.

I went through, and I realized I didn't have VLAN interfaces configured under "Interfaces->Other->VLAN" but I didn't think tagging was necessary if the interfaces are physically distinct, and the switch ports are configured for all traffic on each of the ports to be for the appropriate VLAN.