Question on "This Firewall"
Topic: Question on "This Firewall" (Read 1614 times)

AegeanDad (Newbie, Posts: 6, Karma: 0)
Question on "This Firewall" (on: March 04, 2022, 08:24:16 pm)
I have a four-port OPNsense box: two WANs and two LANs. LAN1 should access everything; LAN2 should only access LAN2 and both WANs, but not LAN1.
LAN2 interface has the following rules:
1. Allow all inbound if destination is NOT "This Firewall" (meant to allow WAN traffic)
2. Allow all inbound if destination is LAN2
Yet, a PC attached to the LAN2 port can ping another PC attached to LAN1. Why is that?

jp0469 (Jr. Member, Posts: 60, Karma: 8)
Re: Question on "This Firewall" (Reply #1 on: March 07, 2022, 02:53:43 pm)
"This Firewall" represents all IP addresses assigned to OPNsense. This would typically include localhost and the x.x.x.1 address for each LAN/VLAN. Based on this, LAN2 to LAN1 traffic is being allowed by your rule #1 because LAN1 falls in the scope of NOT "This Firewall". Also, your rule #2 does nothing because traffic within the same subnet does not even pass through the firewall for evaluation.
A better way to achieve your goal is with a single rule. First, create an alias that consists of all the RFC1918 private IP ranges (10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16). Call this "RFC1918" or whatever you like. Next on LAN2, create a rule that allows all access to NOT "RFC1918". This gives LAN2 internet (WAN) access but will not allow traffic to any other LANs.
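The following is an added illustration, not code from the original thread or from OPNsense: a toy first-match evaluator that runs a LAN2 host's traffic through both rule sets discussed above (the poster's two rules and jp0469's single NOT "RFC1918" rule). All addressing is constructed for the example (LAN1 = 192.168.1.0/24, LAN2 = 192.168.2.0/24, gateway .1 on each, WAN addresses from the RFC 5737 documentation ranges), as is the assumption that OPNsense evaluates rules first-match with an implicit default deny. Besides reproducing the LAN2-to-LAN1 leak and the fix, the model also evaluates a destination the thread does not spell out: the firewall's own LAN2 address, which is RFC 1918 space and therefore falls to default deny under the single-rule approach, so any service LAN2 hosts need from OPNsense itself (DNS resolved by the firewall, for instance) would need its own pass rule.

```python
"""Toy first-match evaluator for the two LAN2 rule sets discussed in this thread.

Added illustration, not OPNsense code.  The addressing below is constructed:
LAN1 = 192.168.1.0/24, LAN2 = 192.168.2.0/24, gateway .1 on each, and WAN
addresses taken from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Sequence, Tuple, Union

Target = Union[IPv4Address, IPv4Network]

# Assumed interface networks (not stated in the original post).
LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")
CONNECTED = [LAN1, LAN2]

# "This Firewall": every address assigned to OPNsense itself (constructed values).
THIS_FIREWALL: Sequence[Target] = [
    ip_address("127.0.0.1"),
    ip_address("192.168.1.1"),    # LAN1 gateway
    ip_address("192.168.2.1"),    # LAN2 gateway
    ip_address("203.0.113.10"),   # WAN1
    ip_address("198.51.100.10"),  # WAN2
]

# The alias jp0469 proposes: all RFC 1918 space.
RFC1918: Sequence[Target] = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "pass" or "block"
    dst: Sequence[Target]    # destination addresses/networks (an alias or a single entry)
    invert: bool = False     # models the destination "invert" (NOT) checkbox

    def matches(self, dst: IPv4Address) -> bool:
        hit = any(dst == t if isinstance(t, IPv4Address) else dst in t for t in self.dst)
        return hit != self.invert


def _in_same_connected_net(src: IPv4Address, dst: IPv4Address) -> bool:
    return any(src in net and dst in net for net in CONNECTED)


def decide(rules: Sequence[Rule], src: IPv4Address, dst: IPv4Address) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet from src to dst arriving on LAN2.

    Traffic between two hosts on the same directly connected subnet is switched
    at layer 2 and never reaches the firewall, unless it is addressed to the
    firewall itself.  Everything else is matched first-match (assumed here, as
    OPNsense rules are 'quick' by default) with an implicit default deny.
    """
    if dst not in THIS_FIREWALL and _in_same_connected_net(src, dst):
        return "not evaluated", "same subnet, never reaches the firewall"
    for rule in rules:
        if rule.matches(dst):
            return rule.action, rule.name
    return "block", "default deny"


# The poster's original two LAN2 rules.
ORIGINAL_RULES = [
    Rule("rule 1: pass to NOT This Firewall", "pass", THIS_FIREWALL, invert=True),
    Rule("rule 2: pass to LAN2 net", "pass", [LAN2]),
]

# jp0469's single-rule replacement.
SUGGESTED_RULES = [
    Rule("pass to NOT RFC1918", "pass", RFC1918, invert=True),
]

LAN2_HOST = ip_address("192.168.2.50")           # constructed source on LAN2
DESTINATIONS: Dict[str, IPv4Address] = {         # constructed destinations
    "LAN1 host": ip_address("192.168.1.50"),
    "LAN2 host": ip_address("192.168.2.60"),
    "LAN2 gateway (firewall)": ip_address("192.168.2.1"),
    "internet host": ip_address("192.0.2.80"),
}


def compare() -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Verdict of both rule sets for each destination, keyed by destination label."""
    return {
        label: {
            "original": decide(ORIGINAL_RULES, LAN2_HOST, dst),
            "suggested": decide(SUGGESTED_RULES, LAN2_HOST, dst),
        }
        for label, dst in DESTINATIONS.items()
    }


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:24s} original={verdicts['original']}  suggested={verdicts['suggested']}")
```

Running the block shows the LAN1 host passing under "rule 1" of the original set (it is simply not one of the firewall's own addresses), the same-subnet LAN2 host never being evaluated at all, and the single RFC1918 rule blocking LAN1 while still passing the internet destination.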