General rule of thumb when creating rules

Started by morik_opnsense, December 01, 2022, 03:16:00 AM

December 01, 2022, 03:16:00 AM Last Edit: December 01, 2022, 03:18:12 AM by morik_opnsense
Hello experts,

After Google searching here + reddit, I wanted to distill best practice when creating new firewall rules for new interfaces. Of course, this doesn't fit every use-case; however, I wanted to understand if the general direction seems right. A penny for your thoughts?

Background:

  • VLANs implemented @ switch-level
  • All inter-VLAN traffic from switch must be routed to OpnSense (for visibility and rule enforcement)
  • Provisioning of rules is not done at "interface" level.

    • Instead it is done at VLAN-level.
    • VLANs are then assigned to interfaces. In my case, 3 ports on firewall are LACP'ed together.
    • This LAGG'ed interface is not "enabled" in configuration i.e. only L2 processing occurs.
    • Each VLAN is then assigned to this LAGG'ed interface.
    • Each VLAN has its firewall rules.
    This makes for an easier migration to a better HW platform.

Thumb Rules:

  • If inter-VLAN routing across multiple VLANs is required, best to create floating rules e.g. if VLAN1,2,3 need access to each other, at specific ports, but not to VLAN 4,5,6 then group VLANs, create floating rules @ group level along with source/dest addr/port filters
  • If required, create RFC1908 inversion rule to allow external access (e.g. port 22, 80, 443 etc.) to outside
  • If required, handling of NTP and DNS ports. Make this rule "not immediate". I've learnt that IoT devices are particularly nasty in ignoring NTP and DNS settings set via signalling or external means. For this, NAT re-direction is also required in addition
  • Each interface/VLAN then has its own set of rules specific to that interface/VLAN

I read somewhere that the first rule should always be to allow traffic into that interface's address. But, I'm unable to ascertain whether that is a good idea.

Attached is a sample config for my IoT VLAN.
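As an added illustration (not from the post and not an OPNsense-generated ruleset), the ordering described in the thumb rules rendered in pf syntax, which is what OPNsense compiles its rules into; interface names, VLAN numbers and address ranges are assumptions:

```pf
# Constructed example in pf syntax. Interface names (vlan10..vlan40 on the
# LAGG), the IoT VLAN being vlan40 and all addresses are assumptions.
all_vlans    = "{ vlan10 vlan20 vlan30 vlan40 }"
trusted_ifs  = "{ vlan10 vlan20 vlan30 }"                # VLANs 1-3 in the post
trusted_nets = "{ vlan10:network vlan20:network vlan30:network }"
rfc1918      = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"
fw_iot       = "192.168.40.1"                            # firewall address on the IoT VLAN

# Default deny on every VLAN. Non-quick, so any later "pass ... quick" wins.
block in on $all_vlans

# NAT redirection: IoT devices that ignore the advertised DNS/NTP servers are
# sent to the firewall's own resolver/NTP service regardless of destination.
rdr on vlan40 inet proto { tcp udp } from vlan40:network to any port { 53 123 } -> $fw_iot

# Allow the VLAN to reach the firewall's own address for DNS/NTP. After rdr the
# destination is already rewritten, so this rule matches the redirected packet.
pass in quick on vlan40 inet proto { tcp udp } from vlan40:network to $fw_iot port { 53 123 }

# "RFC1918 inversion": IoT may go outside on web ports but never to a private range.
block in quick on vlan40 inet from vlan40:network to $rfc1918
pass in quick on vlan40 inet proto tcp from vlan40:network to any port { 80 443 }

# Floating-style group rule: the trusted VLANs reach each other on SSH/HTTPS only;
# nothing here lets them talk to the IoT VLAN, so that traffic hits the default deny.
pass in quick on $trusted_ifs inet proto tcp from $trusted_nets to $trusted_nets port { 22 443 }
```

In the GUI these map to a VLAN interface group with floating rules for the trusted VLANs, a port-forward (NAT redirect) on the IoT VLAN for 53/123, and per-VLAN rules for the rest.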