Block all rule on "in" still allows access from other VLAN. What can be wrong ?

waldorf · August 28, 2024, 05:21:56 PM

I am quite new to OPNsense, probably overlooking something.

I have a VLAN for which I defined an interface with DHCP server 192.168.3.x
For this interface I defined a "block all rule" direction IN (there are no other rules)

I still am able to ping a device on the 3.x network from another VLAN, what can be wrong ?

doktornotor · August 28, 2024, 05:56:45 PM

Because pinging 192.168.3.x from 192.168.3 traffic never hits your firewall. It's handled by the switch on L2.

As for VLANs, you cannot emulate L2 managed switch with OPNsense.

dseven · August 29, 2024, 01:13:48 PM

Quote from: waldorf on August 28, 2024, 05:21:56 PM
For this interface I defined a "block all rule" direction IN (there are no other rules)

I still am able to ping a device on the 3.x network from another VLAN, what can be wrong ?

"In" means that the "connection" arrived at the firewall through this interface. In the case of your ping, it would have arrived at the firewall through some other interface (the other VLAN), so the rule you created would not apply.

waldorf · August 29, 2024, 08:24:04 PM

It was indeed my dumb OPNsense beginner mistake. Interpreted the rule in the opposite direction. Now it's working as expected. @doktornotor the ping was from a different VLAN (192.168.5.x) which was maybe not clear enough mentioned. Both thanks for your support :)

Block all rule on "in" still allows access from other VLAN. What can be wrong ?

waldorf

August 28, 2024, 05:21:56 PM

doktornotor

August 28, 2024, 05:56:45 PM #1 Last Edit: August 28, 2024, 06:00:15 PM by doktornotor

dseven

August 29, 2024, 01:13:48 PM #2

waldorf

August 29, 2024, 08:24:04 PM #3