How can I block access to all VLANs with 1 or 2 firewall rules ?

Started by Spiky_Gladiator, August 17, 2024, 08:27:42 PM

Hi,

I have quite a lot of VLANs in my setup and am starting to have difficulty managing firewall rules to block each VLAN individually, one by one, using the block option. To make things easier to manage, I created a Network Group alias and selected all of my VLANs in it, then I used the said alias in the block rule to block access to all the VLANs. That seems to work great, with the exception that I can't exclude the current VLAN that the rule runs on, so what ended up happening was that I couldn't get an IP from DHCP, as the rule was blocking the currently used VLAN. I tried using inverted rules, but they don't exclude any VLANs from the alias list as far as I know.

Is there any way to block access to all of the VLANs I created, with the exclusion of the currently used one that the rule resides in, using 1 or a maximum of 2 firewall rules?

Thanks

I have a network group named "Restricted" for all VLANs that are, well, restricted, in the sense that they are allowed to access the Internet but not each other.

I attached a screenshot of the "Restricted" rule set. Net4_Local and Net6_Local contain all the locally attached VLANs, probably very similar to your setup.

I am a bit lazy in the sense that while I pride myself on running dual stack @home and @work, I only provide DNS, NTP, SMTP over IPv4. Hence the structure of the rules you see in the attachment.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 17, 2024, 09:47:11 PM
I have a network group named "Restricted" for all VLANs that are, well, restricted, in the sense that they are allowed to access the Internet but not each other.

I attached a screenshot of the "Restricted" rule set. Net4_Local and Net6_Local contain all the locally attached VLANs, probably very similar to your setup.

I am a bit lazy in the sense that while I pride myself on running dual stack @home and @work, I only provide DNS, NTP, SMTP over IPv4. Hence the structure of the rules you see in the attachment.

HTH,
Patrick

Since that setup contains all the VLANs on your setup, wouldn't Net4_Local and Net6_Local block the VLAN that the rule is being run on, therefore blocking itself from receiving an IP from the DHCP server? That's the issue that I came across when I used aliases.

Quote from: Spiky_Gladiator on August 18, 2024, 12:35:23 PM
Since that setup contains all the VLANs on your setup, wouldn't Net4_Local and Net6_Local block the VLAN that the rule is being run on, therefore blocking itself from receiving an IP from the DHCP server?

There are automatically generated rules to explicitly allow DHCP.

@dseven discussion has moved to this thread for ... reasons:

https://forum.opnsense.org/index.php?topic=42422.0
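A first-match model of the per-VLAN rule set Patrick describes, written as an added example for this thread; it is neither OPNsense code nor the poster's actual rules. It assumes three constructed VLANs (10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24), that the firewall's own address on each VLAN is the first host, and a simplified shape for the automatically generated DHCP rule (UDP, source port 68, destination port 67). The alias `NET4_LOCAL` deliberately contains the interface's own network, as in the question; the point is that the auto DHCP rule and the service rules sit ahead of the block rule, so the VLAN still gets its leases and its DNS/NTP/SMTP while cross-VLAN traffic is dropped and Internet traffic passes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed VLAN plan for the example (assumed; not the thread author's networks).
VLANS = {
    "vlan10": ip_network("10.0.10.0/24"),
    "vlan20": ip_network("10.0.20.0/24"),
    "vlan30": ip_network("10.0.30.0/24"),
}
# Alias holding every locally attached VLAN, the role Net4_Local plays in the thread.
# Note it also contains the network of whichever interface the rule set runs on.
NET4_LOCAL = list(VLANS.values())
# Assumed: the firewall's own address on each VLAN is the first host of the subnet.
FW_ADDR = {name: net[1] for name, net in VLANS.items()}


@dataclass
class Packet:
    iface: str   # interface the packet arrives on
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dst: Optional[list] = None    # list of networks; None matches any destination
    dports: Optional[set] = None  # None matches any destination port
    sport: Optional[int] = None   # None matches any source port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.dst is not None and not any(ip_address(p.dst) in n for n in self.dst):
            return False
        return True


def ruleset_for(iface: str) -> list:
    """Per-VLAN rules in evaluation order; first match wins, like 'quick' rules in OPNsense."""
    fw_self = [ip_network(str(FW_ADDR[iface]))]
    return [
        # 1. Shape assumed for the rule OPNsense generates when DHCP is enabled on the interface.
        Rule("pass", proto="udp", sport=68, dports={67}, note="auto DHCP"),
        # 2. Services the firewall itself offers this VLAN (DNS, NTP, SMTP over IPv4, as in the thread).
        Rule("pass", proto="udp", dst=fw_self, dports={53, 123}, note="fw services udp"),
        Rule("pass", proto="tcp", dst=fw_self, dports={53, 25}, note="fw services tcp"),
        # 3. One block rule using the alias, which also contains this VLAN's own network.
        Rule("block", dst=NET4_LOCAL, note="block Net4_Local"),
        # 4. Anything not local (the Internet) is allowed.
        Rule("pass", note="allow Internet"),
    ]


def evaluate(p: Packet) -> tuple:
    """Return (action, note) of the first matching rule, or the implicit default deny."""
    for rule in ruleset_for(p.iface):
        if rule.matches(p):
            return rule.action, rule.note
    return "block", "implicit default deny"


if __name__ == "__main__":
    samples = [
        Packet("vlan10", "udp", "0.0.0.0", 68, "255.255.255.255", 67),   # DHCP DISCOVER
        Packet("vlan10", "udp", "10.0.10.50", 40000, "10.0.10.1", 53),    # DNS to own gateway
        Packet("vlan10", "tcp", "10.0.10.50", 40001, "10.0.20.5", 22),    # SSH to another VLAN
        Packet("vlan10", "tcp", "10.0.10.50", 40002, "203.0.113.10", 443),  # Internet (TEST-NET-3)
    ]
    for pkt in samples:
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  =>  {evaluate(pkt)}")
```

Because evaluation stops at the first match, the order is what makes the single alias-based block rule safe: moving the block rule above the DHCP or service rules in this model reproduces exactly the "no lease from DHCP" symptom from the opening post.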