Help Needed to Block VLAN Access to Main Network and Gateway on OPNsense

Started by hr3078, May 17, 2024, 09:54:36 PM

Hello OPNsense Community,

I am new here and only learning the basics so far. I am seeking help with configuring my OPNsense firewall to block access from a specific VLAN (IoT devices) to my main network and gateway. Below is a detailed description of my setup and the steps I've taken so far.

Network Setup:

- Main Router (Default Gateway): 192.168.0.1
- Firewall (OPNsense): 192.168.1.1
- VLANs:
    - VLAN10 (Roaming): 10.0.10.0/24
    - VLAN20 (Services): 10.0.20.0/24
    - VLAN30 (IoT): 10.0.30.0/24
- Devices:
    - IoT devices are connected to VLAN30 via a wireless access point.

Goals:

- Block IoT devices (VLAN30) from accessing the main network (192.168.0.0/24).
- Block IoT devices from accessing the default gateway (192.168.0.1).
- Allow IoT devices to access the internet.

Steps Taken:

1.  VLAN Configuration:
   
    - VLANs are configured on a managed switch with the following setup:
        - Ports 2-3: VLAN10 (Untagged)
        - Ports 4-5: VLAN20 (Untagged)
        - Ports 6-7: VLAN30 (Untagged)
        - Port 1: Trunk (Tagged for VLAN10, VLAN20, VLAN30)
2.  Firewall Rules:
   
    - VLAN30 Interface:
        - Block rule for `Source: 10.0.30.0/24` to `Destination: 192.168.0.0/24`.
        - Block rule for `Source: 10.0.30.0/24` to `Destination: 192.168.0.1`.
        - Allow rule for `Source: 10.0.30.0/24` to `Destination: any` (for internet access).
    - LAN Interface:
        - Added corresponding block rules for traffic originating from VLAN30.
3.  NAT Configuration:
   
    - Using automatic outbound NAT rule generation.
4.  State Table Reset:
   
    - Reset the state table after applying firewall rules.

Observations:

- Despite the block rules, IoT devices on VLAN30 can still ping and access the main network (192.168.0.0/24) and the default gateway (192.168.0.1).

Why Not Using Bridge Mode:

- I chose not to convert the ISP router to bridge mode to avoid disruptions with internet connectivity. Since I share the internet with my flatmate, maintaining stability and minimizing downtime was a priority. Changing the ISP router to bridge mode could have caused interruptions, and therefore, I opted to configure the network with the existing set

Firewall Rules Screenshots:
Attached the firewall rules to this post

Logs:

- Enabled logging for block rules.
- Observed logs showing that packets from 10.0.30.4 to 192.168.0.x are being blocked, yet pings are still successful.

Questions:

1.  Is there a specific order in which the rules should be placed?
2.  Could there be any missing configurations in VLAN settings or NAT rules that I'm missing?
3.  Should I configure additional settings on my wireless access point to support VLAN segregation?

I appreciate any insights or suggestions from the community to help resolve this issue. Thank you in advance for your assistance!
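On question 1 (rule order): OPNsense evaluates an interface's rules top-down and, with the default "quick" setting, the first matching rule decides. The script below is an added example, not the poster's configuration or any OPNsense code; it models that first-match evaluation over the three VLAN30 rules from the post, using a constructed IoT source (10.0.30.4, as in the logs) and constructed destinations, and also shows what happens when the "allow any" rule is placed above the block rules.

```python
# Added example: a minimal first-match rule evaluator modelling how an
# OPNsense interface rule list is walked (first matching "quick" rule wins).
# Not part of the forum post; flows below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "block" or "pass"
    src: str      # CIDR or single host
    dst: str      # CIDR, single host, or "any"
    label: str = ""


def _matches(net: str, ip: str) -> bool:
    """True if ip falls inside net ("any" matches everything)."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def evaluate(rules, src_ip, dst_ip):
    """Return (action, label) of the first rule matching src->dst; default deny if none."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action, r.label
    return "block", "default deny"


# The VLAN30 rules as described in the post, in the order they were listed.
# Note: the /32 gateway rule can never be reached here, because 192.168.0.1
# is already inside 192.168.0.0/24 and the /24 block rule sits above it.
VLAN30_RULES = [
    Rule("block", "10.0.30.0/24", "192.168.0.0/24", "block main LAN"),
    Rule("block", "10.0.30.0/24", "192.168.0.1/32", "block ISP gateway"),
    Rule("pass",  "10.0.30.0/24", "any",            "allow internet"),
]

# Same three rules with "allow any" moved to the top: a common misordering.
MISORDERED_RULES = [VLAN30_RULES[2]] + VLAN30_RULES[:2]


def verdicts(rules):
    """Constructed flows from an IoT host to the gateway, a LAN host and a public IP."""
    flows = [("10.0.30.4", "192.168.0.1"), ("10.0.30.4", "192.168.0.50"), ("10.0.30.4", "1.1.1.1")]
    return {dst: evaluate(rules, src, dst)[0] for src, dst in flows}


if __name__ == "__main__":
    for name, rules in (("listed order", VLAN30_RULES), ("allow-any first", MISORDERED_RULES)):
        print(name, verdicts(rules))
```

This only models the rule list on the interface where the traffic enters OPNsense (VLAN30); traffic that reaches 192.168.0.0/24 without passing through that interface, for example via an access point bridged to the main LAN, is never evaluated by these rules at all.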