policies, vlans, wireguard

[dirtyfreebooter]

i have a vlan, 170, that is my kid network at home. i also have a wireguard interface that used by kid devices when remote (phone, ipad).

vlan170 - 192.168.170.0/24
wg1 - 192.168.212.0/24

vlan170 is on igb3, with 2 other vlans, vlan180, vlan190

vlan180, vlan190 are under a different zenarmor policy

--

under settings, i have wg1 and igb3 (the parent device) selected. now i am trying to figure out the best way to have this Kid policy apply to both vlan170 and wg1.



doesn't seem like this would work? because it would try and apply the vlan id 170 to wg1?

[IHK]

Please be noted that all of the below criteria are matched with the **AND** logical operator. In order for a flow to match your configured policy, all of these criteria need to be matching the flow information. For instance, if you have a policy configuration specifying 10.0.0.0/24 Network, em0 interface, and “Admins” group, all of these should be matching. If a packet is seen belonging to the “Admins” group but on the ixl0 interface, this specific flow will not match this particular policy.

As another example, if you add an IP address, such as 192.168.10.11 and a MAC address, such as 8C:16:45:6C:77:BB to the policy with a name Specific_IPandMAC, then the policy will only match if a device with MAC address 8C:16:45:6C:77:BB is assigned the 192.168.10.11 IP address. When this device connects to the network using a different IP address,Specific_IPandMAC policy is not applied to its network packets.

In other words, if you specify multiple criteria for a policy, the policy is only applied to network packets that meet all of the criteria specified in the policy.

https://www.zenarmor.com/docs/opnsense/policies/configuring-policy
https://www.zenarmor.com/docs/troubleshooting/policy-and-filtering

I hope this information has been helpful for you.

[dirtyfreebooter]

this is just i guess another example of how the "3" policy limit on home networks is insane.

i am trying to have 3 policies

1. kid (vlan 170 / wg1)
2. iot / guest (vlan 180 / vlan 190)
3. default (igb1, wg0)

kids devices are on their own vlan and on a wireguard interface when remote. because of the AND matching, this is a constant struggle with 2 policies limit. 3 policy wording is such a joke. its 2 policies with the home subscription.

argh. so i guess i have to reconfiguring interfaces and devices if i somehow want to make this work given the 2 policy limits.

[Seimus]

You can create the policy based on IP/Subnets

https://www.zenarmor.com/docs/opnsense/policies/managing-policies
Let everything default (maybe specify the Interfaces) and in the IP/Subnet section define the Kids subnet & WG Subnets
 
Regards,
S.

[dirtyfreebooter]

so i would just not select any interfaces and only specify the networks?

192.168.170.0/24 # vlan 170 network
192.168.212.0/24 # wg1 network

[Seimus]

Honestly I cant remember now,

Try to specify the parent Interfaces as well and check if it works. If not remove them and have the policy without interfaces. You can always edit a policy you created.

https://www.zenarmor.com/docs/opnsense/policies/configuring-policy

Regards,
S.