Second LAN OPT2 no WAN access

[exiled350]

I am running on a mini PC with four NICs, one is WAN, the second is my main LAN, and the other two have gone unused. This has been running flawlessly for quite a few years now and I am very happy with OPNSense. The time has come to expand things and I want to create a second, totally separate LAN using one of the extra ports. I created the OPT2 interface and managed to get DHCP working with it, problem is I can't seem to access the internet from this LAN.

All the guides and posts I keep coming up with are about bridging LANs or traversing ports. This is not what I want, I want the LANs to be totally separate and no co-mingling of traffic. What am I missing here, seems like it should be simple, yet I can't quite get it to work.

[viragomann]

Did you add a pass rule to the new interface to allow internet access?

Is your outbound NAT in automatic or hybrid mode?

[EricPerl]

Only the default LAN interface gets default firewall rules enabling wide access.
Additional interfaces don't allow anything by default (apart from the automated rules).

You can clone rules from your LAN interface as desired.

[exiled350]

That was it, I think, I can now ping the outside world by IP. Name resolving seems to be not working but that's probably a configuration issue somewhere else. This is a Windows 2000 Domain for all my XP and earlier machines. Hence the reason they need to be separated from my modern stuff. Next up is kicking off all the IoT stuff on to its own LAN.

[viragomann]

To allow access to the internet you might have set any for the destination in the pass rule. However, consider that this also allows access to your other LANs.
But you probably want to block access to your secure internal devices.

It's recommended to create an RFC1918 alias for this purpose, where you add all private network ranges.
https://en.wikipedia.org/wiki/Private_network

You can use this alias then as destination in the pass rule with "invert" checked. This means, the rule is applied to any other destinations than the content of the alias, hence any non-private IPs.

But you can also add a separate block rule on the top of the interface rule set.
Consider the rule order. Rules are probed from the top to the bottom. The first matching is applied and other rules are ignored.

When using block rules for private or internal ranges or a selective pass rules also consider, that you then need to allow access to internal services if used with an extra rule. E.g. if you use the unbound on OPNsense for DNS resolution.
Best practice here is to allow this on the internal networks group or with a floating rule. Both, group rules and floating rules (Quic checked) have precedence over interface rule. So they will be applied, even if you have a block rule on top of the interface.