LAN2 Setup Docs?

Started by Ozymandias_EBON, December 12, 2024, 10:49:23 PM

Problem:
I run a personal web server behind OPNsense that is accessible via DDNS.
The server is locked down very well and I've never had a breach.... yet.
Since the server is also on my internal LAN, a breach would be very bad.
I know it's a security risk to the rest of my network and would like to add another layer of protection.

Possible solution:
OPNsense machine has 4 ports and 2 ports are unused.
My idea was to configure one of the unused ports for a second network (LAN2), with a different private IP range, that can access the internet but can't access LAN1.
I also don't want LAN2 to be able to access the management interface of OPNsense.
Here's what I did that did not work...

WAN is DHCP.
LAN1 is 192.168.1.1
Added LAN2 interface using Interfaces / Assignments and assigned a static IP address (10.10.10.1).
  I copied the settings from LAN1, changing IP address info.
Added IP range to DHCP.
  I copied the settings from LAN1, changing IP address info.
Added "Default allow LAN2 to any" firewall rule.
  I copied LAN1's rule for this.
Changed WAN firewall rule pointing web ports from LAN1 IP address to LAN2 IP address.

The result was that I was able to access the internet but incoming web traffic went nowhere.
Also, from both LAN1 and LAN2 I could ping 192.168.1.1 and 10.10.10.1.
I tried various rules and other changes and ultimately got it to where nothing was working on LAN2.
I restored from backup and started writing this post.

I'm just wondering if there is a high level document or checklist to do this.
I've searched "second network" and "segment network" and neither seemed fruitful.

Or, if I'm missing a glaring step, please let me know.

Quote from: Ozymandias_EBON on December 12, 2024, 10:49:23 PM
Changed WAN firewall rule pointing web ports from LAN1 IP address to LAN2 IP address.
You have to change the port forwarding to the new server IP.

With this, at least access to the server from the internet should work, presuming that the network is configured properly.
Is the server's network configured via DHCP?
Otherwise you also need to state the new gateway and DNS server.

For internet access, ensure that an outbound NAT rule was created for LAN2.

Quote from: viragomann on December 12, 2024, 11:29:08 PM
You have to change the port forwarding to the new server IP.

Got it.
I'll add this to my list and check the progress.
Will probably be over the weekend though.

Quote from: viragomann on December 12, 2024, 11:29:08 PM
Is the servers network configured via DHCP?

Yes.

Thank you for your reply!!


Quote
Added "Default allow LAN2 to any" firewall rule.
Hmm, you created that second network for security purposes but then allowed clients in that network to access everything...
That defeats the purpose. You might have made it a bit more difficult by adding a discovery step but it's not preventing anything.

Fixing the port forwarding should indeed fix internet -> server traffic.

Then I'd remove that default rule and watch the FW logs filtered to the LAN2 interface.
There are probably a few things the server needs to access (e.g. for its updates or get time).
You could enable just as needed based on what's blocked (best).

Or allow wide internet access (but nothing on the internal networks past the automatic rules).
That can be achieved by creating an alias that covers your private ranges and creating a rule from server (or LAN2 net) to !private-range-alias.
While your server might not be able to access LAN1 (or LAN2's gateway past the automated rules), it could still become part of a botnet if compromised.

I don't know how you manage the server (physically accessing it or from another machine on LAN1).
Both should still work with the default LAN1 rule.
This said, you indicated you locked down your server. Some rules there might be affected by the fact you'd be accessing it from another network.
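As an added illustration, not part of the thread and not OPNsense's own rule engine: a small Python model that compares the OP's "Default allow LAN2 to any" rule with the suggested "LAN2 net to !private-range-alias" rule, so you can see which destinations each one lets a LAN2 host reach. It assumes the alias holds the three RFC 1918 ranges and that the addresses used in the thread (192.168.1.0/24, 10.10.10.0/24) are the two LANs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the two LAN2 policies discussed in the thread.
# First-match evaluation with an implicit default deny, like a stateful
# firewall's interface rule set; it does not model the automatic rules.

LAN1_NET = ipaddress.ip_network("192.168.1.0/24")
LAN2_NET = ipaddress.ip_network("10.10.10.0/24")

# Assumed contents of the "private-range-alias" from the reply.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Rule:
    src: ipaddress.IPv4Network   # source network the rule matches
    dst: list                    # destination networks (the alias)
    dst_negated: bool            # True means "destination NOT in alias"
    action: str                  # "pass" or "block"


# The OP's original rule: LAN2 net to any.
ALLOW_ANY = [Rule(LAN2_NET, [ipaddress.ip_network("0.0.0.0/0")], False, "pass")]
# The suggested rule: LAN2 net to !private-range-alias.
INTERNET_ONLY = [Rule(LAN2_NET, PRIVATE_RANGES, True, "pass")]


def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first matching rule, or "block" if none match."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src not in rule.src:
            continue
        in_alias = any(dst in net for net in rule.dst)
        if in_alias != rule.dst_negated:  # a match unless negation flips it
            return rule.action
    return "block"


def leaks_to_lan1(rules, server_ip="10.10.10.50"):
    """True if a LAN2 host can reach LAN1 hosts or the firewall's LAN1 address."""
    return any(evaluate(rules, server_ip, t) == "pass"
               for t in ("192.168.1.1", "192.168.1.20"))
```

The ping result the OP saw (192.168.1.1 reachable from LAN2) is exactly what `ALLOW_ANY` produces; `INTERNET_ONLY` still passes public destinations but blocks LAN1 and the LAN2 gateway address, so anything the server legitimately needs from the firewall (DNS, for instance) has to get its own explicit rule.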