How to allow only Internet access

Started by im9h4l68, January 03, 2025, 06:13:00 PM

Hello,
my OpnSense is behind my ISP router. So the OpnSense WAN is actually the ISP router's LAN. (I use the ISP router just as a modem.) In OpnSense I've configured multiple VLANs, where each VLAN has its own subnet.

Now I want to allow all outgoing traffic from VLAN 40 to the internet. Not only http+https, but all the other stuff as well.
However I don't want to allow this VLAN to connect to other OpnSense networks.
And I'm not sure how I should create such a rule.

I can create a rule "allow from vlan40 to any: any" but this would also allow traffic from vlan40 to e.g. vlan20, which I don't want.

I already thought about the following:
Create a "group/alias/whatever" that is destination any, but exclude other opnsense networks from this, like the vlan20.
Is something like this possible? How is it called?

Or what would be the "right" approach for my intention?

Thanks!

Just add a block rule for all internal destinations to the top of the rule set.

Best to block all private networks, however. You can achieve this by creating an alias for private IP ranges. Call it RFC1918 and add all private networks to it.
Then add a block rule on VLAN40 interface and enter the alias at destination.

Consider that this will also block access to OPNsense itself, e.g. to the Unbound DNS server. If you need this you have to add an additional pass rule above the block rule to allow TCP/UDP access to port 53. Probably you also want to allow NTP access to OPNsense.

Another option (no explicit block) is to update your current allow rule destination from any to !RFC1918Alias.
Allowing access to the gateway is still required.
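The two variants in the answer above (explicit block of an RFC1918 alias, or an allow rule with destination !RFC1918Alias) both rely on first-match rule evaluation and on the DNS/NTP pass rules sitting above the block. The following is an added example, not code from the thread or from OPNsense: a small Python model of that rule evaluation that lets you check, before touching the real firewall, that VLAN40 can reach the internet and the firewall's DNS/NTP, but not VLAN20. The firewall's VLAN40 address (10.0.40.1), the VLAN20 host (10.0.20.5) and the "any/any" ruleset are constructed assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed alias mirroring the "RFC1918" alias suggested in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: OPNsense's own address on the VLAN40 interface (the VLAN gateway).
FIREWALL_IP = ipaddress.ip_network("10.0.40.1/32")


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    dst_nets: List[ipaddress.IPv4Network]  # empty list models destination "any"
    negate_dst: bool = False             # True models a "!Alias" (inverted) destination
    proto: Optional[str] = None          # None models "any" protocol
    dports: frozenset = frozenset()      # empty models "any" destination port

    def matches(self, dst: ipaddress.IPv4Address, proto: str, dport: int) -> bool:
        in_dst = any(dst in net for net in self.dst_nets) if self.dst_nets else True
        if self.negate_dst:
            in_dst = not in_dst
        if not in_dst:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dports and dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], dst: str, proto: str = "tcp", dport: int = 443) -> str:
    """First matching rule wins (rules evaluated top to bottom); no match means default deny."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(addr, proto, dport):
            return rule.action
    return "block"


# Pass rules that must sit ABOVE the block so VLAN40 can still use Unbound and NTP on the firewall.
TO_FIREWALL_SERVICES = [
    Rule("pass", [FIREWALL_IP], proto="udp", dports=frozenset({53, 123})),
    Rule("pass", [FIREWALL_IP], proto="tcp", dports=frozenset({53})),
]

# The original "allow from vlan40 to any" rule on its own: the problem the question describes.
ANY_ANY = [Rule("pass", [])]

# Variant 1: explicit block rule with the RFC1918 alias as destination, then allow everything.
VARIANT_BLOCK = TO_FIREWALL_SERVICES + [Rule("block", RFC1918), Rule("pass", [])]

# Variant 2: no block rule; the allow rule's destination is "!RFC1918" (anything not private).
VARIANT_NEGATE = TO_FIREWALL_SERVICES + [Rule("pass", RFC1918, negate_dst=True)]

# Misordered ruleset: block placed above the DNS pass rule, which silently breaks name resolution.
MISORDERED = [Rule("block", RFC1918)] + TO_FIREWALL_SERVICES + [Rule("pass", [])]


def check(rules: List[Rule]) -> dict:
    """Summarise what a ruleset does for the traffic cases discussed in the thread."""
    return {
        "internet_https": evaluate(rules, "8.8.8.8", "tcp", 443),
        "internet_other_udp": evaluate(rules, "8.8.8.8", "udp", 1194),
        "vlan20_host": evaluate(rules, "10.0.20.5", "tcp", 445),
        "firewall_dns": evaluate(rules, "10.0.40.1", "udp", 53),
        "firewall_ntp": evaluate(rules, "10.0.40.1", "udp", 123),
        "firewall_gui": evaluate(rules, "10.0.40.1", "tcp", 443),
    }


if __name__ == "__main__":
    for name, rules in (("any/any", ANY_ANY), ("block", VARIANT_BLOCK),
                        ("negate", VARIANT_NEGATE), ("misordered", MISORDERED)):
        print(name, check(rules))
```

Running it shows that "any/any" passes traffic to the VLAN20 host, both recommended variants block it while still passing internet traffic and DNS/NTP to the firewall (and, as the answer notes, the firewall's own web GUI from VLAN40 is blocked too), and that putting the block above the DNS pass rule breaks DNS for the VLAN.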

RFC1918 alias works perfectly, thanks!