Allow firewall rule between VLANs only on certain ports

Started by ammar.aljellawi, May 15, 2025, 04:34:53 PM

Hello everyone,
I have an OPNsense with several VLANs in use at my home.

VLAN20: Terminal server
VLAN30: SQL database server

I want the two VLANs to be able to communicate with each other only via certain ports (port 1433 and 53).

All other connections between the two VLANs should be completely blocked.

My question:

How do I create the firewall rules correctly?

Do I have to work with "in" or "out" rules?

Or should I create rules with "in" or "out" direction on both VLAN interfaces?

What is the recommended procedure to allow traffic on both sides only on port 1433 and 53?

Translated with DeepL.com (free version)

53 is DNS
1433 is MSSQL
3389 is RDP (MS Terminal Server)

You typically want to control traffic 'in' (from the perspective of the FW) on the interface of the client.

I'll assume you have no inter-VLAN connectivity (no allow-all rule).
Just internet connectivity can be achieved with a simple rule like this first one:
(attachment: screenshot of the firewall rules, not available)
RFC1918_networks is an alias containing all ranges defined in the RFC. You at least need to include the ranges you use.

The 2nd rule allows DNS at the VLAN gateway.

To allow SQL access from the terminal server, you'd add an in rule on VLAN20:
IPv4, TCP/UDP, VLAN20 net (or just the server), *, VLAN30 net (or just the SQL server), 1433, *, *, description

Repeat for the other use cases.
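The ruleset described in this reply, written out as a pf.conf fragment so the ordering and the "in on the client interface" point are visible. This is an added example, not the poster's screenshot or the rules OPNsense generates; interface names, subnets, the gateway addresses and the SQL server address are assumed.

```pf
# Added example: pf.conf equivalent of the GUI rules described above.
# Interface names, subnets and addresses are assumptions, not from the thread.
vlan20_if  = "vlan0.20"         # terminal server VLAN (assumed name)
vlan30_if  = "vlan0.30"         # SQL database VLAN (assumed name)
vlan20_net = "192.168.20.0/24"  # assumed
vlan30_net = "192.168.30.0/24"  # assumed
vlan20_gw  = "192.168.20.1"     # OPNsense address on VLAN20 (assumed)
vlan30_gw  = "192.168.30.1"     # OPNsense address on VLAN30 (assumed)
sql_server = "192.168.30.10"    # assumed; use $vlan30_net for "VLAN30 net"

# The RFC1918_networks alias from the reply; at least the ranges you use
# must be in it, otherwise the "internet" rule also matches your other VLANs.
table <RFC1918_networks> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default deny on both VLAN interfaces (OPNsense does this implicitly).
# Without 'quick' this only applies when no later rule matches.
block in log on $vlan20_if all
block in log on $vlan30_if all

# Direction 'in' = packets arriving at the firewall from hosts on that VLAN.
# 'quick' makes the first matching rule win, which is how the GUI evaluates
# rules top to bottom. Every 'pass' is stateful, so the SQL server's replies
# to VLAN20 are matched by the state entry and need no rule on $vlan30_if.

# VLAN20, rule 1: internet only, i.e. anything not in a private range.
pass in quick on $vlan20_if inet proto { tcp udp icmp } \
    from $vlan20_net to ! <RFC1918_networks> keep state

# VLAN20, rule 2: DNS at the VLAN gateway only.
pass in quick on $vlan20_if inet proto { tcp udp } \
    from $vlan20_net to $vlan20_gw port 53 keep state

# VLAN20, rule 3: MSSQL from the terminal server VLAN to the SQL server.
pass in quick on $vlan20_if inet proto { tcp udp } \
    from $vlan20_net to $sql_server port 1433 keep state

# VLAN30 gets the same internet and DNS rules, but no rule towards VLAN20:
# connections initiated from the SQL server side stay blocked.
pass in quick on $vlan30_if inet proto { tcp udp icmp } \
    from $vlan30_net to ! <RFC1918_networks> keep state
pass in quick on $vlan30_if inet proto { tcp udp } \
    from $vlan30_net to $vlan30_gw port 53 keep state
```

Check the result with the live state and rule tables: `pfctl -sr` shows the loaded rules in evaluation order and `pfctl -ss` shows that a VLAN20-to-1433 connection creates one state entry while a connection attempt from VLAN30 towards VLAN20 creates none.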

@ammar.aljellawi: You asked the same question here already and got answers. Please do not cross-post.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+