Blocking incoming traffic at the LAN/OPT level instead of the WAN

[hiro24]

Hello everyone. I'm pretty new to opnsense, so hopefully this isn't a dumb question. But I'll try to run through my setup.

I have 2 physical NIC on which 1 is the WAN and the other has multiple VLANs. My problem is that apparently I don't know how to set up WAN to properly pass through traffic to the VLANs. For example, let's say I want to block ICMP on VLAN 5.

I can block it at the WAN and it's fine, but I don't want a massive list of incoming rules for all my VLANs on the WAN. I'd rather handle it at the VLAN level.

If I tell WAN to just pass the traffic through, even if I have a rule blocking ICMP on VLAN 5, it still goes through. As well as I can tell, this is because when the rule was matched to accept the traffic at the WAN level, it stopped caring about everything else and just let it go on through.

How do I set this up? Basically I just want WAN wide open so I can filter incoming on my VLANs as I see fit.

[elektroinside]

I have never done your setup. I'll start with saying that anything that needs to be blocked, should be blocked as fast as possible, any other design is risky and i will never recommend anything else.

Regarding your question, you should carefully follow all your fw rules, priorities and ordering. Something with higher priority is passing your packets, probably an "allow any to any" on some interfaces/vlans.

Welcome to OPNsense!

[NOYB]

If I tell WAN to just pass the traffic through, even if I have a rule blocking ICMP on VLAN 5, it still goes through. As well as I can tell, this is because when the rule was matched to accept the traffic at the WAN level, it stopped caring about everything else and just let it go on through.

Nope.  That's not how it works.  Interface firewall rules are applied on ingress.  Traffic route to VLAN is egress.  So VLAN interface rules will not be applied.

How do I set this up? Basically I just want WAN wide open so I can filter incoming on my VLANs as I see fit.

With floating rules.  They can be configured for ingress and/or egress.

I know you didn't query for opinions.  But I'm with elektroninside.  Traffic is typically best block earliest possible.

[hiro24]

If I tell WAN to just pass the traffic through, even if I have a rule blocking ICMP on VLAN 5, it still goes through. As well as I can tell, this is because when the rule was matched to accept the traffic at the WAN level, it stopped caring about everything else and just let it go on through.

Nope.  That's not how it works.  Interface firewall rules are applied on ingress.  Traffic route to VLAN is egress.  So VLAN interface rules will not be applied.

How do I set this up? Basically I just want WAN wide open so I can filter incoming on my VLANs as I see fit.

With floating rules.  They can be configured for ingress and/or egress.

I know you didn't query for opinions.  But I'm with elektroninside.  Traffic is typically best block earliest possible.

So if I'm to understand you correctly, there's no way of evaluating the VLAN rules on ingress if the traffic originated from the WAN?

[NOYB]

Not that I'm aware of.

Interface rules are only applied to ingress traffic on the interface.
Floating rules can be configured as ingress and/or egress.

WAN ingress traffic is egress on the interface it is routed to.
To evaluate traffic at the routed to interface a floating egress rule would be needed.

In most cases it is typically better to leave everything blocked at the WAN and only open/NAT the things that are needed.  Allowing the WAN to be wide open puts the router at higher risk of compromise.  Don't think you'll find this to be a very common practice for an internet facing WAN.  Certainly not a BKM.  It may seem like more work, but think a compromised router would end up being far more work and impact.

[hiro24]

Not that I'm aware of.

Interface rules are only applied to ingress traffic on the interface.
Floating rules can be configured as ingress and/or egress.

WAN ingress traffic is egress on the interface it is routed to.
To evaluate traffic at the routed to interface a floating egress rule would be needed.

In most cases it is typically better to leave everything blocked at the WAN and only open/NAT the things that are needed.  Allowing the WAN to be wide open puts the router at higher risk of compromise.  Don't think you'll find this to be a very common practice for an internet facing WAN.  Certainly not a BKM.  It may seem like more work, but think a compromised router would end up being far more work and impact.

The thing is, it's NOT an internet facing WAN. This is deeply internal and the firewall sits mostly at the center of the network. It's purpose mostly is for permitting access between various VLANs on a per need basis and further allowing in external internet IPs that have already been cleared by the edge.

I understand everyone's concern about security at the WAN level, but I cannot stress enough that this is not a problem based on the location of this firewall.

I guess conceptually what I'm needing is some sort of zoning. Like, WAN says "ok, this is good. Pass to the next zone for evaluation." Next "zone" being the destined VLAN.