basic question about how firewall rules work

Started by OPNPeta, May 23, 2025, 08:36:01 AM

May 23, 2025, 08:36:01 AM Last Edit: May 23, 2025, 10:38:26 AM by OPNPeta
Hello,

I have recently started to look into the subject of VLANs. Unfortunately, I do not understand the basic functionality of the firewall rules there.

I have the following simple standard configuration:
OPNsense v25 on a PCEngines board, interfaces are [LAN] and [WAN].
Existing firewall rules are only the automatically created rules:

[WAN] = no rules (i.e. block everything)

and

[LAN] = allow everything

I have now set up a VLAN101, interface [VLAN101], on which DHCP service is running.

I have also set up a VLAN101 on my Ubiquiti switch and assigned this ID to some network ports there.

Devices that I now connect to these switch ports are assigned a corresponding DHCP address.

There are no separate firewall rules for/under the interface or the VLAN [VLAN101], apart from the automatic rules.

The issue I don't understand by now is:
Why are devices within the VLAN101 able to ping each other?
Why can services be called up on the devices of the VLAN under their corresponding VLAN101 IP, although it says that if no firewall rule exists, everything is blocked by default until an exception is defined?

Where is my error in thinking?

Quote from: OPNPeta on May 23, 2025, 08:36:01 AM
Why are devices within the VLAN101 able to ping each other?

Because traffic within a LAN/VLAN does not pass through the firewall. Networked devices can communicate with each other with just a switch or an access point.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

See this, point 1.

However, on some Unifi switches and all APs, you can enable a feature called "Port Isolation", so that those ports can only communicate with their designated gateway. See: https://www.unihosted.com/blog/how-to-use-port-isolation-for-your-unifi-networks
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: OPNPeta on May 23, 2025, 08:36:01 AM
although it says that if no firewall rule exists, everything is blocked by default until an exception is defined.
That is true only for something connected to this firewall interface, not something connected to another interface of the firewall.
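To make the distinction in these replies concrete, here is a small Python model (added here as an illustration; it is not code from the thread or from OPNsense) of which flows a firewall like OPNsense ever gets to evaluate. It mirrors the setup in the question: LAN with an allow-everything rule, VLAN101 with no rules at all. The subnets, the assumption that the firewall holds the first host address of each subnet, the rule tuple format and the "port isolation" flag are all constructed for the example.

```python
"""Toy model of which flows an OPNsense-style firewall actually evaluates.

Constructed example (not OPNsense code): two interfaces, LAN and VLAN101,
each with a subnet and an ordered list of first-match rules. The firewall
only sees traffic that has to be routed between interfaces (or that is
addressed to the firewall itself). Frames between two hosts on the same
VLAN are forwarded by the switch and never hit any rule, unless the
switch itself enforces port isolation.
"""
import ipaddress
from dataclasses import dataclass, field

Network = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    network: Network
    # Rules are (action, src_spec, dst_spec); a spec is "any" or
    # comma-separated CIDRs. First match wins, like OPNsense "quick" rules.
    rules: list = field(default_factory=list)
    # Switch-side feature (e.g. UniFi "Port Isolation"), not a firewall rule.
    port_isolation: bool = False

    @property
    def gateway(self) -> ipaddress.IPv4Address:
        # Assumption for the model: the firewall holds the first host address.
        return self.network[1]


def matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Does the rule spec cover this address?"""
    if spec == "any":
        return True
    return any(ip in ipaddress.ip_network(cidr.strip()) for cidr in spec.split(","))


def build_example_firewall() -> dict:
    """Mirror the thread's setup: LAN allows everything, VLAN101 has no rules."""
    lan = Interface("LAN", Network("192.168.1.0/24"), rules=[("pass", "any", "any")])
    vlan101 = Interface("VLAN101", Network("192.168.101.0/24"))
    return {i.name: i for i in (lan, vlan101)}


def find_interface(ifaces: dict, ip: ipaddress.IPv4Address):
    """Interface whose subnet contains ip, or None."""
    return next((i for i in ifaces.values() if ip in i.network), None)


def classify_flow(ifaces: dict, src: str, dst: str) -> tuple:
    """Return (seen_by_firewall, verdict) for a packet from src to dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_if = find_interface(ifaces, src_ip)
    if src_if is None:
        return (False, "source not on any known interface")
    dst_if = find_interface(ifaces, dst_ip)
    if dst_if is src_if and dst_ip != src_if.gateway:
        # Same L2 segment: host -> switch -> host. No router, so no rules.
        if src_if.port_isolation:
            return (False, "dropped by switch port isolation")
        return (False, "switched within %s, firewall never sees it" % src_if.name)
    # Crosses (or targets) the firewall: evaluated on the ingress interface,
    # first match wins, implicit default deny if nothing matches.
    for action, s_spec, d_spec in src_if.rules:
        if matches(s_spec, src_ip) and matches(d_spec, dst_ip):
            return (True, "%s by %s rule" % (action, src_if.name))
    return (True, "blocked by %s default deny" % src_if.name)


if __name__ == "__main__":
    fw = build_example_firewall()
    for s, d in [("192.168.101.10", "192.168.101.20"),   # VLAN101 to VLAN101
                 ("192.168.101.10", "192.168.1.10"),     # VLAN101 to LAN
                 ("192.168.1.10", "192.168.101.10"),     # LAN to VLAN101
                 ("192.168.101.10", "192.168.101.1")]:   # VLAN101 to its gateway
        print(s, "->", d, classify_flow(fw, s, d))
```

Two things the model makes visible: the VLAN101-to-VLAN101 ping in the question never reaches the firewall at all, so the empty rule set is irrelevant to it, while anything from VLAN101 that has to be routed (to LAN, or even to the firewall's own VLAN101 address) falls through to the default deny because no rule on that interface matches. Flipping `port_isolation` on is the only way, in this model as on a real switch, to stop hosts in the same VLAN from talking to each other.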

May 23, 2025, 10:35:59 AM #4 Last Edit: May 23, 2025, 11:38:39 AM by OPNPeta
Ah okay, I see there's probably a lot of basic knowledge that I'm missing.

Sorry for my stupid question. :)

So firewall rules can only be applied among network interfaces and/or VLAN, NOT within?

@Patrick M. Hausen
I found another thread with a post of yours about preventing a VLAN from accessing a 'local RFC1918' network. Your approach there was to use a DENY all/everything rule on a restricted interface group as a firewall rule. I had successfully tried this in another situation and that is probably the reason why I was a bit confused with my current "VLAN internal firewall rule issue".

@all
Thanks for the help!

Quote from: meyergru on May 23, 2025, 10:00:16 AM
See this, point 1.

Thanks for your input with the list of essential topics. I'm a little unhappy about the fact that I'm lacking a lot of network background knowledge.

I know or am already familiar with some of the points mentioned there. So far, I have only operated OPNsense in "default mode", but as time goes on and I get more involved with network technology, I am finally starting to want to understand my network in more detail and to segment it.

So I finally want to configure a separate VLAN for home office or guest network separately from the rest.

My second current project is to integrate a Teltonika TRB500 5G gateway into my setup.

I have already found some useful articles here in the OPNsense forum. I've already tried out a few things and hopefully understood them (and implemented them correctly). :)