OPNsense Forum » English Forums » General Discussion » [SOLVED] allow all internal networks to access a single device/port
Topic: [SOLVED] allow all internal networks to access a single device/port (Read 1376 times)
tessus (Jr. Member, Posts: 67, Karma: 2)
[SOLVED] allow all internal networks to access a single device/port
« on: June 27, 2021, 01:00:48 am »
This might be an odd question and it is a bit embarrassing to ask. However, it's not so much about how to do it, but rather what the best way is to do it.
I have several VLANs and my LAN (which is the default VLAN 1). I want to give all devices from all networks access to one device and one port (pi-hole) in a specific VLAN.
I was looking into floating rules but here are a few issues:
- if I don't specify an interface, it will also include the WAN
- if I specify all interfaces manually except the WAN, I'll have to change the rule every time I create a new VLAN
- I could use 2 rules with an inverted source (WAN net, WAN address)
- create an alias for internal networks and use that for source
There are many ways to skin a cat, so I was wondering what is the most efficient way to set up such a rule?
« Last Edit: July 16, 2021, 05:27:30 pm by tessus »
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: allow all internal networks to access a single device/port
« Reply #1 on: June 27, 2021, 03:05:26 am »
Create an interface group for the relevant VLANs and specify the rule there. Then if a new VLAN is created later, simply add it to the interface group at the same time.
tessus (Jr. Member, Posts: 67, Karma: 2)
Re: allow all internal networks to access a single device/port
« Reply #2 on: June 27, 2021, 03:27:41 am »
Thanks a lot for the answer.
As mentioned in my list above, that requires modifying the rule (or the group in your case). This is not what I want.
I think the most straightforward way is to create an alias of internal networks (which is rather easy when you pick all private networks) and use that for the source and just don't specify any interfaces.
Your approach requires changing something when you add to your network. Or is this for some reason preferable to using an alias of internal networks?
KeyHand (Newbie, Posts: 20, Karma: 3)
Re: allow all internal networks to access a single device/port
« Reply #3 on: June 29, 2021, 02:40:02 pm »
An alias of internal networks is likely easier to manage, but it's really down to how granular you want to make it and how often you can tolerate changing 'something'.
E.g. you could create an alias with the network ranges of all your current VLANs. When you create a new VLAN, you'll have to add the new network to the alias (ugg, configuration management). Conversely, you could just create an alias called 'RFC_1918', add 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (assuming all your VLANs use addresses that fall in these ranges), use the alias as the source address of a floating rule to your Pi-hole, and call it a day.
Then there's the (admittedly small) risk of random devices using addresses they shouldn't and gaining access to things they shouldn't be able to access. (From the WAN this can be mitigated by setting 'Block private networks' and 'Block bogon networks' on the interface.)
In either case, I'd argue that making your configuration explicit limits the potential of unintended traffic and generally makes your OPNsense config easier to read.
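The trade-off KeyHand describes (an explicit per-VLAN alias versus a broad 'RFC_1918' alias as the source of one floating rule to the Pi-hole) can be checked against concrete addresses before touching the firewall. The following is an added example, not code from the thread or from OPNsense; it models a single "source in alias, destination Pi-hole, port 53" pass rule with Python's standard ipaddress module. The VLAN networks, the Pi-hole address and the sample client addresses are constructed values, and the rule model is a simplification (no interface, direction or state handling) that only answers "would this source be admitted by each alias".

```python
"""Compare two source-alias strategies for one floating pass rule to a Pi-hole.

Added example (not part of the forum thread or OPNsense). All networks and
addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed VLAN layout (assumption, not from the thread).
VLANS = {
    "LAN (VLAN 1)": ip_network("192.168.1.0/24"),
    "VLAN 10": ip_network("10.0.10.0/24"),
    "VLAN 20": ip_network("10.0.20.0/24"),
}

# Strategy 1: an explicit alias listing exactly the networks of the current VLANs.
# Adding a VLAN later means adding its network here (the "configuration management" step).
EXPLICIT_INTERNAL = list(VLANS.values())

# Strategy 2: the 'RFC_1918' alias from the thread: all private IPv4 space.
RFC_1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

PIHOLE = ip_address("10.0.10.53")  # constructed Pi-hole address inside VLAN 10
DNS_PORT = 53


def source_in_alias(src, alias):
    """True if the source address falls inside any network of the alias."""
    addr = ip_address(src)
    return any(addr in net for net in alias)


def rule_matches(src, dst, dport, alias):
    """Model one floating pass rule: source in alias, destination PIHOLE, port 53.

    Destination and port are fixed; only the source alias differs between the
    two strategies, so this isolates what the alias choice changes.
    """
    return (
        source_in_alias(src, alias)
        and ip_address(dst) == PIHOLE
        and dport == DNS_PORT
    )


def compare(src, dst=str(PIHOLE), dport=DNS_PORT):
    """Evaluate the same packet against both alias strategies."""
    return {
        "explicit": rule_matches(src, dst, dport, EXPLICIT_INTERNAL),
        "rfc1918": rule_matches(src, dst, dport, RFC_1918),
    }


def stray_sources(candidates):
    """Sources the RFC_1918 alias admits but the explicit alias does not.

    This is KeyHand's 'random devices using addresses they shouldn't' case: a
    host on an address outside every defined VLAN is still private space.
    """
    return [
        s for s in candidates
        if compare(s)["rfc1918"] and not compare(s)["explicit"]
    ]


if __name__ == "__main__":
    samples = ["192.168.1.20", "10.0.20.7", "10.0.30.5", "172.16.4.4", "203.0.113.9"]
    for s in samples:
        print(f"{s:>14}  {compare(s)}")
    print("admitted only by RFC_1918:", stray_sources(samples))
```

Running it shows both strategies agreeing on hosts that sit in a defined VLAN and on a public address, and disagreeing only on private addresses no VLAN owns (10.0.30.5, 172.16.4.4), which is exactly the set of "unintended traffic" the explicit alias rules out at the cost of one edit per new VLAN.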