Block off-LAN access for hosts

Started by Ted, November 17, 2021, 11:44:08 PM

I need to block off-LAN access for a few hosts. I've reviewed the forum for this - it seems to come up now and then. I've read all of the related threads, and I don't think I've missed anything. That said, the following rule does not seem to be working.

Action: Reject
Interface: LAN
Direction: In
TCP/IP Version: IPv4+IPv6
Protocol: Any
Source Address: Alias for the four host addresses
Source Port: Any
Destination Address: ! LAN net
Destination Port: Any

I'm running OPNsense 21.7.5. The only rule preceding this rule is the automatically generated anti-lockout rule.

This seems like it ought to be a simple thing, but it's not working, and I would really appreciate any help.

Thanks

November 18, 2021, 03:20:19 AM #1 Last Edit: November 18, 2021, 03:22:47 AM by pankaj
From your post it seems that you would like to stop four hosts that are on the LAN subnet from communicating with the rest of the LAN network.

If this is correct then OPNsense cannot stop the traffic between two hosts on the same subnet because this traffic is not routed via OPNsense.

Thanks for your quick response. The intent is to block four hosts behind the LAN interface from communicating with any destination that is NOT behind the LAN interface (note the !). If I'm wrong about the use of invert in setting up the rule, could you explain in more detail? Thanks.

On occasion I've had a bit of trouble with aliases. Replacing the alias with an actual IP address avoided the trouble. I tried that on the rule above (expanding one rule with an alias to four rules each with an IP address). Unfortunately, it didn't make any difference.

Some additional information: IPv6 is disabled on the firewall (Firewall | Settings | Advanced). After each rule change, I reboot OPNsense.

Next step: I know there are link local addresses on the host interfaces of the systems I'm trying to block. I will include rules to block traffic from those addresses. Not sure where to go after that.

I would really appreciate any help.

November 21, 2021, 06:19:56 AM #4 Last Edit: November 21, 2021, 06:31:42 AM by pankaj
A few pointers:

1. Change "Destination Address: ! LAN net" to "Destination Address: any" - this should block whatever is specified in the source (a host, alias or a subnet) from going anywhere outside.

2. You don't need to restart OPNsense after each rule change; it is not needed and seems excessive.

3. For the new rule enable logging (it's an option in the firewall rules UI), then open a new window, go to "Firewall > Log Files > Live View" and set a filter on "src" for one of the LAN IP addresses that you are trying to block.

4. Do something on the machine that you are trying to block and you should see log entries (in real time) with info that can point you in the right direction. If the host is not getting blocked you will see the rule that is allowing the traffic outside.

Here is a good video explaining OPNsense firewall rules:
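The log-driven check in pointers 3 and 4 above can also be done offline against an exported filter log, which is handy when several blocked hosts are involved and you want to see every rule that let one of them reach a destination outside the LAN. The following is an added example and not code from the thread or from the OPNsense project; the log lines are constructed, and the field layout it assumes (the pfSense-style filterlog CSV that OPNsense writes: rulenr, subrulenr, anchor, label, interface, reason, action, direction, ipversion, then the IPv4 or IPv6 header fields, then src, dst and the layer-4 fields) should be verified against a real entry from your own box before relying on the positions.

```python
import csv
import ipaddress
from collections import Counter

# Constructed sample log lines (not real output). Field positions follow the
# assumed filterlog CSV layout described in the lead-in; verify on your firewall.
SAMPLE_LOG = """\
Nov 21 06:20:01 fw filterlog[1234]: 65,,,9fb2a1c3d4e5,igb1,match,pass,in,4,0x0,,64,1111,0,DF,6,tcp,60,192.168.1.50,1.1.1.1,49152,443,0,S,1,,65535,,mss
Nov 21 06:20:02 fw filterlog[1234]: 70,,,a1b2c3d4e5f6,igb1,match,block,in,4,0x0,,64,1112,0,DF,17,udp,78,192.168.1.50,8.8.8.8,53000,53,58
Nov 21 06:20:03 fw filterlog[1234]: 65,,,9fb2a1c3d4e5,igb1,match,pass,in,4,0x0,,64,1113,0,DF,6,tcp,60,192.168.1.20,1.1.1.1,49153,443,0,S,1,,65535,,mss
Nov 21 06:20:04 fw filterlog[1234]: 60,,,0123456789ab,igb1,match,pass,in,4,0x0,,64,1114,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,49154,22,0,S,1,,65535,,mss
Nov 21 06:20:05 fw filterlog[1234]: 70,,,a1b2c3d4e5f6,igb1,match,block,in,4,0x0,,64,1115,0,none,1,icmp,84,192.168.1.50,9.9.9.9,request,52319,0
Nov 21 06:20:06 fw filterlog[1234]: 65,,,9fb2a1c3d4e5,igb1,match,pass,in,6,0x00,0x00000,64,tcp,6,40,fd00::50,2606:4700::1111,49155,443,0,S,1,,65535,,mss
"""

# Hypothetical alias contents and LAN network, standing in for the poster's setup.
BLOCKED_HOSTS = {"192.168.1.50", "fd00::50"}
LAN_NETS = ["192.168.1.0/24"]


def parse_filterlog_line(line):
    """Return the interesting fields of one filterlog entry, or None if not parseable."""
    if "filterlog" not in line:
        return None
    payload = line.split(": ", 1)[1]          # drop "Mon DD HH:MM:SS host filterlog[pid]"
    f = next(csv.reader([payload]))
    entry = {"rulenr": f[0], "label": f[3], "interface": f[4],
             "action": f[6], "direction": f[7], "ipver": f[8]}
    if entry["ipver"] == "4":                 # tos,ecn,ttl,id,offset,flags,protoid,protoname,len,src,dst
        proto, src, dst, l4 = f[16], f[18], f[19], f[20:]
    elif entry["ipver"] == "6":               # class,flowlabel,hlim,protoname,protoid,len,src,dst
        proto, src, dst, l4 = f[12], f[15], f[16], f[17:]
    else:
        return None
    entry.update(proto=proto, src=src, dst=dst, sport=None, dport=None)
    if proto in ("tcp", "udp") and len(l4) >= 2:
        entry["sport"], entry["dport"] = l4[0], l4[1]
    return entry


def entries_for_hosts(log_text, hosts):
    """Parsed entries whose source is one of the hosts being blocked."""
    for line in log_text.splitlines():
        e = parse_filterlog_line(line)
        if e and e["src"] in hosts:
            yield e


def rule_hits(log_text, hosts):
    """Count (action, rule number, rule label) for traffic from the hosts.

    This is the offline equivalent of filtering Live View on src: it shows at
    a glance which rules are matching, and in particular any 'pass' rule.
    """
    counts = Counter((e["action"], e["rulenr"], e["label"])
                     for e in entries_for_hosts(log_text, hosts))
    return dict(counts)


def passing_off_lan(log_text, hosts, lan_nets):
    """Entries where a blocked host was *passed* to a destination outside the LAN.

    An IPv6 destination is never inside an IPv4 LAN net (and vice versa), so
    it is reported as off-LAN, which is what the poster's intent requires.
    """
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    leaks = []
    for e in entries_for_hosts(log_text, hosts):
        if e["action"] != "pass":
            continue
        try:
            dst = ipaddress.ip_address(e["dst"])
        except ValueError:
            continue                          # malformed address, skip rather than guess
        if not any(dst in n for n in nets):
            leaks.append(e)
    return leaks


if __name__ == "__main__":
    for key, n in sorted(rule_hits(SAMPLE_LOG, BLOCKED_HOSTS).items()):
        print(f"{key[0]:5} rule {key[1]:>3} ({key[2]}): {n} hit(s)")
    for e in passing_off_lan(SAMPLE_LOG, BLOCKED_HOSTS, LAN_NETS):
        print(f"LEAK: {e['src']} -> {e['dst']}:{e['dport']} {e['proto']} "
              f"passed by rule {e['rulenr']} ({e['label']})")
```

In the sample, rule 65 passes a blocked host to 1.1.1.1:443 and (over IPv6) to 2606:4700::1111:443, so those are the rules to look at first, while the pass to 192.168.1.1:22 stays inside the LAN and is not reported. The rule label printed in each entry is the same identifier shown in Live View, which makes it easy to jump to the offending rule in the UI.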