Topic: LAN and IOT VLAN firewall rules (Read 5643 times)
meazz1
Jr. Member
Posts: 90
Karma: 1
LAN and IOT VLAN firewall rules
« on: January 18, 2022, 03:11:16 pm »
I have created a LAN and VLAN-IOT setup for my home office.
I simply want the VLAN-IOT subnet to have internet access but not LAN access.
I am not an IT person and am not sure the rules I created, with help from the OPNsense forum and the internet, are valid and protect my network.
I would appreciate any feedback.
[Screenshots attached: LAN Rules, IOT Rules, Aliases]
« Last Edit: January 18, 2022, 03:18:05 pm by meazz1 »
chemlud
Hero Member
Posts: 2481
Karma: 112
Re: LAN and IOT VLAN firewall rules
« Reply #1 on: January 18, 2022, 03:24:34 pm »
Hi!
As a starter: FW rules are evaluated from the top of the list. First match -> the rest of the rules will not be checked. So on your LAN you allow at first ANYTHING outgoing, which will always match, so all other rules will never be checked/triggered. You have to move the BLOCK RFC1918 to the top of the list to make it trigger.
To allow anything outbound is not safe at all imho, but ymmv ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
meazz1
Jr. Member
Posts: 90
Karma: 1
Re: LAN and IOT VLAN firewall rules
« Reply #2 on: January 18, 2022, 04:07:25 pm »
Thanks, I moved that to the top. How do the rest of the IOT and LAN rules look?
jp0469
Jr. Member
Posts: 60
Karma: 8
Re: LAN and IOT VLAN firewall rules
« Reply #3 on: January 18, 2022, 07:02:25 pm »
On your 1st screenshot, those rules are for the LAN interface, but you have the source as IOT net. Those rules only apply to traffic that originates from the LAN subnet with direction "in" (in means toward the firewall); therefore, that rule won't do anything.
I'm going to assume that you want LAN traffic to be allowed anywhere and IOT traffic to be allowed to the internet only. In that case, you only need a few rules. Also, since everything that is not explicitly allowed is blocked by default, always try to think in terms of using allow rules first and make them only as permissive as needed. You can always add specific block rules to the top later if needed.
So then, try this: on the LAN interface, remove that block rule and leave the other rules there. Now LAN traffic can go anywhere. (You might need a DNS allow rule depending on your DNS config.) On the IOT interface, keep your DNS rule at the top. Delete the other rules and just add a single rule below it that allows traffic to go anywhere except (inverse) the RFC1918 alias.
That should do it unless my previous assumptions were incorrect.
« Last Edit: January 18, 2022, 07:06:45 pm by jp0469 »
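The two points made so far (chemlud's first-match evaluation order, and jp0469's suggested LAN and IOT rule sets) can be checked with a small first-match rule evaluator. The following is an added example, not code from the thread or from OPNsense itself: it models only ordered interface rules with pass/block, source/destination aliases, the destination "invert" checkbox, protocol and destination port. Stateful tracking, floating rules and "quick" semantics are deliberately left out, and the subnets, alias names and host addresses are constructed placeholders rather than the poster's real configuration.

```python
"""Added example (not from the thread or the OPNsense project): a tiny
first-match evaluator to see why rule order matters and what the
suggested LAN / IOT rule sets actually permit.  All addresses are
constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (assumption: a typical home layout).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
FIREWALL_IOT_IP = ipaddress.ip_address("192.168.20.1")   # firewall's address on the IOT VLAN

# Aliases, including an equivalent of the thread's "RFC1918" alias.
ALIASES = {
    "RFC1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "LAN net": [LAN_NET],
    "IOT net": [IOT_NET],
    "IOT address": [ipaddress.ip_network(f"{FIREWALL_IOT_IP}/32")],
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # alias name
    dst: str                    # alias name
    dst_invert: bool = False    # the "invert" checkbox on the destination
    proto: str = "any"          # "any", "tcp" or "udp"
    dport: Optional[int] = None
    label: str = ""


def _in_alias(alias: str, ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in ALIASES[alias])


def evaluate(rules, src_ip, dst_ip, proto="tcp", dport=443):
    """Walk the list top-down; the first matching rule decides and nothing
    after it is consulted.  Anything not matched is denied by default."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if not _in_alias(r.src, src):
            continue
        dst_hit = _in_alias(r.dst, dst)
        if r.dst_invert:
            dst_hit = not dst_hit
        if not dst_hit:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.label
    return "block", "default deny"


# The original LAN list: the allow-anything rule sits above the block rule,
# so the block rule is shadowed and never reached.
LAN_SHADOWED = [
    Rule("pass", "LAN net", "any", label="allow anything out"),
    Rule("block", "LAN net", "RFC1918", label="block RFC1918"),
]
# Same rules with the block moved to the top, as chemlud suggested.  Note that
# it now also blocks LAN hosts from reaching the firewall's own private address
# (e.g. for DNS), which is why jp0469 suggests dropping it on LAN altogether.
LAN_REORDERED = list(reversed(LAN_SHADOWED))
LAN_FINAL = [Rule("pass", "LAN net", "any", label="allow anything out")]

# IOT list per jp0469: DNS to the firewall on top, then "anywhere except
# RFC1918", with the existing WebGUI block left at the bottom.
IOT_RULES = [
    Rule("pass", "IOT net", "IOT address", proto="udp", dport=53, label="allow DNS"),
    Rule("pass", "IOT net", "RFC1918", dst_invert=True, label="allow internet"),
    Rule("block", "IOT net", "IOT address", proto="tcp", dport=443, label="block WebGUI"),
]

if __name__ == "__main__":
    for name, rules, flow in [
        ("LAN shadowed, LAN->IOT", LAN_SHADOWED, ("192.168.1.10", "192.168.20.50")),
        ("LAN reordered, LAN->IOT", LAN_REORDERED, ("192.168.1.10", "192.168.20.50")),
        ("IOT final, IOT->LAN", IOT_RULES, ("192.168.20.50", "192.168.1.10")),
        ("IOT final, IOT->internet", IOT_RULES, ("192.168.20.50", "1.1.1.1")),
    ]:
        print(f"{name}: {evaluate(rules, *flow)}")
```

Running it shows the shadowing directly: with the original order a LAN host reaching into the IOT VLAN hits "allow anything out", and only after the reorder does the block fire. The IOT list lets the VLAN reach the internet and the firewall's DNS, while IOT to LAN and IOT to the WebGUI both end in a block, the former by default deny and the latter by the explicit rule at the bottom.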
jp0469
Jr. Member
Posts: 60
Karma: 8
Re: LAN and IOT VLAN firewall rules
« Reply #4 on: January 18, 2022, 07:20:06 pm »
I noticed after my last post that you also have a rule to block access to the WebGUI on the IOT interface. You can leave that rule at the bottom as it should work just fine. Another way to control this without rules is to go to System > Settings > Administration and then modify "Listen Interfaces" to only include the ones where you want to permit WebGUI access.
meazz1
Jr. Member
Posts: 90
Karma: 1
Re: LAN and IOT VLAN firewall rules
« Reply #5 on: January 19, 2022, 12:45:04 am »
@chemlud
@jp0469
Thank you. I believe I got this working.