Topic: How to block local access but allow internet access? (Read 3446 times)
baz (Jr. Member), June 23, 2022, 05:19:54 pm:
I would like my USERS vlan to block internal access to any servers on the network, and to each other, but still be able to access the internet. I think I need a firewall rule along the lines of: block all access to 192.168.* except for access to the OPNsense box (for dns, etc.). What is the cleanest way to do that?
Patrick M. Hausen (Hero Member), Reply #1, June 23, 2022, 06:37:19 pm:
Iff all your users are in the same LAN or VLAN the traffic between those systems does not pass your firewall. There's nothing OPNsense can do in that regard. You would need a layer 3 capable switch that supports access lists on each port ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
baz (Jr. Member), Reply #2, June 23, 2022, 08:00:45 pm:
If I have a user on vlan USERS and the firewall for that interface is wide open, that user can access local services on other vlans, for example the nas on vlan LAN. I would like it so that USERS cannot access services on any of the local networks, but can access the internet, basically like how "guest" mode works on APs.
(Last Edit: June 23, 2022, 08:08:04 pm by baz)
Patrick M. Hausen (Hero Member), Reply #3, June 23, 2022, 08:09:01 pm:
OK, so you want to prohibit them from reaching services in OTHER VLANs? Correct?
Just put a deny rule with the target address of that other VLAN before the "allow all" rule.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
baz (Jr. Member), Reply #4, June 23, 2022, 08:55:41 pm:
I also don't want them to be able to access other machines on their own vlan. I was hoping there would be an elegant way to deny all by default except internet and opnsense.
Patrick M. Hausen (Hero Member), Reply #5, June 23, 2022, 10:43:51 pm:
There is no possible way to isolate machines on the same VLAN. Unless - as I wrote - you buy a switch that is capable of filtering.
If you are talking about WiFi and not Ethernet, many access points offer a "client isolation" feature, too.
The OPNsense firewall only sees packets that LEAVE the VLAN. Not packets from one machine to another one INSIDE the VLAN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
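Added example, not part of any post in this thread and not OPNsense code: a small first-match model of the rule order discussed above (allow DNS to the firewall, block private destinations, then "allow all"), which also marks traffic between two hosts inside the USERS VLAN as never reaching the firewall. The addresses, the RFC 1918 list as the "local networks" and the first-match evaluation are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing, assumed for this example (not from the thread).
USERS_NET = ipaddress.ip_network("192.168.20.0/24")   # USERS VLAN
FIREWALL_IP = ipaddress.ip_address("192.168.20.1")    # firewall's USERS address
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rules on the USERS interface: (action, destination networks, destination port).
# None means "any". Protocol is left out to keep the model small.
RULES = [
    ("pass",  [ipaddress.ip_network("192.168.20.1/32")], 53),  # DNS to firewall
    ("block", RFC1918, None),                                  # all local nets
    ("pass",  None, None),                                     # "allow all"
]

def evaluate(rules, dst, port):
    """Return the action of the first rule matching dst/port (default: block)."""
    dst = ipaddress.ip_address(dst)
    for action, nets, rule_port in rules:
        if nets is not None and not any(dst in net for net in nets):
            continue
        if rule_port is not None and rule_port != port:
            continue
        return action
    return "block"

def verdict(src, dst, port, rules=RULES):
    """Classify a flow from the USERS VLAN.

    Traffic between two hosts in the same VLAN is switched at layer 2 and
    never reaches the firewall, so no rule can affect it: "not-seen".
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in USERS_NET and dst_ip in USERS_NET and dst_ip != FIREWALL_IP:
        return "not-seen"
    return evaluate(rules, dst, port)

if __name__ == "__main__":
    for dst, port in [("192.168.20.1", 53), ("192.168.20.1", 443),
                      ("192.168.1.10", 445), ("1.1.1.1", 443),
                      ("192.168.20.60", 445)]:
        print(f"192.168.20.50 -> {dst}:{port}: "
              f"{verdict('192.168.20.50', dst, port)}")
```

The "not-seen" result is the case that needs switch port filtering or access point client isolation, since no firewall rule is ever consulted for it.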