Allow internet traffic but not intraVLAN traffic
Topic: Allow internet traffic but not intraVLAN traffic (Read 872 times)
JCBond (Newbie, Posts: 3, Karma: 0)
Allow internet traffic but not intraVLAN traffic
on: September 08, 2023, 12:31:59 am
I am new to OPNsense and am trying unsuccessfully to do something I think should be very easy.
At my location, we have 20 separate VLANs. I would like to allow ALL VLANs full access to the WAN (Internet) but only allow IntraVLAN communication between two of the VLANs and the rest.
I know I could go to each VLAN and create individual firewall rules to Block and Allow communications between every single possibility. But since there are so many VLANs I would like to group things and just allow what is needed.
Basically, this is what I need:
- Allow traffic from VLAN 1 to ALL other VLANs + Internet (I can do this with a rule to allow VLAN 1 to ALL)
- Allow traffic from VLAN 2 to ALL other VLANs + Internet (I can do this with a rule to allow VLAN 2 to ALL)
- Allow only Internet traffic from all other VLANs - This is the question: How do I allow this without at the same time allowing communication to the other VLANs?
I don't want to have to create a block rule from each VLAN to every other VLAN (there are just too many).
I have tried multiple options to group the VLANs in different ways and create Block Rules and Allow rules, but unless I do this to EACH and EVERY VLAN individually, I am not getting the correct results.
Maurice (Hero Member, Posts: 1213, Karma: 158)
Re: Allow internet traffic but not intraVLAN traffic
Reply #1 on: September 08, 2023, 01:02:00 am
There are a few ways to do this. Most important thing to remember: Everything that's not explicitly allowed is blocked by default (that's for inbound, with a few exceptions).
Create two groups:
"AllVLANs" (add all of them) and "InternetOnlyVLANs" (add the 18 restricted ones).
On the InternetOnlyVLANs group, create a rule: allow 'InternetOnlyVLANs net' to !'AllVLANs net'
You can do this by enabling 'Destination / Invert' and setting the destination to 'AllVLANs net'.
If you need to access OPNsense itself from the Internet-only VLANs (e.g. for DNS), you need to add an additional rule to allow this.
Cheers
Maurice
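The following is an added example, not code from the thread or from OPNsense, that models the rule set described in the reply as a first-match packet filter so the effect of "Destination / Invert" can be checked against concrete flows. The addressing (VLANs 1 to 20 on 10.20.<vlan>.0/24 with the firewall at .1 in each), the rule names and the 192.168.50.0/24 "forgotten" network are assumptions chosen for illustration. Ingress interface, ports and stateful reply traffic are not modelled; source-subnet membership stands in for "traffic arriving on an interface in the group".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Sequence, Tuple

# Constructed addressing (assumption, not from the thread): VLANs 1..20 on
# 10.20.<vlan>.0/24, OPNsense holding the .1 address in each VLAN.
VLAN_IDS = range(1, 21)
VLAN_NETS = {v: ip_network(f"10.20.{v}.0/24") for v in VLAN_IDS}
FIREWALL_ADDRS = [ip_network(f"{VLAN_NETS[v][1]}/32") for v in VLAN_IDS]

# The two groups from the reply. "<group> net" is the union of the member
# interfaces' subnets, which therefore also contains the firewall's own address.
ALL_VLANS_NET = [VLAN_NETS[v] for v in VLAN_IDS]
INTERNET_ONLY_NET = [VLAN_NETS[v] for v in VLAN_IDS if v not in (1, 2)]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "pass" or "block"
    src: Optional[Sequence[IPv4Network]]   # None means "any"
    dst: Optional[Sequence[IPv4Network]]   # None means "any"
    dst_invert: bool = False               # the "Destination / Invert" checkbox


def _in_any(addr: IPv4Address, nets: Sequence[IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def _matches(rule: Rule, src: IPv4Address, dst: IPv4Address) -> bool:
    if rule.src is not None and not _in_any(src, rule.src):
        return False
    if rule.dst is not None:
        # A normal match needs a hit; an inverted match needs a miss.
        if _in_any(dst, rule.dst) == rule.dst_invert:
            return False
    return True


def evaluate(rules: Sequence[Rule], src: str, dst: str) -> Tuple[str, str]:
    """First matching rule wins (OPNsense rules are 'quick' by default).
    Anything no rule matched falls to the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule, s, d):
            return rule.action, rule.name
    return "block", "default deny"


def build_rules(allow_dns_to_firewall: bool = False) -> List[Rule]:
    """The rule set from the thread. The pass rules have disjoint source and
    destination sets, so their relative order does not change the outcome."""
    rules = [
        Rule("VLAN1: allow to any", "pass", [VLAN_NETS[1]], None),
        Rule("VLAN2: allow to any", "pass", [VLAN_NETS[2]], None),
    ]
    if allow_dns_to_firewall:
        # The extra rule from the reply: restricted VLANs may still reach the
        # firewall itself. Ports are not modelled here; the real rule would be
        # limited to the needed services (e.g. TCP/UDP 53 to "This Firewall").
        rules.append(Rule("InternetOnlyVLANs: allow to This Firewall", "pass",
                          INTERNET_ONLY_NET, FIREWALL_ADDRS))
    # The key rule: pass 'InternetOnlyVLANs net' to !'AllVLANs net'.
    rules.append(Rule("InternetOnlyVLANs: allow to !AllVLANs net", "pass",
                      INTERNET_ONLY_NET, ALL_VLANS_NET, dst_invert=True))
    return rules


def decide(src: str, dst: str, allow_dns_to_firewall: bool = False) -> str:
    return evaluate(build_rules(allow_dns_to_firewall), src, dst)[0]


if __name__ == "__main__":
    # Constructed sample flows; the last one shows the caveat of an inverted
    # match: any destination that is not in AllVLANs passes, including a
    # network someone forgot to add to the group.
    for s, d, dns in [("10.20.5.10", "8.8.8.8", False),
                      ("10.20.5.10", "10.20.6.10", False),
                      ("10.20.1.10", "10.20.5.10", False),
                      ("10.20.5.10", "10.20.5.1", False),
                      ("10.20.5.10", "10.20.5.1", True),
                      ("10.20.5.10", "192.168.50.10", False)]:
        action, why = evaluate(build_rules(dns), s, d)
        print(f"{s} -> {d}: {action} ({why})")
```

Two things the flows make visible: without the extra rule, the restricted VLANs cannot reach the firewall's own interface address (it sits inside 'AllVLANs net'), so DNS or DHCP relay served by OPNsense breaks; and the inverted destination means "everything that is not a listed VLAN", so a VLAN added later but not added to the AllVLANs group is reachable from the restricted VLANs until the group is updated.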
JCBond (Newbie, Posts: 3, Karma: 0)
Re: Allow internet traffic but not intraVLAN traffic
Reply #2 on: September 08, 2023, 02:02:50 am
Maurice,
I knew this could not be that difficult, but I did not understand what "invert the sense of the match" meant until you brought it up.
Thank you so much.