Blocking/Allowing InterInterface Traffic

Started by t84a, April 12, 2025, 09:08:31 PM

Quote from: meyergru on May 08, 2025, 03:12:50 PMYou can compare the differences between any of your last configurations via System: Configuration: History.

What do you mean by "I set it back to Pass All and everything works."? You only showed one firewall rule to that extent here. We were chasing ghosts here if that was not the only rule and you did not have internet access with that.

If it was not the only manual rule on that interface, then please show all interface rules. As I wrote, your first goal should be to enable internet access from all interfaces, then block specific inter-VLAN traffic without losing internet access.


On Port 3. The experiment in this thread was with Port 3-Cameras.

I have Pass All on all 3 LAN interfaces now.

May 08, 2025, 07:25:55 PM #31 Last Edit: May 08, 2025, 07:27:31 PM by EricPerl Reason: Clarification
Here's my understanding of where we stand.
OP has Internet connectivity when using the "Pass all" rule.

Reply #8
Quote from: t84a on May 07, 2025, 08:15:52 PM...
Sorry, I meant that I do not use VLANS.  I originally set up all the interfaces to have this rule.  I had no problems but I don't think that I am preventing LAN2 and LAN3 from accessing LAN1 or each other. 
...
Edit: This rule refers to the pass all rule attached.

Also reply #18
Quote from: t84a on May 07, 2025, 10:42:55 PMO5. I'm not sure that matters.  When I connect to LAN2 or LAN3 from my PC, I get no internet access unless I put in a rule for Pass All.

The OP is correct in that first quote that a pass all rule also gives access to other private VLANs, which is not what he wants (all the way to OP).

I gave him the way I set this up (allow all but private, allow DNS at GW).
OP seems unable to reproduce. That is still outstanding.
OP has never shown his version of these rules...

I concur with disabling IPv6 for now.
Restarting fresh could also eliminate leftover gremlins (for example that weird IP in the routes on WAN, but we could also clean this up more surgically).

Am I missing anything?

May 08, 2025, 08:17:02 PM #32 Last Edit: May 08, 2025, 08:51:50 PM by meyergru
Probably, the OP messed up the VLAN blocking rules. Since he never showed them in context with the "allow all rules", we cannot tell.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

If you use the "allow all but private" mechanism, block rules are not needed, thus eliminating the need to order rules properly.

For your given rules in posting #2 to not work, it suffices to use a DNS server IP on a network other than the test network (say, on the first LAN IP, or not the gateway itself, e.g. a pi-hole or something, i.e. 192.168.x.y where y != 1 or where x is not in the same subnet as the client).

If you then do not know how to diagnose that, you will not have DNS and thus "no internet":

1. I never saw the actual firewall rules.
2. I never saw a ping/traceroute to 8.8.8.8.
3. I never saw the DHCP configuration.

May 08, 2025, 09:44:09 PM #35 Last Edit: Today at 12:50:03 AM by t84a
Update.  Here's the solution. Thanks to EricPerl.

I have the same question. @viragomann says by default inter-VLAN traffic is blocked, but my OPNsense out of the box allows all inter-VLAN traffic. Does someone have a clue where to look? Only if I make a rule like LAN to Management with block does it stop working. But in my opinion, by default inter-VLAN traffic should be blocked.

By default only the LAN interface has an "allow all" rule configured. When you create a new (VLAN) interface it comes with no rules so everything is blocked. That's the default and that is why people make statements like "by default inter VLAN traffic is blocked".

If you copy your LAN rule over to that VLAN, then of course you are permitting *everything*, including inter-VLAN traffic, but that is your decision and your action which caused this.

Create your rules appropriately. A firewall is a policy enforcement device. It does whatever you tell it to.


VLAN 100 in, destination "any" means "any". Make that "! private networks" instead and you do not allow inter VLAN traffic. How should OPNsense guess which policy you want to implement?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
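Added example, not code from the thread or from OPNsense: a small Python model of first-match rule evaluation that shows why the copied "pass all" rule also permits inter-LAN traffic, why the "DNS to the gateway, then anything that is not private networks" policy does not, and why a DNS server sitting on another LAN (meyergru's pi-hole case above) loses DNS under that policy. The addresses, rule layout and alias contents are constructed.

```python
import ipaddress

# Constructed stand-in for OPNsense's built-in "private networks" alias (RFC 1918).
PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def matches(rule, pkt):
    """Return True if a packet matches a rule; a field the rule omits matches anything."""
    if "proto" in rule and pkt["proto"] not in rule["proto"]:
        return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    if "dst" in rule:
        dst = ipaddress.ip_address(pkt["dst"])
        in_set = any(dst in net for net in rule["dst"])
        if in_set == rule.get("invert", False):   # "invert" models "!" on the destination
            return False
    return True

def evaluate(rules, pkt):
    """First match wins; no match means block, the default for a new interface."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "block"

# The "pass all" rule copied to every interface: everything, inter-LAN included.
PASS_ALL = [{"action": "pass"}]

# The policy from reply #3: DNS to this interface's gateway, then anything not private.
LAN2_GW = ipaddress.ip_network("192.168.2.1/32")
ALLOW_ALL_BUT_PRIVATE = [
    {"action": "pass", "proto": ("udp", "tcp"), "dport": 53, "dst": [LAN2_GW]},
    {"action": "pass", "dst": PRIVATE_NETWORKS, "invert": True},
]

# Constructed traffic from a client on LAN2 (192.168.2.0/24).
PACKETS = {
    "internet":    {"proto": "tcp", "dst": "93.184.216.34", "dport": 443},
    "dns_gw":      {"proto": "udp", "dst": "192.168.2.1",   "dport": 53},
    "lan1_share":  {"proto": "tcp", "dst": "192.168.1.10",  "dport": 445},
    "dns_on_lan1": {"proto": "udp", "dst": "192.168.1.53",  "dport": 53},  # pi-hole on LAN1
}

def results(rules):
    """Verdict per sample packet for a given interface rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("pass all:", results(PASS_ALL))
    print("all but private:", results(ALLOW_ALL_BUT_PRIVATE))
```

The last verdict is the "no internet" symptom from the thread: the client can reach the internet but cannot resolve names, because its DNS server lives in a private network the policy does not permit.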

Quote from: t84a on May 08, 2025, 09:44:09 PMUpdate.  Here's the solution thanks to the HomeNetworkGuy:

FWIW, this is EXACTLY the same as in reply #3 on this thread...

Quote from: EricPerl on May 08, 2025, 11:42:07 PMFWIW, this is EXACTLY the same as in reply #3 on this thread...

#2 - this one:

https://forum.opnsense.org/index.php?topic=46812.msg234831#msg234831

Yeah. Youtube ... 🙄

Opening the 1st page of the thread to compare the rules and typing the wrong number... 🤷‍♂️
I guess I should take a break.

Quote from: EricPerl on May 08, 2025, 11:42:07 PM
Quote from: t84a on May 08, 2025, 09:44:09 PMUpdate.  Here's the solution thanks to the HomeNetworkGuy:

FWIW, this is EXACTLY the same as in reply #3 on this thread...

Crap.  You are 100% right.  I probably tried it but did it wrong.  So to correct myself:  Thanks to ERIC for the solution!!

I can't even... sigh.

Post 41 was from my phone. To be clear, I'm positive I tried Eric's recommendation.

I restored a backup from the beginning of April and started over. Instead of coming back to this thread, I went from scratch.

I'm not sure what was jacked up. My apologies to Eric. He's helped me on every one of my topics.