How to isolate one port/subnet

Started by hushcoden, March 30, 2021, 09:33:54 PM

I've got 2x LAN ports and 1x WAN port and I'd want to create firewall rules to 'isolate' LAN2 (which is on a different subnet than LAN1) in order to allow only Internet access and no access to LAN1, any advice, please?

Tia.

Create a fw rule on

LAN1 which is blocking the traffic to lan2

And on LAN2 which is blocking to lan1
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Quote from: lfirewall1243 on March 30, 2021, 09:35:24 PM
Create a fw rule on

And on LAN2 which is blocking to lan1
Just one rule like the attachment ?

Easiest would be an allow rule on LAN2 interface, source LAN2 net, destination !LAN1 net

This would replace any block rule from LAN2 net to LAN1 net, and any allow rule from LAN2 net to any

Result: anything from LAN2 net to internet is allowed (by above rule), and anything from LAN2 net to LAN1 net is blocked (by default deny rule)

Quote from: Greelan on March 31, 2021, 01:12:33 PM
Easiest would be an allow rule on LAN2 interface, source LAN2 net, destination !LAN1 net

Sorry, what does !LAN1 net mean?

"Not LAN1 net". Put LAN1 net as destination, but check the invert destination box. So the rule will match if the destination is NOT LAN1 net

March 31, 2021, 02:39:14 PM #6 Last Edit: March 31, 2021, 02:43:35 PM by hushcoden
Ahh gotcha  ;D and that's my current LAN2: I have also two default allow rules which I believe OPNSense created - does it look fine?

As I said above, you don't need the last two. If you keep them, then all traffic from LAN2 net will continue to be able to reach LAN1 net
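To make the point above concrete, here is an added illustration that is not part of the thread: a small first-match rule evaluator in the style of OPNsense's top-down processing, run against the single "LAN2 net -> !LAN1 net" pass rule and against the same rule with a leftover "LAN2 net -> any" allow rule behind it. The subnets and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample subnets standing in for "LAN1 net" and "LAN2 net".
LAN1_NET = ipaddress.ip_network("192.168.1.0/24")
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]     # None means "any"
    invert_dst: bool = False                 # the "invert destination" checkbox (!LAN1 net)

    def matches(self, src_ip, dst_ip):
        if self.src is not None and src_ip not in self.src:
            return False
        if self.dst is None:
            return True
        in_dst = dst_ip in self.dst
        return (not in_dst) if self.invert_dst else in_dst


def decide(rules, src, dst):
    """Evaluate rules top-down; the first match wins, no match hits the default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"  # implicit default deny at the end of every interface ruleset


# The suggested ruleset: one pass rule, source LAN2 net, destination NOT LAN1 net.
ISOLATED = [Rule("pass", LAN2_NET, LAN1_NET, invert_dst=True)]

# Same rule, but with a default "LAN2 net -> any" allow rule left in place below it.
LEAKY = ISOLATED + [Rule("pass", LAN2_NET, None)]


def check(rules):
    """Return the verdict for LAN2 -> Internet and LAN2 -> LAN1 under a ruleset."""
    return {
        "lan2_to_internet": decide(rules, "192.168.2.10", "203.0.113.5"),
        "lan2_to_lan1": decide(rules, "192.168.2.10", "192.168.1.20"),
    }


if __name__ == "__main__":
    print("isolated:", check(ISOLATED))  # internet pass, LAN1 block
    print("leaky:   ", check(LEAKY))     # internet pass, LAN1 pass (isolation defeated)
```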

Quote from: hushcoden on March 31, 2021, 02:39:14 PM
Ahh gotcha  ;D and that's my current LAN2: I have also two default allow rules which I believe OPNSense created - does it look fine?
Yep delete the last 2

Thanks, but if I delete the last two, the PS4 won't connect to the Internet...  :o

So the PS4 is in LAN2 net? Does it rely on any services in LAN net, such as a DNS server?

I am assuming of course you weren't observing this while the PS4 blocking schedule was operating?

So, I fixed it by adding DNS servers manually on PS4  ;D

Why can't we just use the following rule:
PASS src GUEST_LAN dst !WAN

This way, if one ever adds a second or third LAN, I don't have to remember to add firewall rules.