Allow only Internet traffic

Started by RLuceac, November 07, 2023, 10:14:45 PM

Hello my friends,

I have an OPNsense setup with multiple VLANs, and for some of them I do not want inter-VLAN communication, only access to the internet.

I created a PASS rule on the vlan1 interface, allowing vlan1 net to WAN net, but it does not work...

If I create an allow any-to-any rule, I get internet access on that VLAN...

Why is my vlan1 net to WAN net rule not working?

What files can I get from OPNsense to post here?

Thanks

WAN net is only the directly connected network on the WAN interface.

The Internet is "any".

To prohibit a VLAN from accessing other VLANs you need a more specific deny rule in front of the general ("Internet") allow rule.

Source: VLAN X
Destination: Group of all other VLANs (for example)
Action: deny

Source: VLAN X
Destination: any
Action: allow
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks!

I created the block rules and after that the allow-any rule..

It works...

A lot of work, but it works..

We do it like this:


  • Create an Alias that contains all private networks as defined in RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • Create a firewall rule that only allows traffic to that Alias and use the Source/Invert checkbox. This way you'll only allow traffic not directed to private networks.
  • Optional: Create firewall rules to allow traffic that is directed to the firewall (e.g. DNS) and place them before the RFC1918 rule. This way you can make exceptions for traffic that should reach some of your private network destinations.

I found it works only if you use the Destination/Invert checkbox (not the Source one), which makes more sense.
Or am I wrong?

Destination invert is correct.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
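The three approaches discussed in this thread (the original "vlan1 net to WAN net" rule, the block-other-VLANs-then-allow-any pair, and the single RFC1918 rule with the Invert checkbox) all come down to first-match rule evaluation against address sets. The following added example, which is not code from this thread or from OPNsense, simulates that evaluation in Python so you can see why each variant passes or blocks a given packet. All addresses are constructed: 192.168.10.0/24 is assumed to be vlan1, 192.168.20.0/24 another VLAN, 203.0.113.0/24 the directly connected WAN network, 192.168.10.1 the firewall's own vlan1 address, and 198.51.100.20 an arbitrary internet host. Ports and protocols are deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example networks (documentation and RFC1918 ranges, not real hosts).
VLAN1_NET = ipaddress.ip_network("192.168.10.0/24")
VLAN2_NET = ipaddress.ip_network("192.168.20.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")          # directly connected WAN subnet only
FIREWALL_VLAN1_IP = ipaddress.ip_network("192.168.10.1/32")
OTHER_VLANS = [VLAN2_NET]                                   # alias "all VLANs except vlan1"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    action: str          # "pass" or "block"
    src: list            # list of networks; an empty list means "any"
    dst: list            # list of networks; an empty list means "any"
    src_invert: bool = False   # models the OPNsense "Source / Invert" checkbox
    dst_invert: bool = False   # models the OPNsense "Destination / Invert" checkbox


def _in_nets(addr, nets, invert):
    """Membership test as the rule editor applies it: empty list = any, then optional invert."""
    hit = not nets or any(addr in n for n in nets)
    return (not hit) if invert else hit


def evaluate(rules, src, dst):
    """First-match evaluation on one interface (OPNsense rules are 'quick' by default).
    Traffic that matches no rule falls through to the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _in_nets(s, r.src, r.src_invert) and _in_nets(d, r.dst, r.dst_invert):
            return r.action, r.name
    return "block", "default deny"


def ruleset_wan_net():
    """The original poster's rule: only the WAN subnet itself is the destination."""
    return [Rule("vlan1 net -> WAN net", "pass", [VLAN1_NET], [WAN_NET])]


def ruleset_block_then_any():
    """Specific deny for the other VLANs, followed by the general allow."""
    return [
        Rule("block vlan1 -> other VLANs", "block", [VLAN1_NET], OTHER_VLANS),
        Rule("vlan1 -> any", "pass", [VLAN1_NET], []),
    ]


def ruleset_rfc1918(invert_on):
    """Single RFC1918 alias rule, with the Invert box on either the destination or the source.
    An exception for the firewall's own address (e.g. DNS) is placed in front of it."""
    exception = Rule("vlan1 -> firewall", "pass", [VLAN1_NET], [FIREWALL_VLAN1_IP])
    if invert_on == "destination":
        main = Rule("vlan1 -> !RFC1918", "pass", [VLAN1_NET], RFC1918, dst_invert=True)
    else:
        main = Rule("!vlan1 -> RFC1918", "pass", [VLAN1_NET], RFC1918, src_invert=True)
    return [exception, main]


def matrix(rules, src="192.168.10.50"):
    """Outcome for a vlan1 host talking to the internet, another VLAN, the WAN subnet and the firewall."""
    targets = {"internet": "198.51.100.20", "vlan2": "192.168.20.5",
               "wan_net": "203.0.113.9", "firewall": "192.168.10.1"}
    return {name: evaluate(rules, src, ip) for name, ip in targets.items()}


if __name__ == "__main__":
    for label, rules in (("WAN net rule", ruleset_wan_net()),
                         ("block then any", ruleset_block_then_any()),
                         ("RFC1918 / destination invert", ruleset_rfc1918("destination")),
                         ("RFC1918 / source invert", ruleset_rfc1918("source"))):
        print(label)
        for target, (action, rule) in matrix(rules).items():
            print(f"  {target:9s} -> {action:5s} ({rule})")
```

Running it shows the thread's conclusions directly: the WAN-net rule passes only the 203.0.113.0/24 host and leaves the internet host to the default deny; the block-then-any pair and the destination-inverted RFC1918 rule both pass internet traffic while dropping the other VLAN; and with the Invert box on the source instead, nothing arriving from vlan1 ever matches, so every packet is dropped.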