Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Firewall Rules Coming Through an Vlan Interface.
« previous
next »
Print
Pages: [
1
]
Author
Topic: Firewall Rules Coming Through an Vlan Interface. (Read 684 times)
PhD_Ape
Newbie
Posts: 2
Karma: 0
Firewall Rules Coming Through an Vlan Interface.
«
on:
June 10, 2024, 03:10:34 pm »
I am looking to restrict access to certain machines to a specific IP address on another VLAN and was wondering how OPNSense views the direction of traffic on the network. Since the traffic leaves VLAN 10 goes to the LAN and then leaves the LAN to go to VLAN 20, would this require an inbound rule on VLAN 20?
Logged
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: Firewall Rules Coming Through an Vlan Interface.
«
Reply #1 on:
June 10, 2024, 04:33:14 pm »
Hi,
rules are bound to interfaces have two directions: in and out. Exception: Floating is bound to all interfaces, groups to those in the respective group.
In general you deny all traffic by default and add allow rules for the kind of traffic you like to have. That's usually done as in rule on the respective network segment's interface. Out rules make it hard to maintain your firewall.
As a matter of fact I don't understand your network setup. Do you have another router in LAN that connects to VLAN 20 or is VLAN20 also directly available to OPNsense. If the latter is the case: To allow traffic from VLAN 10 to VLAN 20 add a rule on VLAN 10 interface, direction in. Specifiy source VLAN 10 net and destination VLAN 20 net. Ports as required. You can also restrict the IP ranges much further, depending on your needs.
If you have another router on LAN you should first make sure LAN has no other hosts in there. Two routers are usually connected with a transfer network that has its own (IPv4: small) range. If not, you will eventually end up doing permanent trouble shooting because of assymetric routing.
Logged
PhD_Ape
Newbie
Posts: 2
Karma: 0
Re: Firewall Rules Coming Through an Vlan Interface.
«
Reply #2 on:
June 11, 2024, 07:34:08 pm »
Hi sorry for the confusion. The physical box running OPNsense has one WAN port and one LAN port. The LAN port is the Parent interface for all my VLANs.
Logged
netnut
Sr. Member
Posts: 272
Karma: 33
Re: Firewall Rules Coming Through an Vlan Interface.
«
Reply #3 on:
June 11, 2024, 10:21:30 pm »
Quote from: PhD_Ape on June 11, 2024, 07:34:08 pm
The LAN port is the Parent interface for all my VLANs.
Although the physical LAN interface is the parent for your VLAN interfaces, from a packet point-of-view your VLAN interface is just another interface, Virtual, but just another interface. And yes, when something is virtual, it finally will hit and use some hardware, in your case the physical LAN interface, but your talking about firewall rules and so: Packets.
When initiating traffic from VLAN10 to VLAN20, from a firewall perspective you should only care about the rules going INTO VLAN10, in 99,9% of the cases OPNsense will handle the rest (like routing).
As "Saarbremer" already explained, packets don't go from VLAN10 -> LAN -> VLAN20, but straight from VLAN10 to VLAN20, otherwise you needed some funky routing to do that, and I can't think of a valid use case.
TL;DR
Manage your OPNsense firewall rules from the first Interface (physical or virtual) that receives the inbound packet, in your scenario VLAN10. If it's traffic the otherway around, from VLAN20 to VLAN10, you would manage the inbound VLAN20 rules.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Firewall Rules Coming Through an Vlan Interface.