Best Practice for Blocking Cross LAN Traffic by Default

Started by rkubes, Today at 05:42:38 AM

I have multiple LAN networks spread between different physical interfaces, VPNs, and VLANs.

I should also call out that I have WAN Failover configured, so all my "allow all outbound" (after all my block rules) are configured to use that Failover Gateway which only goes to either WAN device.

When I first started configuring my OPNsense device several years ago, I would go to each LAN and make a list of rules on each LAN that was "block all This LAN to That LAN." Then as I'd add new LANs over time, I'd need to remember to add another rule to every LAN to default block access to the other LANs. I'm realizing this is becoming a maintenance hassle to keep accurate.


Part of me is thinking, since my default "allow out" rules use the WAN gateway, they probably can't talk to the other LANs by default anyway (other than my explicit allow rules). But I don't know if it's "safe" to rely on that.

I'm also thinking I could make an alias that includes all IPs in the private ranges (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/? I can look that last CIDR up). Then just make a block rule on each LAN to catch anything that wasn't explicitly allowed, and then no longer have to remember to manually add each new Interface/net as I add more LAN segments.

I tried searching this topic, but a lot of the results were people wanting to figure out a way to filter traffic between devices WITHIN the same LAN (which don't make it past switches to the OPNsense instance anyway).

Still before I potentially send myself down another "bad" path, I wanted to understand what others are doing and what recommendations there are.

Thanks
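As an added illustration (not part of rkubes's post or of OPNsense's own code), the following Python models the rule order the post proposes: explicit cross-LAN allows first, then one block rule whose destination is an alias of the RFC 1918 ranges, then the "allow all out" rule. It assumes OPNsense's default first-match ("quick") evaluation, uses constructed LAN addresses, and fills in the third private block as 172.16.0.0/12 (the CIDR the post leaves open). It also checks which local networks the alias would *not* catch, which is the gap to watch if any segment uses non-RFC 1918 space.

```python
"""Model of a first-match firewall chain: explicit allows, RFC1918 block, allow-all-out.

Added example; it is not OPNsense code and does not read or write OPNsense config.
"""
import ipaddress
from dataclasses import dataclass, field

# The alias the post proposes: all RFC 1918 private ranges.
# 172.16.0.0/12 is the correct third block (172.16.0.0 - 172.31.255.255).
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    label: str
    dst: list = field(default_factory=list)  # destination networks; empty = any


def build_ruleset(explicit_allows):
    """Build the per-LAN chain in the order the post describes.

    explicit_allows: CIDR strings this LAN may reach on other LANs.
    """
    rules = [
        Rule("pass", f"allow to {n}", [ipaddress.ip_network(n)])
        for n in explicit_allows
    ]
    # One catch-all block on the alias replaces a rule per other LAN.
    rules.append(Rule("block", "block to RFC1918 alias", list(PRIVATE_NETS)))
    # Default outbound rule, policy-routed to the WAN failover gateway.
    rules.append(Rule("pass", "allow all out (WAN failover gateway)"))
    return rules


def evaluate(rules, dst_ip):
    """First-match evaluation, as OPNsense's default 'quick' rules behave."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if not r.dst or any(ip in net for net in r.dst):
            return r.action, r.label
    return "block", "implicit default deny"


def uncovered_local_nets(lan_nets):
    """Return local networks the RFC1918 alias does not cover.

    Any segment listed here (e.g. CGNAT 100.64.0.0/10 or public space) would
    fall through to the allow-all rule instead of the block.
    """
    uncovered = []
    for cidr in lan_nets:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(p) for p in PRIVATE_NETS):
            uncovered.append(cidr)
    return uncovered


if __name__ == "__main__":
    # Constructed example: this LAN may reach a printer VLAN, nothing else internal.
    chain = build_ruleset(["192.168.50.0/24"])
    for dst in ("192.168.50.10", "10.0.3.4", "8.8.8.8", "100.64.1.1"):
        print(dst, "->", evaluate(chain, dst))
    print("not covered by alias:",
          uncovered_local_nets(["10.0.1.0/24", "192.168.20.0/24", "100.64.0.0/24"]))
```

The last check is the practical caveat to the alias approach: the block only catches destinations inside the alias, so a LAN numbered outside RFC 1918 would still be reachable through the allow-all rule unless the alias is extended to include it.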