[Answered] Firewall rules, Have I read this wrong or just doing it the hard way

[johnw230873]

Hi, from the reading I have done with testing to confirm, for me when I have Guest network and DMZ network it seems the only way to truly lock them down is to use floating rules.

For ease or reading in this "Interface" is referring to a logical interfaces setup inside opnsense, "Network port" then I referring to the physical network port (or logical if opnsense is virtualised)  coming into the firewall from the outside world.

From what I can tell, the normal firewall rules only work on traffic received from the network port and not coming from the interfaces (e.g. intervlan communication).

If I have this correct then when creating a DMZ I prefer to be able to set this up once and know that no traffic can get to this network or come out of this network once it has been set.

With the standard rules on the DMZ interface I can make sure no traffic can go to any other network but I can't stop other traffic coming in, this needs to be done on each other interface.

This means that when ever a new interface is created I need to remember all the networks that need to be isolated and create new rules for them to make sure they stay isolated.

Have I got this correct ?

For now I've flicked over to floating rules for these networks and basically said any traffic going to this network not from this network is blocked.

Is this the best way or I'm I looking at this old school?

[mdirickx]

I'm not following. Do you have multiple VLANs on the same 'Network port'? Best to create an interface for each VLAN for what you want to accomplish.

First result I found seems decent:
https://homenetworkguy.com/how-to/configure-vlans-opnsense/

If you do have these interfaces set up, or you have your different networks on different physical ports, you should be able to set up rules per interface. That is, without floating rules.

In my case I got a VoIP physical link to my switch, and my switch transforms it to a VLAN. But it could as well have been a VLAN on my OPNsense box. Either way, once you have the interfaces, you can limit them in the firewall rules for that interface. For me that's simple: I block everything, and only allow specific UDP ports (allong with http(s) and dns) through.

With the standard rules on the DMZ interface I can make sure no traffic can go to any other network but I can't stop other traffic coming in, this needs to be done on each other interface.

Short answer: no. You can limit what goes in... but you need to specify a source. An alias with blocked networks should suffice. In case you truly want to limit is, you can select 'this firewall' as the source to block traffic from every interface the firewall has.

Not sure I understood your question though.

[Maurice]

@johnw230873, we've just recently had this discussion, please see this thread:
https://forum.opnsense.org/index.php?topic=13522

Cheers

Maurice

[johnw230873]

Thanks guys,

Mdriricki, you answer works, for non floating rules you can limit what goes in "e.g. only one direction"

Maurice, Ta I didn't see that topic Maurice, It doesn't mention floating rules but does imply this is the only real way I can see for now until the feature is introduced.