Topic: VLAN Firewall Traffic & Web Proxy (Read 2845 times)
keropiko (Jr. Member, Posts: 81, Karma: 2)
VLAN Firewall Traffic & Web Proxy
« on: August 20, 2019, 01:06:30 pm »
Hello all,
I have set up some VLAN networks with rules on my firewall to block traffic from some VLANs to others.
On all VLANs I have also enabled the proxy with antivirus on port 80 with NAT rules.
Everything is working fine, except traffic on port 80, where all VLANs can access each other.
For example, a device in VLAN 20 can access a device's web interface on port 80 in VLAN 30.
I think this is because NAT rules come before interface rules in the firewall? I have tried to move the NAT rule for the proxy in the VLAN firewall rules below the block rules, but nothing happens.
Can someone help me set up the rules so that I also completely block all proxy traffic between the VLANs?
Thank you.
hbc (Hero Member, Posts: 501, Karma: 47)
Re: VLAN Firewall Traffic & Web Proxy
« Reply #1 on: August 20, 2019, 09:52:55 pm »
Does the proxy run on OPNsense? Then you can just allow port 3128 (in your case port 80) to "This Firewall". Then only connections to the VLAN interface addresses of OPNsense are allowed.
In case of a transparent proxy, create an alias with your local address space (usually RFC1918) and add it as a NO REDIRECT rule before your proxy redirect rule. Then cross-VLAN traffic will not be forwarded to the proxy and will only pass if a firewall rule exists that allows the traffic.
« Last Edit: August 20, 2019, 10:01:00 pm by hbc »
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
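The rule ordering hbc describes, written out as a constructed pf fragment (OPNsense generates its pf rules from the GUI; this is an added illustration, not the thread's or the project's own configuration). The interface name vlan20, the proxy port 3128 and the host 192.168.30.10 are assumptions:

```pf
# Constructed example: transparent proxy on one VLAN interface of an
# OPNsense/pf firewall. Interface, proxy port and host addresses are assumed.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Translation (rdr) rules are evaluated before the filter rules, first match wins.
# 1. NO REDIRECT for local address space: port-80 traffic to another VLAN is
#    not handed to the proxy, so it stays subject to the interface filter rules.
no rdr on vlan20 inet proto tcp from vlan20:network to <rfc1918> port 80

# 2. Everything else on port 80 is redirected to the transparent proxy
#    listening on this firewall.
rdr on vlan20 inet proto tcp from vlan20:network to any port 80 -> 127.0.0.1 port 3128

# Filter rules: explicit cross-VLAN exception first, then the default block.
# With "quick" the first matching rule decides, so the pass must precede the block.
pass in quick on vlan20 inet proto tcp from vlan20:network to 192.168.30.10 port 80
block in quick on vlan20 inet from vlan20:network to <rfc1918>
```

Without the no-rdr line, a cross-VLAN connection to port 80 is rewritten to the proxy before the block rule is consulted, which is why moving the NAT rule below the block rules in the GUI has no effect.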
keropiko (Jr. Member, Posts: 81, Karma: 2)
Re: VLAN Firewall Traffic & Web Proxy
« Reply #2 on: August 22, 2019, 12:56:04 pm »
Hi, and thank you for the reply.
Yes, I have it on OPNsense as a transparent proxy.
As you told me, I have made a NO redirect NAT rule for RFC1918 above the redirect NAT rule for the proxy, and now the devices from the different VLANs cannot access the devices on port 80 in the other VLANs.
Now the problem is that, even with firewall rules, if I want to permit access from specific VLANs to some of the devices on port 80 in the other VLAN, it does not work.
Secondly, I get 503 errors on devices with HTTP-to-HTTPS redirection on the LAN that are accessible through dynamic DNS with NAT reflection enabled, so I have inserted the WAN dynamic IP together with the RFC1918 exception into the no redirect rule.