Topic: Block OPT1 from LAN (Read 12529 times)
guest10459
Guest
Block OPT1 from LAN « on: November 28, 2015, 04:11:31 am »
I've seen this posted on the forums a few times but I have not found a resolution. I have a LAN and an OPT1 interface on my box. I copied the rule from the LAN firewall tab over to the OPT1 tab that allows all connections. I have a feeling this isn't the best way to go since it allows access to everything. However, I've tried to create firewall rules on both the LAN and OPT1 firewall tabs trying to block OPT1 from accessing the LAN and I can't sort this out.
I also want to block all devices on the OPT1 network from accessing a specific IP address on OPT1. I'm using this as a guest wifi network and I don't want them to have access to the wireless router webui on port 80 or 443.
BertM
Jr. Member
Posts: 53
Karma: 12
Re: Block OPT1 from LAN « Reply #1 on: December 11, 2015, 05:55:24 pm »
Trav1sty,
OPNsense is a packet filter. This means that if you want to block something, you need to do this on the interface where the packet enters the device.
To prevent any communication between LAN and OPT1, you could try the following:
On the OPT1 interface add a firewall rule as follows:
Action is Block
Interface is OPT1
TCP/IP version is IPV4+IPV6
Protocol is any
ICMP type is any
Source is OPT1 net
Destination is LAN net
On the LAN interface add a firewall rule as follows:
Action is Block
Interface is LAN
TCP/IP version is IPV4+IPV6
Protocol is any
ICMP type is any
Source is LAN net
Destination is OPT1 net
To prevent access to the web gui from the OPT1, you could try the following:
On the OPT1 interface add a firewall rule as follows:
Action is Block
Interface is OPT1
TCP/IP version is IPV4+IPV6
Protocol is any
ICMP type is any
Source is OPT1 net
Destination is OPT1 address
I think this will still allow internet access from the OPT1 network because packets with an end destination in the internet (and not the OPT1 address itself) will not get blocked.
Does this work for you?
Note that if you use your OPNsense device for DHCP on the OPT1 network, you may only want to block ports 80 and 443 in the last rule.
Kind regards,
BertM
« Last Edit: December 11, 2015, 05:58:27 pm by BertM »
guest10459
Guest
Re: Block OPT1 from LAN « Reply #2 on: January 31, 2016, 09:22:13 am »
Hi Bert,
First I wanted to thank you for your help and the long explanation. It turns out that I was doing things right but I had two problems. The first is that I was using the transparent proxy on both my LAN and OPT1. This was making the filtering very difficult, but my rule was correct after I turned the OPT1 proxy off.
The IP blocking rule was exactly what I needed. I can no longer access OPNsense from OPT1. I found something odd that was actually making my troubleshooting worse than it should be.
I have a wifi access point on both my LAN and OPT1. I can connect to the webui of both access points regardless of the network I'm on. I've tried a ton of blocking rules and none of them work on these access points that do not supply DHCP.
Everything else works great.
Zeitkind
Full Member
Posts: 180
Karma: 27
Re: Block OPT1 from LAN « Reply #3 on: January 31, 2016, 10:35:57 pm »
A firewall can only block packets that actually pass its network interfaces. Members of the same subnet don't send their packets through a router; they simply send the packet directly to each other, either via a switch/hub or via wifi (which is a shared medium like ethernet). Check if the access points span a WDS or similar. Your access point on the guest side must be completely independent, i.e., it has its own SSID and its own users and an IP address inside the OPT1 range.
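The rule sets BertM gives in Reply #1 (block OPT1 net to LAN net on the OPT1 interface, block LAN net to OPT1 net on the LAN interface, block only ports 80 and 443 from OPT1 net to the OPT1 address so DHCP and DNS keep working) and Zeitkind's point in Reply #3 (traffic between two hosts in the same subnet never reaches the firewall) can both be checked against a small model of per-interface, first-match packet filtering. This is an added Python example, not OPNsense code and not something posted in the thread; the addressing (192.168.1.0/24 for LAN, 192.168.2.0/24 for OPT1, the firewall holding .1 on each, 203.0.113.10 standing in for an internet host) is assumed, and the evaluator is a simplified model of a default-deny packet filter that evaluates the rules of the interface a packet enters on, top to bottom, stopping at the first match.

```python
"""Toy model of per-interface, first-match packet filtering (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing; the thread does not give any addresses.
NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "OPT1": ip_network("192.168.2.0/24"),
}
IFACE_ADDR = {
    "LAN": ip_address("192.168.1.1"),   # "LAN address" in the GUI
    "OPT1": ip_address("192.168.2.1"),  # "OPT1 address" in the GUI
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0          # 0 = no port (e.g. ICMP)


@dataclass
class Rule:
    action: str             # "block" or "pass"
    proto: str              # "any", "tcp", "udp", "icmp"
    src: str                # "<IF> net", "<IF> address" or "any"
    dst: str
    dports: tuple = ()      # () = any destination port


def ingress_interface(pkt):
    """A packet enters on the interface whose subnet contains its source."""
    s = ip_address(pkt.src)
    for name, net in NETS.items():
        if s in net:
            return name
    return "WAN"


def traverses_firewall(pkt):
    """Two hosts in one subnet talk directly over the switch or wifi; the router
    only sees the packet if it is addressed to the router itself or leaves the subnet."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for net in NETS.values():
        if s in net and d in net and d not in IFACE_ADDR.values():
            return False
    return True


def _match_addr(spec, addr):
    if spec == "any":
        return True
    name, kind = spec.split()
    if kind == "net":
        return addr in NETS[name]
    if kind == "address":
        return addr == IFACE_ADDR[name]
    raise ValueError(spec)


def rule_matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not _match_addr(rule.src, ip_address(pkt.src)):
        return False
    if not _match_addr(rule.dst, ip_address(pkt.dst)):
        return False
    return not rule.dports or pkt.dport in rule.dports


def verdict(rulesets, pkt):
    """Evaluate the ingress interface's rules in order; first match wins; default deny."""
    if not traverses_firewall(pkt):
        return "not seen by firewall"
    for rule in rulesets.get(ingress_interface(pkt), []):
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# The rules from Reply #1, with the narrowed 80/443 variant from the note at the end.
# The copied allow-all rule sits BELOW the block rules.
RULES = {
    "OPT1": [
        Rule("block", "any", "OPT1 net", "LAN net"),
        Rule("block", "tcp", "OPT1 net", "OPT1 address", (80, 443)),
        Rule("pass", "any", "OPT1 net", "any"),     # the rule copied from the LAN tab
    ],
    "LAN": [
        Rule("block", "any", "LAN net", "OPT1 net"),
        Rule("pass", "any", "LAN net", "any"),
    ],
}

# Same rules with the allow-all rule placed first: the blocks are never reached.
MISORDERED = {"OPT1": [RULES["OPT1"][2]] + RULES["OPT1"][:2], "LAN": RULES["LAN"]}


if __name__ == "__main__":
    for p in (Packet("192.168.2.50", "192.168.1.20", "tcp", 445),
              Packet("192.168.2.50", "192.168.2.1", "tcp", 443),
              Packet("192.168.2.50", "192.168.2.1", "udp", 53),
              Packet("192.168.2.50", "203.0.113.10", "tcp", 443),
              Packet("192.168.2.50", "192.168.2.2", "tcp", 80)):
        print(p, "->", verdict(RULES, p))
```

The last packet models the guest-side access point in Reply #2: its web UI is inside the OPT1 subnet, so the guest client reaches it directly and no rule on OPNsense can intercept that flow. The `MISORDERED` set shows why copying the allow-all rule without moving it below the block rules leaves OPT1 open to the LAN.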