alias with ip's to block LAN access - what firewall rule

[RamSense]

I would like to have some specific IP's on my wifi network being blocked for LAN access and only allowing internetaccess. I have made an alias with the IP addresses that should have no LAN access, but I can't find a working firewall rule.....

What Firewall-Rules-LAN do I have to make to get this working?

Thank you for your help in advance!

[jp0469]

Are the wireless clients on their own VLAN? If not, then they're on the same subnet as what you're calling the LAN and if that's the case, you can't block inter-LAN traffic because it doesn't pass through the firewall.

[RamSense]

Thank you for your reply!
Yes they are on the same subnet. So this can't be done? to bad....

I have 1 working firewall lan rule for alias ip's that can access LAN, but have no internet access:
block - lan - source "alias" - destination invert - destination lan address

and was looking for the way around rule for allowing internet but blocking the LAN.... So this is only available by adding another wifi point with its own subnet.....

[lfirewall1243]

Please give us a
-Network Plan
- Screenshot of LAN Rules
- What you want to archive

[chemlud]

Thank you for your reply!
Yes they are on the same subnet. So this can't be done? to bad....

I have 1 working firewall lan rule for alias ip's that can access LAN, but have no internet access:
block - lan - source "alias" - destination invert - destination lan address

and was looking for the way around rule for allowing internet but blocking the LAN.... So this is only available by adding another wifi point with its own subnet.....

The LAN-to-LAN traffic is not subjected to any limitations by FW-rules. Actually the sense doesn't even see the LAN traffic. Take a new interface, name it GUEST or something and BLOCK access to your LAN.

[RamSense]

Thank you both for your replies.

What I want to do is what I have done to my Ip-Cams. Those IPcams have static ip / mapping and added to an Alias. With the firewall rule ( block - lan - source "alias" - destination invert - destination lan address ) I have given those only access to lan and no access to the internet.

Now I want to add another Alias with static IP's for guests in my house. Those IP's should have access to the internet, but not to the LAN. Kinda like a guest network.
My WIFI router does have a guest network option, but since this router is in AP (access point) mode, this guest network is working the same as the normal wifi network. I can not assign another interface to it.

My setup is simple. ISP router in bridge -> Opnsense -> Wifi Router

[marjohn56]

One more time. You cannot block LAN <> LAN devices from talking to each other, the packets go direct, they do not enter the firewall. When you put a rule in that blocks LAN > WAN then the packet from the LAN must go via the firewall to get to the WAN, therefore it can be blocked... The correct way to do this is either separate LANs or the use of VLANs, in fact if the clients are wired it's the only way to do it as far as I am aware.

[edit]

There are two ways to do this, if  your hardware running Opnsense has a spare ethernet port that you are not using then create a separate 'Guest' LAN on that and wire it only to the wifi access point, The other way is to buy a small managed switch(es) and use VLANs, one for the WiFi and one for the wired LAN, you could even have a third, which is for the Cameras/IOT devices only.

[chemlud]

..or if your sense has a free USB-port try your luck with a USB-RJ45 adapter, I use some USB2 from time to time as Service Interface, not for high troughput, but usually I have found them to be reliable. And for IOT trash it should be OK anyway...

[RamSense]

Thanks. Got it. I think I Will set up an wifi access point only for guests and assign a vlan/interface to it.
I was hoping to make it work without another device being bought :-)