Author Topic: How to isolate one port/subnet (Read 4616 times)

hushcoden · « **on:** March 30, 2021, 09:33:54 pm »

I've got 2x LAN ports and 1x WAN port and I'd want to create firewall rules to 'isolate' LAN2 (which is on a differnet subnet than LAN1) in order to allow only Internet access and no access to LAN1, any advice, please?

Tia.

lfirewall1243 · « **Reply #1 on:** March 30, 2021, 09:35:24 pm »

Creat a fw rule on

LAN1 which is blocking the traffic to lan2

And on LAN2 which is blocking to lan1

hushcoden · « **Reply #2 on:** March 31, 2021, 12:59:46 pm »

Quote from: lfirewall1243 on March 30, 2021, 09:35:24 pm

Creat a fw rule on

And on LAN2 which is blocking to lan1

Just one rule like the attachment ?

Greelan · « **Reply #3 on:** March 31, 2021, 01:12:33 pm »

Easiest would be an allow rule on LAN2 interface, source LAN2 net, destination !LAN1 net

This would replace any block rule from LAN2 net to LAN1 net, and any allow rule from LAN2 net to any

Result: anything from LAN2 net to internet is allowed (by above rule), and anything from LAN2 net to LAN1 net is blocked (by default deny rule)

hushcoden · « **Reply #4 on:** March 31, 2021, 02:23:52 pm »

Quote from: Greelan on March 31, 2021, 01:12:33 pm

Easiest would be an allow rule on LAN2 interface, source LAN2 net, destination !LAN1 net

Sorry, what !LAN1 net means?

Greelan · « **Reply #5 on:** March 31, 2021, 02:26:17 pm »

“Not LAN1 net”. Put LAN1 net as destination, but check the invert destination box. So the rule will match if the destination is NOT LAN1 net

hushcoden · « **Reply #6 on:** March 31, 2021, 02:39:14 pm »

Ahh gotcha

and that's my current LAN2: I have also two default allow rules which I believe OPNSense created - does it look fine?

Greelan · « **Reply #7 on:** March 31, 2021, 10:17:30 pm »

As I said above, you don’t need the last two. If you keep them, then all traffic from LAN2 net will continue to be able to reach LAN1 net

lfirewall1243 · « **Reply #8 on:** April 01, 2021, 08:01:01 pm »

Quote from: hushcoden on March 31, 2021, 02:39:14 pm

Ahh gotcha and that's my current LAN2: I have also two default allow rules which I believe OPNSense created - does it look fine?

Yep delete the last 2

hushcoden · « **Reply #9 on:** April 02, 2021, 10:58:18 pm »

Thanks, but if I delete the last two, the PS4 won't connect to the Internet...

Greelan · « **Reply #10 on:** April 03, 2021, 03:01:41 am »

So the PS4 is in LAN2 net? Does it rely on any services in LAN net, such as a DNS server?

Greelan · « **Reply #11 on:** April 03, 2021, 03:03:35 am »

I am assuming of course you weren’t observing this while the PS4 blocking schedule was operating?

hushcoden · « **Reply #12 on:** April 03, 2021, 01:17:04 pm »

So, I fixed it by adding DNS servers manually on PS4

blackline · « **Reply #13 on:** January 14, 2024, 10:18:53 am »

Why can't we just use the following rule:
PASS src GUEST_LAN dst !WAN

This way, if one ever adds a second or third LAN, I don't have to remember to add firewall rules.

Author Topic: How to isolate one port/subnet (Read 4616 times)

hushcoden

How to isolate one port/subnet

lfirewall1243

Re: How to isolate one port/subnet

hushcoden

Re: How to isolate one port/subnet

Greelan

Re: How to isolate one port/subnet

hushcoden

Re: How to isolate one port/subnet

Greelan

How to isolate one port/subnet

hushcoden

Re: How to isolate one port/subnet

Greelan

Re: How to isolate one port/subnet

lfirewall1243

Re: How to isolate one port/subnet

hushcoden

Re: How to isolate one port/subnet

Greelan

Re: How to isolate one port/subnet

Greelan

Re: How to isolate one port/subnet

hushcoden

Re: How to isolate one port/subnet

blackline

Re: How to isolate one port/subnet