Firewall Rule Issues - Seemingly not working

[Smack2k]

Having a strange issue where it seems like firewall rules are being ignored.

As an example, I have a VLAN that has my retro computers on it.  For that VLAN, I have disabled the default allow all inbound and outbound rules, but computers on my house VLAN can still contact the retro computers when they are running.  I also tried putting in a block rule from my home computer (on my home vlan) to anything in the retro VLAN, but I can still contact the machines.

I dont know what I am missing here, so hoping someone may have some advice.

The one thing that is still in place is the default Allow LAN to any rule for the NIC that these two VLANs (and others) connect to.  Is that rule my issue?  I thought by creating the Virtual Networks, those rules would trump anything on the main LAN rules.  Perhaps I am wrong?

Thanks for the assistance.

[chemlud]

Most likely the problem is in your VLAN switch...

[Smack2k]

Cisco Switch looks fine.  Setup the way it has been.  Ports assigned to proper VLANs and trunked properly.

This was working fine and then stopped.  Nothing on either of my switches has changed.

What else on the switch could be the issue?  They are fully managed Cisco switches

[chemlud]

You have a rule to block access from LAN to retro LAN? Show rules on both LAN and retro LAN...

As the traffic originates from LAN, the valid rules should be on the LAN, but if you mess around with outbound and inbound rules ymmv.

[Smack2k]

I had these rules set in each VLAN previously and they were working.  I didnt allow anything in or out of my retro VLAN so the machines could only talk to each other.

I dont have a specific block rule as it states anything that isnt specified allowed is blocked by default.

I have the default VLAN rules for the retro VLAN disabled (so any in and any out is disabled).  The LAN that the VLAN and other VLANs are on still has the default Allow rule, but the specific VLAN rules should supercede the overall LAN rule I'd think.  Otherwise, why even have rules for the VLANs?

I dont want to disable the default allow rule for the LAN or nothing will work.

[chemlud]

...
I dont want to disable the default allow rule for the LAN or nothing will work.

If you allow anything, then everything will be allowled oO

[Smack2k]

Are you saying the default allow LAN rule trumps all the rules you set in individual VLANs? 

That doesnt seem right.

[Greelan]

It doesn’t “trump” it as such, it is just behaving as you have set it up. You are telling OPNsense to allow anything coming from the LAN network to access anything else - so that is what it is doing.

The way OPNsense works is that it generally applies rules on traffic coming in on an interface. If that is allowed to the relevant destination, then the firewall just sends it out the outgoing interface (using the “allow anything out of firewall host itself” floating rule)

[Smack2k]

OK,

If I disable that nothing would be able to get out, even if I have it allowed from the VLANs correct?

So what are my options

This is the rule I am talking about (attached)

If that is disabled or not allowed, nothing coming from that NIC would get out.  If that is the case, what is the point of the VLANs?  This was working fine for a long time the way I had it setup.  I never touched the LAN rule and made all the firewall rules from the VLAN Interfaces. 

[Greelan]

Don’t disable the default rules, just place a block rule above them that blocks LAN net going to VLAN net. Simples…

[Smack2k]

Forgive my ignorance here, but what is the point of having individual VLAN rules to decide what is and isnt allowed in / out if you just block things from the LAN rule?  The VLANs are all created off the LAN NIC.

[Greelan]

Well, like with the LAN rules, you would use the VLAN rules to regulate traffic coming from VLAN net

[somebod3983]

Phew, I'm not going mad, and I'm not the only person with this problem.

I too have created multiple VLANs they're on separate network interfaces for example I wanted placed my ipmi's into a VLAN which I called IPMI with a Vlan ID of 10 assigned dhcp to them on a completely different range (192.168.10.0/24) to my LAN(192.168.1.0/24) the ipmi's all have their IP's (lovely) The problem is my LAN can access them and I have not allowed that! I thought VLANs were completely cut off from other networks until you explicitly allowed them to access something, I thought it was always off by default.

No matter, thought I, i'll create a firewall rule blocking my LAN from accessing it, but low it doesn't, I have tried creating to prevent traffic leaving my LAN bound for my IPMI VLAN, I've tried creating a rule on the IPMI VLAN preventing all traffic from the LAN reaching it, in both cases the LAN has access. So the question is why are VLAN's not isolated?

I'm working from a clean fresh installation with the default firewall rules installed. I'm using OPNSense 21.1.5

[Smack2k]

Well, like with the LAN rules, you would use the VLAN rules to regulate traffic coming from VLAN net

Thats where my rules are....in each VLAN.

There are several VLANs setup that are all coming from the same LAN interface.  The VLAN rules are there for each VLAN.  I've even disabled the allow all in and allow all out for one of them as a test.  But I can still access machines in that VLAN from a machine in a different VLAN.  Same goes for the other VLANs, everything can access everything even though I have specific rules set for each VLAN.  The fact that I disabled the allow all in and out from the one VLAN should mean nothing can get to those machines, yet I still can.

The LAN that the VLANs are created from has the allow all rule from the attachment in an earlier post.  But that has been that way for a long time.  Its just all of the sudden the firewall rules arent doing anything, whether enabled or disabled.

[Greelan]

I think you are both confused by the concept of traffic direction in the fw rules. Have a look at the help text for “Direction” in the fw rules, and the OPNsense docs. You need to look at all rules from the perspective of OPNsense itself.

Unless specifically allowed, everything is blocked coming into an interface on OPNsense. So everything from the internet is blocked coming into the WAN interface; everything from LAN net is blocked coming into the LAN interface; everything from VLAN1 net is blocked coming into the VLAN1 interface.

Obviously there are some default exceptions for DHCP and ICMP. And there is the default LAN “allow any” rule, that allows anything coming from LAN net into the LAN interface to go anywhere (to any other internal subnets, and to the internet).

If you create a VLAN and want to block traffic going to the VLAN hosts, you can either:

- create an IN rule on the interfaces that you want to block traffic from (such as the LAN interface, or a floating rule that applies to multiple interfaces); or

- create an OUT rule on the VLAN interface that you want to block traffic to

OPNsense’s default approach is to apply rules IN on an interface. This is the most efficient from a packet processing perspective (packets are dealt with when first seen by OPNsense), and also means that complications don’t arise if source NAT is applicable.