Question on "This Firewall"

Started by AegeanDad, March 04, 2022, 08:24:16 PM

I have a four-port OPNsense box: two WANs and two LANs. LAN1 should access everything; LAN2 should only access LAN2 and both WANs, but not LAN1.

LAN2 interface has the following rules:
1. Allow all inbound if destination is NOT "This Firewall" (meant to allow WAN traffic)
2. Allow all inbound if destination is LAN2

Yet, a PC attached to the LAN2 port can ping another PC attached to LAN1. Why is that?

"This Firewall" represents all IP addresses assigned to OPNsense. This would typically include localhost and the x.x.x.1 address for each LAN/VLAN. Based on this, LAN2 to LAN1 traffic is being allowed by your rule #1 because LAN1 falls in the scope of NOT "This Firewall". Also, your rule #2 does nothing because traffic within the same subnet does not even pass through the firewall for evaluation.

A better way to achieve your goal is with a single rule. First, create an alias that consists of all the RFC1918 private IP ranges (10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16). Call this "RFC1918" or whatever you like. Next on LAN2, create a rule that allows all access to NOT "RFC1918". This gives LAN2 internet (WAN) access but will not allow traffic to any other LANs.
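To see why rule 1 passes LAN2-to-LAN1 traffic, why rule 2 never fires for host-to-host traffic inside LAN2, and how the single NOT "RFC1918" rule changes the outcome, here is an added Python model of the two rule sets (example code, not from the thread or from OPNsense itself; the subnets and addresses are constructed):

```python
import ipaddress

# Constructed topology (not from the original thread):
# LAN1 = 192.168.1.0/24, LAN2 = 192.168.2.0/24, OPNsense holds .1 on each.
LAN1_NET = ipaddress.ip_network("192.168.1.0/24")
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")

# "This Firewall": every address assigned to the box itself.
THIS_FIREWALL = [ipaddress.ip_network(a) for a in
                 ("127.0.0.1/32", "192.168.1.1/32", "192.168.2.1/32")]

# The RFC1918 alias suggested in the answer.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A rule is (action, destination networks, invert); invert models "NOT".
ORIGINAL_RULES = [("pass", THIS_FIREWALL, True),   # rule 1: dst NOT This Firewall
                  ("pass", [LAN2_NET], False)]      # rule 2: dst LAN2
FIXED_RULES = [("pass", RFC1918, True)]             # single rule: dst NOT RFC1918


def in_any(addr, nets):
    return any(addr in net for net in nets)


def evaluate(rules, src, dst):
    """Verdict for a packet arriving on the LAN2 interface.

    Two hosts on the same subnet exchange frames directly over layer 2, so
    the firewall never evaluates that traffic (only the box's own LAN2
    address is reached through it). Otherwise the first matching rule wins
    and the implicit default is block.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN2_NET and dst in LAN2_NET and not in_any(dst, THIS_FIREWALL):
        return "not evaluated"
    for action, nets, invert in rules:
        if in_any(dst, nets) != invert:   # invert flips the match for "NOT"
            return action
    return "block"


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for dst in ("192.168.1.10", "203.0.113.5", "192.168.2.20", "192.168.2.1"):
            print(f"{name:8} LAN2 -> {dst:14} {evaluate(rules, '192.168.2.10', dst)}")
```

Note that the single NOT "RFC1918" rule also blocks LAN2 hosts from reaching the firewall's own 192.168.2.1, since that address is private as well; any service the box provides to LAN2 (DNS, DHCP on the interface) needs its own explicit rule.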