VLAN with Internet access only

[meggenberger]

Hi,

I'm running OPNsense 21.7.7-amd64 and up until now I just had a WAN and a LAN interface active which was running great. Now I want to add a VLAN 99 and this VLAN should only have access to the Internet and not the LAN network.

WAN: DHCP from ISP
LAN: 192.168.11.1/24 no VLAN tag
IoT: 192.168.99.1/24 with VLAN tag 99

When I create a rule on the IoT network as source and any as destination it works but this is too permissive. I only want internet access. I then tried:

source: IoT network, direction in, destination WAN net on the IoT interface

then it does not work. I get a deny by the default rule. I tried to add:

source: IoT network, direction out, destination * on the  interface WAN

still no gain. I have seen some articles where they allow everything and then deny access to other VLANs. Is that the way to go? Selective allowing doesn't work?

Any ideas or links on how to do this?

[nerlins]

You have to create a default allow any to all rule, so you can at least get internet. That rule stays at the bottom of your rules list. Then add more allow/deny on top. Personally, I create rules on each VLAN, blocking them to IOT, then from IOT to those specific VLANs.

[meggenberger]

ok ... will do that then .. thanks for confirming that I need to do that way and not what I first tried.

[Mks]

Hi,

best practise is to create an alias (RFC1918) with private IPv4 address ranges.

Than on the VLAN99 where you want to have internet only create the following rule:

Interface: VLAN99
Source: Any
Protocol: TCP/UDP
Destination invert: checked (IMPORTANT)
Destination: RFC1918
Destination Port: 80,443

This allows TCP/UDP traffic for Port 80,44 only to Internet (IPv4).

br

[nerlins]

Hi,

best practise is to create an alias (RFC1918) with private IPv4 address ranges.

Than on the VLAN99 where you want to have internet only create the following rule:

Interface: VLAN99
Source: Any
Protocol: TCP/UDP
Destination invert: checked (IMPORTANT)
Destination: RFC1918
Destination Port: 80,443

This allows TCP/UDP traffic for Port 80,44 only to Internet (IPv4).

br

What if their IOT devices need to access ports other than the two listed? And what if the ports they need aren't well documented? They would have to allow all just to see what is happening on the VLAN, right? I am welcome to be told I am wrong. Looking at this page, though, there are a ton of possible ports that could be used for IOT. These are standard, but the manufacturer could use any port they desired.

https://www.f5.com/labs/articles/threat-intelligence/the-hunt-for-iot--multi-purpose-attack-thingbots-threaten-intern

[Mks]

Hi,

What if their IOT devices need to access ports other than the two listed? And what if the ports they need aren't well documented? They would have to allow all just to see what is happening on the VLAN, right?

Question was how the IOT VLAN gets access to the internet. If the devices need additional Ports I recommend the create an Alias (IOT_Ports) and define there the ports which are needed. If you don't know and the ports are not documented you see it Firewall logs.

Looking at this page, though, there are a ton of possible ports

Back to the initial question IOT VLAN --> Internet. The link describes typical port where IOT devices are attacked, meaning Internet --> IOT.

With the described rule you just allow IOT devices to access Internet, not the other way around, meaning the IOT devices are not exposed to the Internet.

br

[meggenberger]

yep. That rule with !1918 worked for web access for the IoT devices.
Restricted it to what I need (port 80 and 443 to some IPs/Hosts)

Now for allowing specific rules from VLAN99 to LAN .. for example ICMP. Would I need to generate 2 rules? One on the IoT interface for outgoing traffic and one on the LAN interface for incoming ICMP from the IoT net as source? (Assuming I don't have/want an allow all out from the IoT network)

[Mks]

Hi,

if you want to PING (ICMP) devices on the IOT VLAN (VLAN99), you need to create a rule on the LAN interface.

Interface: LAN
Source: Any (or LAN net)
Protocol: ICMP
Destination: VLAN99 net

Than you can PING from LAN all devices in the IOT VLAN from to LAN, but not the other way around.

br

[jp0469]

yep. That rule with !1918 worked for web access for the IoT devices.
Restricted it to what I need (port 80 and 443 to some IPs/Hosts)

Now for allowing specific rules from VLAN99 to LAN .. for example ICMP. Would I need to generate 2 rules? One on the IoT interface for outgoing traffic and one on the LAN interface for incoming ICMP from the IoT net as source? (Assuming I don't have/want an allow all out from the IoT network)

Rules only need to be created on the "originating" interface. So in your case, the rule would be on the VLAN99 interface allowing traffic to LAN net (or to specific clients on the LAN net). Rule direction is inbound, which sometimes causes confusion but think of inbound as meaning "toward the firewall".

[Mks]

Hi,

this explains the rule processing quite good.

https://docs.opnsense.org/manual/firewall.html#processing-order

br