critique my setup

[terry274]

I have installed OPNsense 22.1.6 and setup three interfaces. WAN, LAN and IOT.

Since I am relatively new to firewall rules I would like some feedback on my setup. My goal is to have my computers and cell phones on the LAN and internet of things (Roku, Firestick and Amazon Plugs) on IOT. LAN can access IOT, but IOT is blocked from LAN.

My setup works, but is it correct and secure?

[EdwinKM]

You can verify things yourself. Connect a system to your IOT and simply test. You can still access the LAN now.

Why is there a "iot"  "source" on LANem0. That is not the ingress port. Block where the traffic is entering the firewall. On interface "iot_em2" you should create a block rule for traffic to "LAN".

Usually you would create a "RFC1918" item with all private ip ranges. This would avoid problems later if you create new extra networks/interfaces. Google/youtube for examples.


Also do not understand the "iot allow access to gateway".

[terry274]

Thank you for your reply Edwin. I have edited my rules and now have this:






I can ping IOT from LAN successfully, Chromecast and Alexa work. Pings from IOT to LAN are blocked.

I have not yet gotten my printer to work. I can ping it, but it does not show as available to my computer or cell phone.

Any suggestions?

[EdwinKM]

your phone is on lan you stated. The printer is on the IOT lan? I am not familiar with printers on another subnet (and the protocols they use). But i heard this can be give problems. I am not sure if this is using mDNS/bonjour and that kind of jazz. If you find the solution let me know. Have not tested it myself (but i have a wired printer)

[terry274]

The problem with the printer is mDNS I suspect. I have not resolved this issue. The printer is a Brother MFC-J450DW.
It supports mDNS, IPP, LPD and LLMNR among other protocols.

I do have my LAN clients setup to print on the IOT printer by adding the printer address manually. I gave the printer a static address.

If I log onto my IOT and ping the LAN, no packets are allowed through. Good!

If I log onto my LAN and ping the IOT, all packets are allowed through. Good!

If I go use the OPNsense gui and go to "interfaces, diagnostics, ping" and select a LAN host and a IOT source address the packets are transmitted, no loss. I don't understand why that happens.

[EdwinKM]

printer:
so, is the problem only to find the printer dynamically? If you configure it static in operating system it works?


ping:
not 100% sure. But i think you have to look it as follows. Normal IOT devices connected to your physical interface are disallowed to access your LAN. But the traffic has to pass through the interface.
With your experiment you test directly at the router. so, "after" the firewall. You are using the iot gateway (probably x.x.x.1) as source and not a "client" IP.

Even if i add a block rule for ICMP on the "out" direction the ping still works.

[terry274]

The printer has a static address assigned at the firewall. I manually configured my computer and cell phone with the address and I can print from the computer and cell phone. They can not detect the printer dynamically. Since I know I can set up the devices without the dynamic discovery I'm not going to pursue the issue.

I think you are correct about the diagnostic test on the firewall running "after" the interface firewall rule.

Thank you for your help!