how to deal with IPv6?

Started by defaultuserfoo, May 21, 2022, 02:02:29 PM

Quote from: pmhausen on May 24, 2022, 01:33:01 PM
And that's it, in my opinion. What do you think?

I think that's awesome and you're a genius :)

Does it even require the rule to deny everything from Customer net to Customer net? It says everything not explicitly passed is being blocked ...

(I made a test group earlier and then worried I might get locked out, but fortunately, I wasn't ...)

Quote from: defaultuserfoo on May 24, 2022, 02:09:41 PM
Does it even require the rule to deny everything from Customer net to Customer net? It says everything not explicitly passed is being blocked ...
IMHO yes, because we want to keep the allow all to any rules for the individual interfaces. And block only inter-VLAN-traffic.

So the block rule is supposed to match that first. And then when the traffic is from local net X to anything else ("the Internet"), the interface rule matches.

If we leave the group ruleset empty, the firewall will just fall through to the interface rules and end up with "permit".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ah, yes, of course, you're right :)

May 25, 2022, 08:28:41 AM #33 Last Edit: May 25, 2022, 08:32:39 AM by avanix
Quote from: defaultuserfoo on May 23, 2022, 01:11:39 PM
Oh. I thought your screenshot was a joke. Why do you need so many of the same blocking rules? Aren't these rules blocking stuff? Are those outbound or floating rules?
My screenshot was not a joke.
The idea was to have several VLANs and put the devices that should be separated in these VLANs. E.g. my office PC and the NAS are in one VLAN, the smartphones, Apple TV and stuff like this in another VLAN. Each VLAN has the blocking rules to block access to every other VLAN and in the end an allow all rule for Internet access. When I need a communication between the VLANs I add an allow rule in front like in the screenshot for the Remote Desktop port.
Maybe there are simpler solutions, but this one worked for me and separates devices like my office PC from the smartphones and the NAS...
The idea should also work for IPv6 because for the sole separation between the VLANs no direct IPv6-based rule is needed. And for devices without internet access the allow all rule on the end can be removed for a VLAN without Internet.
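The two designs in this thread, pmhausen's single block rule on an interface group followed by a per-interface allow-all, and avanix's per-VLAN list of block rules with exceptions placed in front, both rely on first-match evaluation with group rules consulted before interface rules and an implicit default deny at the end. The following is an added example written for this thread, not code from either poster or from OPNsense; it models that evaluation order with constructed VLAN names (vlan10, vlan20, vlan30) and an assumed alias `CustomerNet` standing in for the thread's "Customer net", and shows why the group ruleset cannot be left empty: without the block rule the packet falls through to the interface's allow-all and is permitted.

```python
"""First-match model of the two inter-VLAN isolation designs discussed above.

Constructed for illustration: the VLAN names, the CustomerNet alias and the
RDP exception are assumptions, not configuration from the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VLANS = ["vlan10", "vlan20", "vlan30"]   # constructed local networks
CUSTOMER_NET = "CustomerNet"             # assumed alias covering every local VLAN
ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # VLAN name, CUSTOMER_NET alias, or ANY
    dst: str                    # VLAN name, CUSTOMER_NET alias, ANY, or "internet"
    label: str
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str                    # VLAN the packet enters the firewall from
    dst: str                    # VLAN name or "internet"
    dport: int = 0


# Constructed exception in avanix's style: one pass rule in front of the blocks.
RDP_EXCEPTION = Rule("pass", "vlan30", "vlan10", "vlan30: allow RDP to vlan10", dport=3389)


def _field_matches(field: str, value: str) -> bool:
    if field == ANY:
        return True
    if field == CUSTOMER_NET:
        return value in VLANS
    return field == value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_field_matches(rule.src, pkt.src)
            and _field_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(group_rules: List[Rule], interface_rules: Dict[str, List[Rule]],
             pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins. Group rules are consulted before the rules of
    the interface the packet arrived on; no match means the implicit default deny."""
    for rule in group_rules + interface_rules.get(pkt.src, []):
        if rule_matches(rule, pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


def group_design(with_block_rule: bool = True):
    """pmhausen's design: one block rule on the interface group, allow-all per interface."""
    group = ([Rule("block", CUSTOMER_NET, CUSTOMER_NET, "group: block inter-VLAN")]
             if with_block_rule else [])
    per_if = {v: [Rule("pass", v, ANY, f"{v}: allow all")] for v in VLANS}
    return group, per_if


def per_vlan_design(exceptions=()):
    """avanix's design: on each VLAN, a block rule per other VLAN, then allow-all,
    with any exception (pass) rules placed in front of the blocks."""
    per_if = {}
    for v in VLANS:
        rules = [r for r in exceptions if r.src == v]
        rules += [Rule("block", v, other, f"{v}: block to {other}")
                  for other in VLANS if other != v]
        rules.append(Rule("pass", v, ANY, f"{v}: allow all"))
        per_if[v] = rules
    return [], per_if


def rule_count(design) -> int:
    group, per_if = design
    return len(group) + sum(len(rules) for rules in per_if.values())


def verdicts(design) -> Dict[str, str]:
    """Run three probe packets through a design and return the action for each."""
    group, per_if = design
    probes = {
        "vlan10->vlan20": Packet("vlan10", "vlan20"),
        "vlan10->internet": Packet("vlan10", "internet"),
        "vlan30->vlan10:3389": Packet("vlan30", "vlan10", 3389),
    }
    return {name: evaluate(group, per_if, p)[0] for name, p in probes.items()}


if __name__ == "__main__":
    for title, design in [("group design", group_design()),
                          ("group design, empty group ruleset", group_design(False)),
                          ("per-VLAN design with RDP exception", per_vlan_design([RDP_EXCEPTION]))]:
        print(f"{title} ({rule_count(design)} rules): {verdicts(design)}")
```

With three VLANs the group design needs four rules in total while the per-VLAN design needs nine before any exception is added; the gap grows with every VLAN, which is the saving referred to in the next reply. Adding an exception to the group design would mean a pass rule on the group placed above the block, or on the interface with the group rule narrowed, since group rules are evaluated first.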

Ah, now I see! It's basically what I did, only you have a lot more VLANs, and you always explicitly use VLAN30 as source in all the rules (Where else could the packets come from?).

The solution Patrick (pmhausen) came up with that uses an interface group might save you all these rules. I'll try that in a couple days.