Blocking access to specific subnets [SOLVED]

Started by bogen85, July 10, 2022, 07:48:46 PM

July 10, 2022, 07:48:46 PM Last Edit: July 10, 2022, 10:18:53 PM by bogen85
Alright, I've seen other posts on this subject and I've had limited success in doing this.

I created a separate test LAN subnet on an unused interface. For purposes of this discussion, I'll call that LAN_TEST_00

By default I can ping the firewall's address for LAN_TEST_00 from a computer on my main subnet, which I'll call LAN_MAIN_00.
I can also access the router web UI at the firewall's address for LAN_TEST_00 from a computer on LAN_MAIN_00.

I can go into LAN_MAIN_00 and add a block rule for LAN_MAIN_00 source to LAN_TEST_00 destination.
When I move this rule to the top and apply it, I can no longer ping the firewall's address for LAN_TEST_00 from a computer on LAN_MAIN_00.

However, the router web UI at the firewall's address for LAN_TEST_00 is still accessible from a computer on LAN_MAIN_00.

I have all protocols specified for the rule.

I want to be able to have separate subnets on separate interfaces that can't access each other (or even know each other exist), unless I allow such access.

Blocking all other subnets for each subnet is fine.

But in my simple test above, I can block pings but not tcp traffic, so I'm not sure how to do this.

What am I doing wrong? This is an IPv4 rule and I'm only testing with IPv4 addresses.

Short of some firewall rules to achieve this isolation, I can either:

1) have multiple physical routers, one per subnet to isolate (currently doing this for two subnets)
2) run multiple virtualized routers on one physical machine with ample resources and multiple network interfaces.

I run virtual OPNsense instances in some setups already, this works quite well.

However, just for the purposes of subnet isolation across multiple network interfaces, I'd rather just run one OPNsense instance with firewall rules, rather than running an OPNsense instance per subnet, which is a lot more demanding on resources.

Quote from: bogen85 on July 10, 2022, 07:48:46 PM
However, the router web UI at the firewall's address for LAN_TEST_00 is still accessible from a computer on LAN_MAIN_00.
This is probably due to the automatic "anti lockout rule" that does some weird things with NAT port forwarding to ensure access to the UI. I disable that in all my OPNsense installations and rely on proper manual rules for UI access.

Your rule does work for TCP, don't worry. The UI is what is "special".

See screenshot to disable.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
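The behaviour reported above (ping blocked, web UI still reachable) follows from first-match rule ordering: OPNsense's automatic anti-lockout rule is a pass rule on the LAN interface for TCP to the firewall's own GUI and SSH ports that is evaluated ahead of the user's rules, and the setting to turn it off is Firewall > Settings > Advanced > "Disable anti-lockout". The following Python model is an added illustration written for this thread, not OPNsense or pf code; the subnets, the firewall addresses, the port list 22/80/443 and the "first match wins" semantics are assumptions made for the model, but it reproduces why the block rule stops ICMP and not TCP/443 until the automatic rule is removed and an explicit UI rule is added instead.

```python
"""First-match rule evaluation, modelling the thread's scenario.

Added example for this thread, not OPNsense code. The addressing, the
anti-lockout port list (22/80/443) and the first-match semantics are
assumptions constructed to mirror LAN_MAIN_00 -> firewall address on
LAN_TEST_00 as described in the posts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the two interfaces in the thread.
LAN_MAIN_NET = ip_network("192.168.10.0/24")   # LAN_MAIN_00 (assumed)
LAN_TEST_NET = ip_network("192.168.20.0/24")   # LAN_TEST_00 (assumed)
FW_ADDR_MAIN = ip_address("192.168.10.1")
FW_ADDR_TEST = ip_address("192.168.20.1")
# "This Firewall": every address the firewall itself holds.
FIREWALL_SELF = {FW_ADDR_MAIN, FW_ADDR_TEST}


@dataclass
class Rule:
    name: str
    action: str                 # "pass" or "block"
    proto: Optional[str]        # "tcp", "udp", "icmp" or None for any protocol
    src: object                 # ip_network
    dst: object                 # ip_network, or the FIREWALL_SELF set
    dports: Optional[frozenset] = None   # None = any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto is not None and self.proto != proto:
            return False
        if src not in self.src:
            return False
        # Destination may be a network or the set of the firewall's own addresses.
        if isinstance(self.dst, set):
            if dst not in self.dst:
                return False
        elif dst not in self.dst:
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule_name) of the first matching rule; default deny.

    Models "quick" rules: the first rule that matches decides, later rules
    (including the user's block rule) are never consulted.
    """
    for rule in rules:
        if rule.matches(proto, ip_address(src), ip_address(dst), dport):
            return rule.action, rule.name
    return "block", "default-deny"


# Automatic rule: TCP from the LAN to any of the firewall's own addresses on
# its management ports. Because it only covers TCP, ICMP is not affected by it.
ANTI_LOCKOUT = Rule("anti-lockout", "pass", "tcp", LAN_MAIN_NET, FIREWALL_SELF,
                    frozenset({22, 80, 443}))

# The user's rule from the first post: block everything LAN_MAIN_00 -> LAN_TEST_00.
USER_BLOCK = Rule("block LAN_MAIN_00 -> LAN_TEST_00", "block", None,
                  LAN_MAIN_NET, LAN_TEST_NET)

# Replacement for the automatic rule: UI reachable only on LAN_MAIN_00's own address.
USER_UI_PASS = Rule("allow UI on LAN_MAIN_00 address", "pass", "tcp", LAN_MAIN_NET,
                    ip_network("192.168.10.1/32"), frozenset({443}))

# Before: the automatic rule sits ahead of everything the user added.
RULES_WITH_ANTI_LOCKOUT = [ANTI_LOCKOUT, USER_BLOCK]
# After: anti-lockout disabled, explicit UI rule for the allowed subnet only.
RULES_MANUAL = [USER_BLOCK, USER_UI_PASS]

CLIENT = "192.168.10.50"   # constructed host on LAN_MAIN_00


def demo():
    """Evaluate the thread's test cases against both rule sets."""
    return {
        "ping LAN_TEST addr, anti-lockout on":
            evaluate(RULES_WITH_ANTI_LOCKOUT, "icmp", CLIENT, str(FW_ADDR_TEST)),
        "UI on LAN_TEST addr, anti-lockout on":
            evaluate(RULES_WITH_ANTI_LOCKOUT, "tcp", CLIENT, str(FW_ADDR_TEST), 443),
        "UI on LAN_TEST addr, manual rules":
            evaluate(RULES_MANUAL, "tcp", CLIENT, str(FW_ADDR_TEST), 443),
        "UI on LAN_MAIN addr, manual rules":
            evaluate(RULES_MANUAL, "tcp", CLIENT, str(FW_ADDR_MAIN), 443),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result[0]} ({result[1]})")
```

With the automatic rule in place the model passes TCP/443 to the LAN_TEST_00 address via "anti-lockout" while ICMP falls through to the user's block rule, which is exactly the asymmetry seen in the first post. With the automatic rule removed and a narrow pass rule for the firewall's LAN_MAIN_00 address added, the UI stays reachable from the intended subnet and is blocked on the isolated one. The practical check after changing the setting is to repeat both tests (ping and a browser or curl to the LAN_TEST_00 address) from a LAN_MAIN_00 host, and to confirm the UI still answers on the LAN_MAIN_00 address before closing the session that made the change.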

July 10, 2022, 10:18:22 PM #3 Last Edit: July 10, 2022, 10:30:35 PM by bogen85
Quote from: pmhausen on July 10, 2022, 09:58:52 PM
This is probably due to the automatic "anti lockout rule" that does some weird things with NAT port forwarding to ensure access to the UI. I disable that in all my OPNsense installations and rely on proper manual rules for UI access.

Your rule does work for TCP, don't worry. The UI is what is "special".

Yes, disabling the "anti lockout rule" makes the deny rule I added work.

I can still access the UI from an applicable subnet.

Thanks.