Blocking acess to specific subnets [SOLVED]

[bogen85]

Alright, I've seen other posts on this subject and I've had limited success in doing this.

I created a separate test LAN subnet on an unused interface. For purposes of this discussion, I'll call that LAN_TEST_00

By default I can ping the Firewall's address for LAN_TEST_00 from my a computer main subnet, which I'll call LAN_MAIN_00.
I can also access the router web UI at Firewall's address for LAN_TEST_00 from a computer on LAN_MAIN_00.

I can go into LAN_MAIN_00 and add a block rule for LAN_MAIN_00 source to LAN_TEST_00 destination.
When and move this rule to the top and apply it, then I can no longer ping the firewall's address for LAN_TEST_00 from a computer on LAN_MAIN_00.

However, the router web UI at Firewall's address for LAN_TEST_00 is still accessible a computer on LAN_MAIN_00.

I have all protocols specified for the rule.

I want to be able to have separate subnets on separate interfaces that can't access each other (or even know each other exist), unless I allow such access.

Blocking all other subnets for each subnet is fine.

But in my simple test above, I can block pings but not tcp traffic, so I'm not sure how to do this.

What am I doing wrong? This is an IPv4 rule and and I'm only testing with IPv4 addresses.

[bogen85]

Short of some firewall rules to achieve this isolation, I can either:

1) have multiple physical routers, one per subnet to isolated (Currently doing this for two subnets)
2) run multiple virtualized routers on one physical machine with ample resources and multiple network interfaces.

I run virtual OPNsense instances in some setups already, this works quite well.

However, just for the purposes of subnet isolation across multiple network interfaces, I'd rather just run one OPNsense instance with firewall rules, rather than running an OPNsense instance per subnet, which is a lot more demanding on resources.

[Patrick M. Hausen]

However, the router web UI at Firewall's address for LAN_TEST_00 is still accessible a computer on LAN_MAIN_00.

This is probably due to the automatic "anti lockout rule" that does some weird things with NAT port forwarding to ensure access to the UI. I disable that in all my OPNsense installations and rely on proper manual rules for UI access.

Your rule does work for TCP, don't worry. The UI is what is "special".

See screenshot to disable.

HTH,
Patrick

[bogen85]

This is probably due to the automatic "anti lockout rule" that does some weird things with NAT port forwarding to ensure access to the UI. I disable that in all my OPNsense installations and rely on proper manual rules for UI access.

Your rule does work for TCP, don't worry. The UI is what is "special".

Yes, disabling the "anti lockout rule" makes the deny rule I added work.

I can still access the UI from an applicable subnet.

Thanks.