Allow internet traffic but not intraVLAN traffic

Started by JCBond, September 08, 2023, 12:31:59 AM

I am new to OPNsense and am trying unsuccessfully to do something I think should be very easy.

At my location, we have 20 separate VLANs. I would like to allow ALL VLANs full access to the WAN (Internet) but only allow IntraVLAN communication between two of the VLANs and the rest.

I know I could go to each VLAN and create individual firewall rules to Block and Allow communications between every single possibility. But since there are so many VLANs I would like to group things and just allow what is needed.

Basically, this is what I need:
- Allow traffic from VLAN 1 to ALL other VLANs + Internet (I can do this with a rule to allow VLAN 1 to ALL)
- Allow traffic from VLAN 2 to ALL other VLANs + Internet (I can do this with a rule to allow VLAN 2 to ALL)
- Allow only Internet traffic from all other VLANs - This is the question: How do I allow this without at the same time allowing communication to the other VLANs?
I don't want to have to create a block rule from each VLAN to every other VLAN (there are just too many)

I have tried multiple options to group the VLANs in different ways and create Block Rules and Allow rules, but unless I do this to EACH and EVERY VLAN individually, I am not getting the correct results.

There are a few ways to do this. Most important thing to remember: Everything that's not explicitly allowed is blocked by default (that's for inbound, with a few exceptions).

Create two groups:

"AllVLANs" (add all of them) and "InternetOnlyVLANs" (add the 18 restricted ones).

On the InternetOnlyVLANs group, create a rule: allow 'InternetOnlyVLANs net' to !'AllVLANs net'
You can do this by enabling 'Destination / Invert' and setting the destination to 'AllVLANs net'.

If you need to access OPNsense itself from the Internet-only VLANs (e.g. for DNS), you need to add an additional rule to allow this.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
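The rule logic in the answer above, as an added worked model that is not part of the thread and not OPNsense code: it resolves OPNsense-style aliases ("X net", "X address", "any") against interface groups, applies first-match semantics with default deny, and shows why the inverted-destination rule alone does not let the restricted VLANs reach the firewall's own interface address. The topology (VLAN n in 10.0.n.0/24, gateway at .1) and the group name "UnrestrictedVLANs" for VLAN 1 and 2 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology, not from the thread: VLAN n lives in 10.0.n.0/24 and
# the OPNsense interface address on each VLAN is assumed to be the first host.
VLANS = {vid: ipaddress.ip_network(f"10.0.{vid}.0/24") for vid in range(1, 21)}
GROUPS = {
    "AllVLANs": set(VLANS),                  # all 20 VLANs (name from the thread)
    "InternetOnlyVLANs": set(range(3, 21)),  # the 18 restricted ones (name from the thread)
    "UnrestrictedVLANs": {1, 2},             # assumed name for VLAN 1 and VLAN 2
}


@dataclass
class Rule:
    group: str                 # interface group the rule is attached to
    action: str                # "pass" or "block"
    src: str                   # "<Group> net" or "any"
    dst: str                   # "<Group> net", "<Group> address" or "any"
    invert_dst: bool = False   # OPNsense 'Destination / Invert'
    dport: Optional[int] = None


def _alias_matches(ip, alias):
    """Resolve an alias ('X net', 'X address', 'any') against one IP address."""
    if alias == "any":
        return True
    name, kind = alias.rsplit(" ", 1)
    vids = GROUPS[name]
    if kind == "net":
        return any(ip in VLANS[v] for v in vids)
    if kind == "address":  # the firewall's own address on each member VLAN
        return any(ip == VLANS[v][1] for v in vids)
    raise ValueError(f"unknown alias kind: {alias}")


def ingress_vlan(src_ip):
    """The inbound interface is the VLAN whose subnet holds the source address."""
    for vid, net in VLANS.items():
        if src_ip in net:
            return vid
    return None


def evaluate(rules, src, dst, dport=None):
    """First matching rule wins; anything unmatched is blocked by default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    vid = ingress_vlan(src_ip)
    for r in rules:
        if vid not in GROUPS[r.group]:
            continue                      # rule lives on another interface group
        if not _alias_matches(src_ip, r.src):
            continue
        if _alias_matches(dst_ip, r.dst) == r.invert_dst:
            continue                      # destination match XOR invert flag
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"                        # implicit default deny


# The rule set described in the answer.
RULES = [
    Rule("UnrestrictedVLANs", "pass", "UnrestrictedVLANs net", "any"),
    Rule("InternetOnlyVLANs", "pass", "InternetOnlyVLANs net", "AllVLANs net",
         invert_dst=True),
]

# Plus the extra rule the answer mentions: let the restricted VLANs reach
# OPNsense itself on the interface address, here only for DNS (port 53).
RULES_WITH_DNS = RULES + [
    Rule("InternetOnlyVLANs", "pass", "InternetOnlyVLANs net",
         "InternetOnlyVLANs address", dport=53),
]


if __name__ == "__main__":
    for label, rules in (("base", RULES), ("with DNS", RULES_WITH_DNS)):
        print(label, "VLAN5 -> Internet:", evaluate(rules, "10.0.5.10", "8.8.8.8"))
        print(label, "VLAN5 -> VLAN7:   ", evaluate(rules, "10.0.5.10", "10.0.7.10"))
        print(label, "VLAN1 -> VLAN7:   ", evaluate(rules, "10.0.1.10", "10.0.7.10"))
        print(label, "VLAN5 -> gw DNS:  ", evaluate(rules, "10.0.5.10", "10.0.5.1", 53))
```

Two points the model makes visible: the inverted rule blocks the firewall's own interface address along with every other VLAN, because that address sits inside "AllVLANs net", which is exactly why the second rule is needed; and "anything not in AllVLANs net" is broader than "the Internet", so a destination on some other private network behind the firewall would also be passed unless the group covers it or a block rule is placed ahead of it.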

Maurice,

I knew this could not be that difficult, but I did not understand what "invert the sense of the match" meant until you brought it up.

Thank you so much.