new lan not getting access to internet

Started by bloodyskullz, October 11, 2023, 04:09:40 AM

October 12, 2023, 03:39:40 AM #15 Last Edit: October 12, 2023, 08:07:58 AM by passeri
Try this instead of your current rules:

Create an ACL containing all local (RFC1918) address ranges which you do not want addressed from the LAB, assuming it is this one you want isolated (else as applicable). I'll call it no_go for the example.

Create a Pass rule for your LAB interface: direction in, source/invert unchecked, source any, dest/invert checked, dest "no_go", dest port any.
This will give access to the WAN and to anything not in your no_go ACL.
You can add a Block rule below which is source "LAB net" dest any to catch anything else.

I use this for my IoT which is allowed out to WAN and nowhere else, with nothing incoming to it. I can still access IoT devices from LAN of course.

Edited to mention Pass and Block
Deciso DEC697
+crowdsec +wireguard

Segregation is achieved via splitting up the networks, either L2 via VLANs or L3 via Networks; both of them are usually used together.

If you have split networks for LAB and LAN, assuming you have 2 L3 Interfaces, one for each specific Network. Firewalls essentially filter traffic in two directions, INbound and OUTbound. By default INbound has implicit DENY on the interface/zone; you need to create an INbound RULE on the specific Interface to ALLOW traffic you want (OUTbound is by default ALLOWed).

Currently those RULES you have in place only ALLOW traffic for ICMP towards this Firewall.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: passeri on October 12, 2023, 03:39:40 AM
Try this instead of your current rules:

Create an ACL containing all local (RFC1918) address ranges which you do not want addressed from the LAB, assuming it is this one you want isolated (else as applicable). I'll call it no_go for the example.

This confused me, I know what an ACL is but the RFC stuff made me go blank.

Quote from: passeri on October 12, 2023, 03:39:40 AM
Create a Pass rule for your LAB interface: direction in, source/invert unchecked, source any, dest/invert checked, dest "no_go", dest port any.
This will give access to the WAN and to anything not in your no_go ACL.
You can add a Block rule below which is source "LAB net" dest any to catch anything else.

I use this for my IoT which is allowed out to WAN and nowhere else, with nothing incoming to it. I can still access IoT devices from LAN of course.

Edited to mention Pass and Block

Currently I only have LAB and LAN, so the ultimate goal is LAB = internet access and nothing else in LAN.

LAN = Access everything else.

By your suggestion of the rules, I could substitute no_go for LAN net (hoping I understood all that correctly).

Sorry  :)

RFC1918 is short for these addresses to enter in your no_go ACL: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
It is discussed under "Private network" on Wikipedia.

Remember to invert that ACL destination. Source is any, IN to the Lab address.
Deciso DEC697
+crowdsec +wireguard
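As an added illustration (not code from the thread, and not OPNsense's own code), the following Python model reproduces the first-match semantics of the LAB interface rules passeri describes: a Pass rule with source any and an inverted "no_go" destination, a Block rule for "LAB net" below it, and the implicit deny S. mentions when nothing matches. The LAB and LAN subnets and the sample flows are constructed for the example; the RFC1918 ranges are the ones listed above. Running it with and without the dest/invert checkbox shows why passeri's reminder to invert matters.

```python
"""Model of the LAB rule set from the thread (added example, not OPNsense code).

It reproduces only first-match rule evaluation with an optional inverted
destination alias, so the effect of the dest/invert checkbox can be seen offline.
"""
from ipaddress import ip_address, ip_network

# The no_go alias: the RFC1918 ranges passeri lists.
NO_GO = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical addressing for the example (constructed, not from the thread).
LAB_NET = ip_network("192.168.50.0/24")
LAN_NET = ip_network("192.168.1.0/24")


def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    a = ip_address(addr)
    return any(a in net for net in alias)


def build_rules(invert_dest):
    """Ordered 'in' rules on the LAB interface; invert_dest models the dest/invert box."""
    return [
        # Pass rule: source any, destination "no_go" (inverted when the box is ticked), any port.
        {"action": "pass", "src": None, "dst": NO_GO, "dst_invert": invert_dest},
        # Block rule below it: source "LAB net", destination any.
        {"action": "block", "src": [LAB_NET], "dst": None, "dst_invert": False},
    ]


def evaluate(rules, src, dst):
    """First matching rule wins; no match falls through to the interface's implicit deny."""
    for rule in rules:
        if rule["src"] is not None and not in_alias(src, rule["src"]):
            continue
        if rule["dst"] is not None:
            hit = in_alias(dst, rule["dst"])
            if rule["dst_invert"]:
                hit = not hit  # "not in no_go" when the destination is inverted
            if not hit:
                continue
        return rule["action"]
    return "block (implicit deny)"


# Constructed sample flows originating from a LAB host.
FLOWS = {
    "LAB -> internet": ("192.168.50.10", "203.0.113.5"),
    "LAB -> LAN host": ("192.168.50.10", "192.168.1.20"),
    "LAB -> other private": ("192.168.50.10", "10.10.10.10"),
    "LAB -> firewall LAB address": ("192.168.50.10", "192.168.50.1"),
}


def outcomes(invert_dest):
    """Verdict per sample flow for a given state of the dest/invert checkbox."""
    rules = build_rules(invert_dest)
    return {name: evaluate(rules, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"dest/invert = {flag}")
        for name, verdict in outcomes(flag).items():
            print(f"  {name:28} {verdict}")
```

With the invert box ticked, LAB reaches the internet and is blocked from LAN and every other private range; with it unticked the result is exactly reversed (LAN reachable, internet blocked). The last sample flow also shows that the firewall's own LAB-side address sits inside no_go, so a LAB client that uses the firewall as its DNS resolver would need a separate Pass rule above the inverted one.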