Author Topic: VLAN access to internet and not to LAN (Read 2081 times)

cambrbr · « **on:** November 06, 2023, 01:51:36 pm »

Hi,
I have created a new VLAN (10). That VLAN needs access to internet, and certain LAN services.

DHCP is working fine, and I have added port 53 for access to Unbound DNS on the firewall. However, when I want to allow HTTP to internet, it does not work. The destination "WAN net" does not work. When I allow * as destination, it does work, but that also allows access to LAN resources using HTTP, which is something I don't want.

What am I doing wrong ?

Patrick M. Hausen · « **Reply #1 on:** November 06, 2023, 01:59:31 pm »

"WAN net" is the network directly connected to your WAN interface. "The Internet" is "*".

To achieve what you need keep in mind that firewall rules are evaluated in order. So on your VLAN interface create these rules:

action: permit
source: any or VLAN net
destination: those certain LAN services (use e.g. a group alias)

Possibly more rules like the above depending on the granularity and the combinations of hosts and services

Then:

action: deny
source: any
destination: LAN net

Then:

action: permit
source: any
destination: *

HTH,
Patrick

cambrbr · « **Reply #2 on:** November 06, 2023, 02:05:16 pm »

as I'm new to OPNsense, the fact that "*" is the internet is imho a bit confusing, as putting "*" as destination also allows access to LAN.

but this does help a lot. thanks Patrick

br,
Bram

Author Topic: VLAN access to internet and not to LAN (Read 2081 times)

cambrbr

VLAN access to internet and not to LAN

Patrick M. Hausen

Re: VLAN access to internet and not to LAN

cambrbr

Re: VLAN access to internet and not to LAN