VLAN access to internet and not to LAN

Started by cambrbr, November 06, 2023, 01:51:36 PM

Hi,
I have created a new VLAN (10). That VLAN needs access to internet, and certain LAN services.

DHCP is working fine, and I have added port 53 for access to Unbound DNS on the firewall. However, when I want to allow HTTP to the internet, it does not work. The destination "WAN net" does not work. When I allow * as destination, it does work, but that also allows access to LAN resources using HTTP, which is something I don't want.

What am I doing wrong?


November 06, 2023, 01:59:31 PM #1 Last Edit: November 06, 2023, 02:21:16 PM by Patrick M. Hausen
"WAN net" is the network directly connected to your WAN interface. "The Internet" is "*".

To achieve what you need, keep in mind that firewall rules are evaluated in order. So on your VLAN interface create these rules:

action: permit
source: any or VLAN net
destination: those certain LAN services (use e.g. a group alias)

Possibly more rules like the above depending on the granularity and the combinations of hosts and services

Then:

action: deny
source: any
destination: LAN net

Then:

action: permit
source: any
destination: *


HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
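To make the ordering point concrete, here is an added example (not from the thread, and not OPNsense code): a small first-match evaluator that models the three rules above. The networks, the "group alias" of LAN services and the test addresses are constructed assumptions.

```python
# Added example: first-match evaluation of the rule order Patrick describes.
# Networks, hosts and ports below are constructed for illustration only.
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed networks (assumptions, not from the thread).
VLAN_NET = ipaddress.ip_network("192.168.10.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# Constructed "group alias" of the LAN services the VLAN may reach: (host, port).
LAN_SERVICES = {("192.168.1.10", 443), ("192.168.1.1", 53)}


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    description: str
    match: Callable[[ipaddress.IPv4Address, int], bool]  # (dst, port) -> bool


# The rules live on the VLAN interface, so the source is implicitly VLAN net;
# only destination and port decide the match here.
def selected_lan_service(dst, port):
    return (str(dst), port) in LAN_SERVICES


def lan_net(dst, port):
    return dst in LAN_NET


def anywhere(dst, port):
    return True


# Order matters: the firewall walks the list top to bottom, first match wins.
RULES = [
    Rule("permit", "VLAN net -> selected LAN services (group alias)", selected_lan_service),
    Rule("deny", "any -> LAN net", lan_net),
    Rule("permit", "any -> * (the internet)", anywhere),
]

# The original poster's single rule: "permit any -> *" with nothing in front of it.
SINGLE_PERMIT = [Rule("permit", "any -> *", anywhere)]


def evaluate(dst, port, rules=RULES):
    """Return (action, description) of the first matching rule,
    or the implicit default deny when nothing matches."""
    d = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.match(d, port):
            return rule.action, rule.description
    return "deny", "implicit default deny"
```

Running `evaluate("192.168.1.20", 80)` against `RULES` hits the deny rule, while the same packet against `SINGLE_PERMIT` is permitted, which is exactly the unwanted LAN access from the first post.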

As I'm new to OPNsense, the fact that "*" is the internet is IMHO a bit confusing, as putting "*" as destination also allows access to LAN.

But this does help a lot. Thanks, Patrick.

br,
Bram