Basic rule for each network

Started by xque, November 07, 2023, 11:25:27 AM

Hello Everybody,

I'm configuring a new OPNsense with around 40 VLANs, each one assigned to an interface.
To summarize, I have around 40 networks.
One of my workmates tells me that I need the following rule for each network:

Example for network vlan ID 100
Interface  VLAN_100
Protocol any
Source VLAN_100
Destination VLAN_100
GW VLAN_100_GW

Do I really need this rule to be sure that my network 100 can reach its own GW?
Or is it superfluous?

Thanks a lot for your help


That depends on what you are trying to achieve. I would first configure one VLAN and try everything I want to work (or not work), and configure the firewall rules to that extent. For example, if you want internet access for your VLANs, you need an "allow all" rule anyway, so a more specific rule is dispensable.

To save you some work, you can define firewall interface groups for your VLAN interfaces. That way, you have to create firewall rules only once for the groups.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Hello,

Completely agree with you, testing would be a good idea. Unfortunately for me, all my VLANs are physically connected on a dark fiber trunk that is connected to another city.
I have to configure everything before commissioning, with no chance of testing.

I'm pretty sure that if I create a group with all my interfaces inside and create a rule with:
Interface  Gr_VLAN
Protocol any
Source GR_VLAN
Destination GR_VLAN
GW default

all VLANs in the group will be allowed to reach each other?
This is not what I want.

I would just like to be sure that I don't need an internal rule for each VLAN that allows network members to reach the GW?

Thanks a lot
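As an added example (not from the thread or from OPNsense itself), a small Python model of first-match rule evaluation that contrasts the two approaches discussed above: the single group rule from the second post passes traffic between any two VLANs in the group, while one rule per VLAN with source and destination "VLAN_x net" only passes traffic that stays on that VLAN, which includes the firewall's own address on it (the gateway). The interface names, subnets and addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the thread): two of the ~40 VLANs.
# "VLAN_x net" is the subnet on that interface; .1 is the firewall's address
# on it, i.e. the gateway the hosts on that VLAN use.
VLAN_NETS = {"VLAN_100": ip_network("10.0.100.0/24"),
             "VLAN_200": ip_network("10.0.200.0/24")}
GROUP = "GR_VLAN"  # interface group holding every VLAN interface


def expand(name):
    """Expand an interface or group name to the interfaces and subnets it covers."""
    members = list(VLAN_NETS) if name == GROUP else [name]
    return members, [VLAN_NETS[m] for m in members]


def evaluate(rules, iface, src, dst):
    """First-match evaluation on the ingress interface, as pf does; anything no
    rule passes is blocked. A rule's gateway field only changes where passed
    traffic is routed, so it plays no part in matching."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        ifaces, _ = expand(r["interface"])
        _, src_nets = expand(r["source"])
        _, dst_nets = expand(r["destination"])
        if (iface in ifaces and any(src in n for n in src_nets)
                and any(dst in n for n in dst_nets)):
            return r["action"]
    return "block"


# The single group-wide rule from the second post.
GROUP_RULE = [{"interface": GROUP, "source": GROUP, "destination": GROUP,
               "action": "pass"}]

# One rule per VLAN, each limited to its own network (the first post's rule).
PER_VLAN_RULES = [{"interface": v, "source": v, "destination": v, "action": "pass"}
                  for v in VLAN_NETS]


def compare():
    """Return (to own gateway, to another VLAN) verdicts for both rule sets."""
    to_own_gw = ("VLAN_100", "10.0.100.50", "10.0.100.1")
    to_other_vlan = ("VLAN_100", "10.0.100.50", "10.0.200.50")
    return {
        "group": (evaluate(GROUP_RULE, *to_own_gw), evaluate(GROUP_RULE, *to_other_vlan)),
        "per_vlan": (evaluate(PER_VLAN_RULES, *to_own_gw), evaluate(PER_VLAN_RULES, *to_other_vlan)),
    }


if __name__ == "__main__":
    print(compare())  # {'group': ('pass', 'pass'), 'per_vlan': ('pass', 'block')}
```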