Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
Allow only Internet trafic
« previous
next »
Print
Pages: [
1
]
Author
Topic: Allow only Internet trafic (Read 6261 times)
RLuceac
Newbie
Posts: 6
Karma: 0
Allow only Internet trafic
«
on:
November 07, 2023, 10:14:45 pm »
Hello my friends,
I have a opnsense setup with multiple vlans, and for some of them I do not want inter Vlan comunication, only access to internet.
I created a PASS rule on vlan1 interface, allowing vlan1 net to wan net. but it does not work...
If I create an allow any to any rule I get internet access on that vlan...
Why my vlan1 net to wan net not working?
What files I can get in opnsense to post here?
Thanks
Logged
Patrick M. Hausen
Hero Member
Posts: 6812
Karma: 572
Re: Allow only Internet trafic
«
Reply #1 on:
November 07, 2023, 10:24:02 pm »
WAN net is only the directly connected network on the WAN interface.
The Internet is "any".
To prohibit a VLAN from accessing other VLANs you need a more specific deny rule in front of the general ("Internet") allow rule.
Source: VLAN X
Destination: Group of all other VLANs (for example)
Action: deny
Source: VLAN X
Destination: any
Action: allow
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
RLuceac
Newbie
Posts: 6
Karma: 0
Re: Allow only Internet trafic
«
Reply #2 on:
November 08, 2023, 02:12:32 am »
Thanks!
I create the block rules and after that the allow any..
It works...
A lot of work, but works..
Logged
clownschiff
Newbie
Posts: 15
Karma: 1
Re: Allow only Internet trafic
«
Reply #3 on:
November 08, 2023, 09:07:01 am »
We do it like this:
Create an Alias that contains all private networks as defined in RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Create a firewall rule that only allows traffic to that Alias and use the
Source/Invert
checkbox. This way you'll only allow traffic not directed to private networks
Optional: Create firewall rules to allow traffic that is directed to the firewall (i.e. DNS) and place it before the RFC1918 rule. This way you can make exceptions for traffic that should reach some of your private network destinations
Logged
lukazy
Newbie
Posts: 1
Karma: 0
Re: Allow only Internet trafic
«
Reply #4 on:
June 12, 2024, 04:21:59 pm »
I found it to work only if you use the Destination/Invert checkbox (not the source) which makes more sense.
Or am I wrong?
Logged
Patrick M. Hausen
Hero Member
Posts: 6812
Karma: 572
Re: Allow only Internet trafic
«
Reply #5 on:
June 12, 2024, 06:47:50 pm »
Destination invert is correct.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
Allow only Internet trafic