Topic: How to block Wireguard network from accessing VLAN 1 (native) where OPNsense is? (Read 1275 times)
szakes1
Newbie
Posts: 2
Karma: 0
How to block Wireguard network from accessing VLAN 1 (native) where OPNsense is?
on: November 10, 2023, 04:26:49 am
Hi!
I'm desperately trying to block a specific Wireguard interface from accessing the whole network - VLAN 1 (192.168.1.0/24) - where OPNsense and my homelab are located.
Here's my network infrastructure at the moment:
1. VLAN 1 (native): 192.168.1.0/24 - OPNsense, homelab on Proxmox with other VMs
2. VLAN 200: 192.168.2.0/24 - wired devices
3. VLAN 300: 192.168.3.0/24 - wireless devices
4. VLAN 400: 192.168.4.0/30 - NVR for cameras in an isolated DMZ VLAN
5. VLAN 500: 192.168.5.0/27 - Karol (my first name): a few devices which have access to all resources in my network
All of my inter-VLAN routing is set up using the router-on-a-stick method.
Wireless and wired devices and the NVR can't connect to each other; the firewall rules are created correctly so that they allow access to the Internet and to the 192.168.1.63/24 VM with the UniFi controller on ports 8080 and 10001 (only for wireless and wired devices). Traffic is blocked to the OPNsense web admin panel (HTTPS, port 443) and to other VLANs.
However, if I set up the Wireguard WG2 interface (WG1 is a special interface that has access to all resources) to have access to the Internet and one host, 192.168.1.98, but not to other VLANs, it still has access to VLAN 1 where OPNsense and my homelab are located. How do I successfully block all traffic to the whole VLAN 1 network?
Last Edit: November 10, 2023, 04:28:23 am by szakes1
Patrick M. Hausen
Hero Member
Posts: 6848
Karma: 575
Re: How to block Wireguard network from accessing VLAN 1 (native) where OPNsense is?
Reply #1 on: November 10, 2023, 07:10:19 am
What are your rules for the WG2 interface?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
szakes1
Newbie
Posts: 2
Karma: 0
Re: How to block Wireguard network from accessing VLAN 1 (native) where OPNsense is?
Reply #2 on: November 10, 2023, 08:47:23 pm
Hey!
Thank you for replying to my issue.
I think the issue is solved. Because I'm still new to networking and so on, I solved it only after playing with the IP address of the host I wanted to have access to. The issue was that I set the rule for passing traffic to 192.168.1.98 with a netmask of 24. I don't know why I put a 24 netmask there. Perhaps I thought that the IP address 192.168.1.98 belongs to a 24-bit netmask, so I typed it. Nonetheless, I changed it to a 32-bit netmask, so there's only one IP address available. Now I understand what went wrong. I'm leaving this thread for the future; maybe someone will have the same problem.
//EOT
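The mistake described in the thread (a "single host" pass rule written as 192.168.1.98/24 instead of 192.168.1.98/32) can be checked without touching a firewall. The following is an added example, not code from the thread or from OPNsense: a minimal first-match rule evaluator that uses the addresses and VLAN ranges from the original post. The rule order (pass to the one host, block to private ranges, pass to everything else) is an assumption about a typical WG2 interface rule set; OPNsense rule names and GUI options are not modelled.

```python
from ipaddress import ip_address, ip_network

# Private ranges that the "block to other VLANs" rule is assumed to cover.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def make_rules(host_prefixlen):
    """Build the assumed WG2 rule list, evaluated top-down, first match wins.

    strict=False mirrors what a packet filter does when it applies the mask:
    192.168.1.98/24 is treated as the network 192.168.1.0/24, so the host bits
    are silently discarded and the rule matches the whole VLAN 1.
    """
    return [
        ("pass", ip_network(f"192.168.1.98/{host_prefixlen}", strict=False)),
        ("block", "rfc1918"),              # everything else that is private
        ("pass", ip_network("0.0.0.0/0")),  # the Internet
    ]


def evaluate(rules, dst):
    """Return the action of the first rule whose destination matches dst."""
    dst = ip_address(dst)
    for action, target in rules:
        if target == "rfc1918":
            if any(dst in net for net in RFC1918):
                return action
        elif dst in target:
            return action
    return "block"  # implicit default deny, as on an OPNsense interface


def verdicts(host_prefixlen, destinations):
    """Map each destination to its verdict under a rule set with the given mask."""
    rules = make_rules(host_prefixlen)
    return {d: evaluate(rules, d) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: the firewall itself, the intended host,
    # a host on VLAN 200, and a public address.
    targets = ["192.168.1.1", "192.168.1.98", "192.168.2.5", "1.1.1.1"]
    for prefixlen in (24, 32):
        print(f"host rule written as 192.168.1.98/{prefixlen}:")
        for dst, action in verdicts(prefixlen, targets).items():
            print(f"  {dst:<14} -> {action}")
```

Running it shows that with /24 the OPNsense address 192.168.1.1 is passed by the "host" rule before the block rule is ever reached, while with /32 only 192.168.1.98 passes and the rest of VLAN 1 falls through to the block. The same check is worth doing on the OPNsense side by looking at the destination column of the generated rules after saving: a host rule should show a single address, not a network.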