How to create Airgapped VLAN (and other firewall subtleties)
Topic: How to create Airgapped VLAN (and other firewall subtleties) (Read 474 times)
bernardgut (Newbie, Posts: 3, Karma: 0)
How to create Airgapped VLAN (and other firewall subtleties)
on: March 10, 2024, 12:29:31 pm
Hello,
I just got a DEC750 and what a wonderful machine. However, when I search the internet on how to configure the firewall, I see many posts for many different versions of OPNsense with many different ways of doing the same thing. I want to therefore ask here what is the canonical way of achieving the following, in 2024 (OPNsense 24.10+ with business license):
Given a generic interface setup (WAN, LAN1, LAN2, LAN3)
1. What is the correct way of configuring an airgapped VLAN (let's call it VLAN1)?
Airgapped means:
- No devices in VLAN1 can access the outside world (WAN).
- Devices on a subset of other interfaces (LAN1, LAN2, ...) can access VLAN1.
- Devices in VLAN1 can talk to each other and get IPv4/6 DHCP assignments from the router.
2. What is the correct way of configuring an "isolated" VLAN (let's call it VLAN2)?
Isolated means:
- Devices in VLAN2 can access the outside world (WAN).
- Devices on VLAN2 cannot access any other interface.
- No other devices on another interface can access VLAN2, save for a specific subset (either a VLAN3 or specific MAC addresses, both OK).
- Devices in VLAN2 can talk to each other and get IPv4/6 DHCP assignments from the router.
Let's assume I start from the default configuration on a DEC750 with OPNsense 24.10+ (some rules such as "let out anything from firewall host itself" are already present and cannot be deleted (?) on all interfaces). What is the correct procedure to achieve 1. and 2.?
Thanks
B.
Last Edit: March 10, 2024, 12:31:58 pm by bernardgut
Saarbremer (Sr. Member, Posts: 353, Karma: 14)
Re: How to create Airgapped VLAN (and other firewall subtleties)
Reply #1 on: March 10, 2024, 03:04:47 pm
Configure interfaces for every VLAN; by default no VLAN can access anything other than DHCP, DNS, RA.
Enable in rules for every interface to allow what you want to allow (pass). Use aliases for your networks to keep maintenance low (an alias can have both address types, IPv6 and IPv4).
Traffic within a VLAN is always enabled.
Internet access can be obtained by a pass rule to all non-private/local addresses. That is, traffic with target NOT RFC 1918 and your IPv6 prefix.
CJ (Hero Member, Posts: 832, Karma: 30)
Re: How to create Airgapped VLAN (and other firewall subtleties)
Reply #2 on: March 10, 2024, 03:24:34 pm
OPNsense does not allow DNS by default. You have to add a rule to allow it.
When making VLANs, don't put tagged and untagged traffic on the same NIC. The easiest setup is to have WAN, LAN, and a third NIC for all of your VLANs only.
If you have enough ports, you can do all of this without VLANs.
Have Answer, Will Blog
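The two policies from the question, built the way the replies describe (per-interface pass rules with an implicit default deny, a mixed IPv4/IPv6 alias for private networks, explicit DNS/DHCP to the router, internet reached via "NOT private" destinations), as an added Python model that is not OPNsense code or any poster's configuration. The subnets, the 2001:db8::/48 stand-in for "your IPv6 prefix" and VLAN3 as the subset allowed into VLAN2 are assumptions.

```python
import ipaddress

# Constructed addressing for the interfaces named in the question (assumption).
NETS = {
    "LAN1": "192.168.1.0/24", "LAN2": "192.168.2.0/24", "LAN3": "192.168.3.0/24",
    "VLAN1": "10.10.1.0/24", "VLAN2": "10.10.2.0/24", "VLAN3": "10.10.3.0/24",
}
# Alias "PrivateNets": RFC 1918, ULA and the site's own IPv6 prefix (2001:db8::/48
# is a documentation placeholder). One alias can mix IPv4 and IPv6 entries.
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "fc00::/7", "2001:db8::/48"]
GATEWAY = {i: str(ipaddress.ip_network(n)[1]) for i, n in NETS.items()}  # router IP
ROUTER_PORTS = {53, 67}  # DNS and DHCP served by the router; DNS is not open by default

def _in(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)  # version mismatch -> False

def to_router(iface):  # pass only to this interface's own router address
    return lambda dst, port: dst == GATEWAY[iface] and port in ROUTER_PORTS

def to_net(name):  # pass to one named subnet
    return lambda dst, port: _in(dst, [NETS[name]])

def to_internet(dst, port):  # destination NOT in the PrivateNets alias
    return not _in(dst, PRIVATE_NETS)

# Per-ingress-interface rules, evaluated first match wins; no match means block.
RULES = {
    "VLAN1": [("pass", to_router("VLAN1"))],                     # 1. airgapped
    "VLAN2": [("pass", to_router("VLAN2")), ("pass", to_internet)],  # 2. isolated
    "LAN1": [("pass", to_net("VLAN1")), ("pass", to_internet)],  # may reach VLAN1
    "LAN2": [("pass", to_net("VLAN1")), ("pass", to_internet)],
    "LAN3": [("pass", to_internet)],                             # internet only
    "VLAN3": [("pass", to_net("VLAN2")), ("pass", to_internet)], # subset allowed into VLAN2
}

def allowed(iface, dst, dport):
    """Is a new flow from interface `iface` to dst:dport passed by the policy?"""
    if dst != GATEWAY[iface] and _in(dst, [NETS[iface]]):
        return True  # same subnet: switched locally, never reaches the firewall
    for action, match in RULES[iface]:
        if match(dst, dport):
            return action == "pass"
    return False  # implicit default deny
```

Every other direction (VLAN1 to WAN, VLAN2 to any LAN, LAN3 into VLAN2) falls through to the default deny, which is the check worth repeating after each GUI change.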