How to create Airgapped VLAN (and other firewall subtleties)

Started by bernardgut, March 10, 2024, 12:29:31 PM

Hello

I just got a DEC750 and what a wonderful machine. However, when I search the internet on how to configure the firewall, I see many posts for many different versions of Opnsense with many different ways of doing the same thing. I therefore want to ask here what the canonical way is of achieving the following, in 2024 (Opnsense 24.10+ with business license):

Given a generic interface setup (WAN, LAN1, LAN2, LAN3)

1. What is the correct way of configuring an airgapped VLAN (let's call it VLAN1)?
Airgapped means:
- No devices in VLAN1 can access the outside world (WAN).
- Devices on a subset of other interfaces (LAN1,LAN2,..) can access the VLAN1.
- Devices in VLAN1 can talk to each other and get IPv4/6 DHCP assignments from router.

2. What is the correct way of configuring an "isolated" VLAN (let's call it VLAN2)?
Isolated means:
- Devices in VLAN2 can access the outside world (WAN)
- Devices on VLAN2 cannot access any other interface
- No other devices on another interface can access VLAN2, save for a specific subset (Either a VLAN3 or Specific MAC addresses, both ok)
- Devices in VLAN2 can talk to each other and get IPv4/6 DHCP assignments from router.

Let's assume I start from the default configuration on a DEC750 with Opnsense 24.10+ (some rules such as "let out anything from firewall host itself" already present and cannot be deleted (?) on all interfaces). What is the correct procedure to achieve 1. and 2. ?

Thanks
B.

Configure interfaces for every VLAN.

By default no VLAN can access anything other than DHCP, DNS, RA.

Enable in rules for every interface to allow what you want to allow (pass). Use an alias for your networks to keep maintenance low (an alias can have both address types, IPv6 and IPv4).

Traffic within a VLAN is always enabled.

Internet access can be obtained by a pass rule to all non-private/local addresses. That is, traffic with a target that is NOT RFC1918 and NOT your IPv6 prefix.
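Added example (not code from the thread or from OPNsense): a small first-match model of the per-interface rule sets the reply above describes, evaluated over constructed sample flows so the pass/block outcome of each requirement in the question can be checked. Interface names, alias names, the documentation/private address ranges and the sample flows are all assumptions made for the example; DNS to the router is written as an explicit rule, as the next reply recommends, and DHCP/RA are left out.

```python
"""First-match model of per-interface OPNsense-style rules with aliases.

Constructed example: interface nets, aliases and flows are made up for
illustration; they are not from the forum thread or from OPNsense itself.
"""
import ipaddress
from dataclasses import dataclass

def net(s):
    return ipaddress.ip_network(s)

# Interface -> its networks. Mixed v4/v6 lists, as the reply suggests for aliases.
IFACE_NETS = {
    "LAN1":  [net("10.1.0.0/24"),  net("2001:db8:1::/64")],
    "VLAN1": [net("10.10.0.0/24"), net("2001:db8:10::/64")],   # airgapped
    "VLAN2": [net("10.20.0.0/24"), net("2001:db8:20::/64")],   # isolated
    "VLAN3": [net("10.30.0.0/24"), net("2001:db8:30::/64")],   # may reach VLAN2
}
# The firewall's own address on each interface (first host of each net).
FW_ADDRS = [n[1] for nets in IFACE_NETS.values() for n in nets]

ALIASES = {name + "_net": nets for name, nets in IFACE_NETS.items()}
ALIASES["This_firewall"] = [net(str(a)) for a in FW_ADDRS]
# "NOT RFC1918 and NOT your IPv6 prefix": everything to exclude from "internet".
ALIASES["Private_nets"] = [net("10.0.0.0/8"), net("172.16.0.0/12"),
                           net("192.168.0.0/16"), net("2001:db8::/32")]

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: str                         # alias name
    dst: str                         # alias name
    dst_invert: bool = False         # the "destination / invert" checkbox
    dports: frozenset = frozenset()  # empty = any port

# Rules are evaluated on the interface where the packet enters, first match wins.
RULES = {
    # LAN1 may initiate into the airgapped VLAN and may reach the internet.
    "LAN1":  [Rule("pass", "LAN1_net", "VLAN1_net"),
              Rule("pass", "LAN1_net", "Private_nets", dst_invert=True)],
    # Airgapped: only DNS to the router. Replies to LAN1 ride on the state
    # created by LAN1's pass rule, so no rule is needed here for them.
    "VLAN1": [Rule("pass", "VLAN1_net", "This_firewall", dports=frozenset({53}))],
    # Isolated: DNS to the router plus anything that is not a private address.
    "VLAN2": [Rule("pass", "VLAN2_net", "This_firewall", dports=frozenset({53})),
              Rule("pass", "VLAN2_net", "Private_nets", dst_invert=True)],
    # The permitted subset that may initiate into VLAN2.
    "VLAN3": [Rule("pass", "VLAN3_net", "VLAN2_net")],
}

def in_alias(addr, alias):
    # `addr in network` is False across address families, so mixed aliases are safe.
    return any(addr in n for n in ALIASES[alias])

def ingress_iface(src):
    for name, nets in IFACE_NETS.items():
        if any(src in n for n in nets):
            return name
    raise ValueError(f"{src} is not on a known interface")

def evaluate(src, dst, dport):
    """Return 'pass', 'block' or 'local' for a new flow src -> dst:dport."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_iface(src)
    # Hosts in one VLAN talk over the switch; the firewall never filters that
    # (unless the destination is the firewall's own interface address).
    if dst not in FW_ADDRS and any(dst in n for n in IFACE_NETS[iface]):
        return "local"
    for r in RULES.get(iface, []):
        if not in_alias(src, r.src):
            continue
        dst_match = in_alias(dst, r.dst)
        if r.dst_invert:
            dst_match = not dst_match
        if not dst_match or (r.dports and dport not in r.dports):
            continue
        return r.action
    return "block"  # implicit default deny on every interface

# Constructed flows covering the requirements in the question.
FLOWS = [
    ("10.10.0.50", "10.10.0.1", 53),           # VLAN1 -> router DNS
    ("10.10.0.50", "203.0.113.9", 443),        # VLAN1 -> internet
    ("10.10.0.50", "10.1.0.20", 22),           # VLAN1 initiating into LAN1
    ("10.1.0.20", "10.10.0.50", 22),           # LAN1 -> VLAN1
    ("10.20.0.7", "203.0.113.9", 443),         # VLAN2 -> internet
    ("10.20.0.7", "10.1.0.20", 445),           # VLAN2 -> LAN1
    ("2001:db8:20::7", "2001:db8:1::20", 445), # same on IPv6 (own prefix)
    ("2001:db8:20::7", "2001:4860:4860::8888", 443),  # VLAN2 -> public v6
    ("10.30.0.3", "10.20.0.7", 22),            # VLAN3 -> VLAN2
    ("10.1.0.20", "10.20.0.7", 22),            # LAN1 -> VLAN2
    ("10.10.0.50", "10.10.0.51", 22),          # inside VLAN1
]

def run_all():
    return {f: evaluate(*f) for f in FLOWS}

if __name__ == "__main__":
    for flow, verdict in run_all().items():
        print(f"{flow[0]:>18} -> {flow[1]:<22} :{flow[2]:<5} {verdict}")
```

The inverted Private_nets destination is what makes VLAN2 "isolated" without a separate block rule per internal network: any RFC1918 or own-prefix destination simply fails to match the internet rule and falls through to the default deny. The same property means LAN1 needs its own explicit pass rule for each internal network it should reach.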

OPNsense does not allow DNS by default. You have to add a rule to allow it.

When making VLANs, don't put tagged and untagged traffic on the same NIC. The easiest setup is to have WAN, LAN, and a third NIC for all of your VLANs only.

If you have enough ports, you can do all of this without VLANs.