How can I block access to all VLANs with 1 or 2 firewall rules?

Started by Spiky_Gladiator, August 24, 2024, 11:31:23 AM

Hi,

I have quite a lot of VLANs in my setup and am starting to have difficulty managing firewall rules to block each VLAN individually, one by one, using the block option. To make things easier to manage, I created a Network Group Alias and selected all of my VLANs in it, then used that alias in the block rule to block access to all the VLANs. That seems to work great, except that I can't exclude the VLAN the rule runs on, so what ended up happening was that I couldn't get an IP from DHCP, as the rule was blocking the VLAN currently in use. I tried using inverted rules, but as far as I know they don't exclude any VLANs from the alias list.

Is there any way to block access to all of the VLANs I created, excluding the one the rule resides on, using 1 or at most 2 firewall rules?

Thanks


You already opened this exact thread a couple of days ago, right?

https://forum.opnsense.org/index.php?topic=42278.msg208676#msg208676

I could have sworn I answered your last question but my post seems nowhere to be found. DHCP is taken care of by automatic rules. It cannot be blocked by anything you configure in the UI.

See:
root@opnsense:~ # pfctl -s all | grep bootp
pass in quick on vlan07 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "e21ba82e2787507de82efd16e930703c"
pass in quick on vlan07 proto udp from any port = bootpc to (self) port = bootps keep state label "55d713eb0d0abdc53fd028019175cd04"
pass out quick on vlan07 proto udp from (self) port = bootps to any port = bootpc keep state label "398a032de2b9975e894f335916afb87e"
pass in quick on vlan01 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "1df7b65b293bf138df10f236a7889eee"
pass in quick on vlan01 proto udp from any port = bootpc to (self) port = bootps keep state label "385edc3329288e020aa9bbe9f9914de5"
pass out quick on vlan01 proto udp from (self) port = bootps to any port = bootpc keep state label "58ca7742b2c97951641023f18e2dd59d"
pass in quick on vlan05 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "cdbcc11b796adf41fbef4eeaf8f2c60e"
pass in quick on vlan05 proto udp from any port = bootpc to (self) port = bootps keep state label "8816b0e3add9c6e0d76c49d2151bc95f"
pass out quick on vlan05 proto udp from (self) port = bootps to any port = bootpc keep state label "a026e0c2fe364a6cad34204149483f6d"
pass in quick on vlan02 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "0c17538b1b995ab50d22bba9de47b66f"
pass in quick on vlan02 proto udp from any port = bootpc to (self) port = bootps keep state label "b142ef4302cd5c25827ce9ec481441e1"
pass out quick on vlan02 proto udp from (self) port = bootps to any port = bootpc keep state label "6d6efb231238eb62b54fb2ed977cb43f"
pass in quick on vlan03 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "4db3295e7047cf30b38a8bd19b6afce9"
pass in quick on vlan03 proto udp from any port = bootpc to (self) port = bootps keep state label "a0895b11d5fdf07c530f097ce0e489c5"
pass out quick on vlan03 proto udp from (self) port = bootps to any port = bootpc keep state label "a5d9128a5eac4049942d7c8e415a9d48"


The rest I explained in the linked thread.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: doktornotor on August 24, 2024, 11:34:22 AM
Put a quick allow rule above the generic block one?

I was thinking about this approach, but wouldn't that mess up the Firewall \ Traffic? Usually the block rules go first, then the allow rules last.

Quote from: Patrick M. Hausen on August 24, 2024, 11:44:16 AM
You already opened this exact thread a couple of days ago, right?

https://forum.opnsense.org/index.php?topic=42278.msg208676#msg208676

I could have sworn I answered your last question but my post seems nowhere to be found. DHCP is taken care of by automatic rules. It cannot be blocked by anything you configure in the UI.

The rest I explained in the linked thread.

HTH,
Patrick

Yeah, I had the same thread open, but since there was no reply I opened this one. So, if DHCP can't be blocked by anything, how come, when I made the Network Group Alias with all the VLANs on the list and used it in the block rule, I couldn't get an IP assigned on my client device? This is a bit confusing to me.

Why do you want to work with block rules? Everything is usually blocked unless allowed. Maybe you can describe what you want to do and we can tell you what the best approach would be.
"The S in IoT stands for Security!" :)

August 25, 2024, 12:53:24 PM #5 Last Edit: August 25, 2024, 01:45:26 PM by Patrick M. Hausen
Quote from: Spiky_Gladiator on August 25, 2024, 09:42:33 AM
So, if DHCP can't be blocked by anything, how come when I did the Network Group Alias with all the VLANs on the list with the Block rule, I couldn't get IP assigned on my client device ? This seems a little bit confusing for me.

I don't know. I would use tcpdump to investigate. I have the rules in place exactly as I showed to you and DHCP works just fine.

Now that I think of it, yes, network group aliases do come before individual interfaces, so it is quite probable you did block DHCP. Best show the details of your block rules.

My "!Net4/6_Local" rules do work, because DHCP requests are not directed at the local network but at the broadcast address 255.255.255.255, which is not caught and blocked by that inverted destination.

@Gauss23 they want to block VLANs from talking to each other but allow general Internet access. This is a common requirement.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

To accomplish this I don't need a block rule, do I?
On every VLAN interface I would have a rule to allow access to non-private addresses via the destination invert option. Did I miss something? I rarely had the need for a block rule.
Or do you work with floating rules to avoid having rules on every interface?
"The S in IoT stands for Security!" :)

Quote from: Gauss23 on August 25, 2024, 01:40:45 PM
To accomplish this I don't need a block rule, do I?
On every VLAN interface I would have a rule to allow access to non-private addresses via the destination invert option. Did I miss something? I rarely had the need for a block rule.
Or do you work with floating rules to avoid having rules on every interface?
You did not miss anything. But destination invert is equivalent to "block destination", followed by "allow everything else", so essentially I would count that as a block rule.

I work with interface groups as can be seen from my screenshot here:

https://forum.opnsense.org/index.php?topic=42278.msg208676#msg208676
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
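Two claims in this thread are easy to check without touching a live firewall: that a DHCP discover to 255.255.255.255 is not a member of any local-network alias (Patrick's "!Net4/6_Local" point), and that a single pass rule with an inverted destination decides the same as "block to alias, then pass everything else". The following Python model of first-match ("quick") rule evaluation on one VLAN interface is an added example for this page; it is not OPNsense code and not something any of the posters wrote. The VLAN networks, the firewall's own address, and the sample packets are constructed, and the two "auto bootps" rules merely mirror the shape of the `pfctl -s all | grep bootp` lines quoted above.

```python
"""Model of first-match ("quick") rule evaluation on one OPNsense VLAN interface.

Constructed example, not OPNsense code. Addresses below are made up.
Checks two claims from the thread:
  1. A DHCP broadcast to 255.255.255.255 is outside any local-network alias,
     so an inverted-destination pass rule lets it through.
  2. "pass to !ALIAS" decides the same as "block to ALIAS" + "pass any".
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

IPv4 = ipaddress.IPv4Address

# Constructed members of the "Network Group Alias" holding all VLAN networks.
VLAN_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")
)
# Assumed firewall address on the VLAN the rules are evaluated on (pf's "(self)").
FW_SELF = ipaddress.ip_network("192.168.10.1/32")
DHCP_BROADCAST = ipaddress.ip_network("255.255.255.255/32")


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: IPv4
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    label: str
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any destination port
    dst_nets: tuple = ()             # alias members; empty = any destination
    dst_invert: bool = False         # the UI's "Destination / Invert" checkbox


def dst_in_alias(dst: IPv4, nets) -> bool:
    return any(dst in n for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst_nets:
        hit = dst_in_alias(pkt.dst, rule.dst_nets)
        return (not hit) if rule.dst_invert else hit
    return True


def evaluate(ruleset, pkt: Packet) -> tuple:
    """First matching rule wins (UI rules are 'quick'); nothing matched = default deny."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


# Stand-ins for the automatic rules OPNsense installs ahead of user rules
# (shape of 'pass in quick ... to 255.255.255.255 port = bootps' and '... to (self)').
AUTO_DHCP = (
    Rule("pass", "auto bootps broadcast", proto="udp", dport=67, dst_nets=(DHCP_BROADCAST,)),
    Rule("pass", "auto bootps self", proto="udp", dport=67, dst_nets=(FW_SELF,)),
)

# Design 1: explicit block of the alias, then a catch-all pass.
BLOCK_THEN_ALLOW = AUTO_DHCP + (
    Rule("block", "block to VLAN_Nets", dst_nets=VLAN_NETS),
    Rule("pass", "allow everything else"),
)
# Design 2: one pass rule with the destination inverted.
INVERT_ONLY = AUTO_DHCP + (
    Rule("pass", "pass to !VLAN_Nets", dst_nets=VLAN_NETS, dst_invert=True),
)

# Constructed traffic seen inbound on the vlan10 interface.
SAMPLE_PACKETS = {
    "dhcp discover": Packet("udp", ipaddress.ip_address("255.255.255.255"), 67),
    "dhcp unicast renew": Packet("udp", ipaddress.ip_address("192.168.10.1"), 67),
    "cross-VLAN https": Packet("tcp", ipaddress.ip_address("192.168.20.5"), 443),
    "internet https": Packet("tcp", ipaddress.ip_address("198.51.100.10"), 443),
}


def decisions(ruleset) -> dict:
    return {name: evaluate(ruleset, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


def designs_agree() -> bool:
    """Claim 2: both designs give identical verdicts on every sample packet."""
    return decisions(BLOCK_THEN_ALLOW) == decisions(INVERT_ONLY)


def user_rules_only(ruleset):
    """Drop the automatic rules to see what the user rules alone would decide."""
    return ruleset[len(AUTO_DHCP):]


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        a, b = evaluate(BLOCK_THEN_ALLOW, pkt), evaluate(INVERT_ONLY, pkt)
        print(f"{name:20} block+allow: {a[0]:5} ({a[1]})   invert: {b[0]:5} ({b[1]})")
    print("broadcast inside VLAN alias?", dst_in_alias(SAMPLE_PACKETS["dhcp discover"].dst, VLAN_NETS))
    print("designs agree?", designs_agree())
```

Running it prints a pass for both DHCP packets, a block for the cross-VLAN connection and a pass for the Internet destination under both designs, confirming the equivalence Patrick describes. Stripping the automatic rules shows why the inverted rule alone never interferes with DHCP discovery: the broadcast address is not inside the alias, so the inverted match succeeds and the packet passes. The model deliberately does not attempt to reproduce the original poster's failure, since the thread leaves its cause open (the suggestion is that interface-group rules are evaluated before per-interface rules, which is a matter of rule ordering on the real box that this model does not encode).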