Just trying to block a port [SOLVED]

Started by nocturno, October 04, 2024, 09:43:16 PM

October 04, 2024, 09:43:16 PM Last Edit: October 05, 2024, 05:43:39 PM by nocturno
Hi, I have an iotnetwork VLAN. I added my NAS to this VLAN just so I can make backups to Home Assistant, but on this NAS I'm running Docker with other services, for example Portainer, which runs on port 9443. I've tried every single way to block it but it doesn't work. Here are my firewall rules. I already tried different orders but nothing.


IMO, there's missing context here. iotnetwork is 10.1.20.0/24?
And 10.1.20.3 is your NAS?
Are you trying to prevent random clients in the VLAN from accessing a server in the same VLAN?

Because that's not going to work. Your switches alone are going to handle that traffic. Such traffic is not going to reach the router, thus can't be blocked there.

Yes, that's exactly what I'm trying to do: client 10.1.20.x must not be able to access 10.1.20.3:9443. Do you know where I can block it? Thank you

Next time please put your pictures on this forum instead of external sites. Many people here can't/won't click on them. That way you get quick help.
> Do you know where I can block it? Thank you
Not in OPN. It doesn't see that traffic, so it can't do anything about it.
That leaves you with only the application or OS on the source or destination to work with.
OS-level firewall or application allow/blocks, that sort of thing.

I'm trying a different approach: remove the NAS from the iotnetwork VLAN. That way it needs to go through OPNsense, and in OPNsense open the Portainer port using the source iotnetwork (10.1.20.5) to the management network (10.1.1.3). I'm not sure if it's the best way but I will try it. Thank you

Yep, traffic going from one network to another will go through the router. Then you can apply a rule.

@nocturno, you probably want to step back and think about how you want to use VLAN isolation with regard to your clients and servers.
Putting them in different VLANs makes things easier for isolation but more difficult for discovery.
For example, it appears that some folks have HA running in a separate VLAN (not IoT).
It could be easier to deal with the HA/NAS setup across VLANs though.

Even if you'd kept everything in IoT (your original setup), as cookiemonster said, a simple FW rule on your NAS could have accomplished the task.
Some managed networking stacks (e.g. TP-Link Omada and likely Ubiquiti UniFi) also allow that level of control at the switch level.
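For the host-level rule that cookiemonster and the reply above point to, here is an added example (not from the thread, OPNsense, or Portainer): an nftables ruleset for the NAS itself that lets one Home Assistant host reach Portainer on TCP 9443 and drops the rest of the 10.1.20.0/24 VLAN for that port. It assumes the NAS runs Linux with nftables and that Home Assistant is 10.1.20.5, an address the thread only mentions as an iotnetwork source; the function and variable names are this example's own.

```shell
#!/bin/sh
# Host firewall on the NAS: OPNsense never sees traffic that stays inside
# the 10.1.20.0/24 VLAN, so the block has to live on the NAS.
# From the thread: NAS 10.1.20.3, Portainer on TCP 9443.
# ASSUMPTION: Home Assistant is 10.1.20.5; change HA_IP to your setup.
NAS_IP="10.1.20.3"
HA_IP="10.1.20.5"
IOT_NET="10.1.20.0/24"
PORTAINER_PORT="9443"

# Writes an nftables ruleset to the file named in $1.
# Rule order matters: the HA allow must come before the subnet-wide drop.
# policy accept keeps every other service on the NAS reachable as before.
write_portainer_ruleset() {
  cat > "$1" <<EOF
table inet nas_filter {
  chain input {
    type filter hook input priority 0; policy accept;
    # keep already-established flows and loopback traffic working
    ct state established,related accept
    iifname "lo" accept
    # only Home Assistant may open Portainer on this host
    ip saddr $HA_IP ip daddr $NAS_IP tcp dport $PORTAINER_PORT accept
    # every other IoT VLAN client is logged and dropped for this port
    ip saddr $IOT_NET ip daddr $NAS_IP tcp dport $PORTAINER_PORT log prefix "portainer-drop " drop
  }
}
EOF
}

# Returns 0 when the allow rule precedes the drop rule in the written file,
# i.e. the ruleset will not drop the Home Assistant backup traffic by mistake.
check_rule_order() {
  allow_line=$(grep -n "saddr $HA_IP .*dport $PORTAINER_PORT accept" "$1" | cut -d: -f1)
  drop_line=$(grep -n "saddr $IOT_NET .*dport $PORTAINER_PORT .*drop" "$1" | cut -d: -f1)
  [ -n "$allow_line" ] && [ -n "$drop_line" ] && [ "$allow_line" -lt "$drop_line" ]
}

# Usage on the NAS (as root):
#   write_portainer_ruleset /etc/nftables.d/nas.nft
#   nft -c -f /etc/nftables.d/nas.nft   # syntax check only
#   nft -f /etc/nftables.d/nas.nft      # load it
```

Dropped attempts show up in the kernel log with the `portainer-drop` prefix, which is a quick way to confirm other IoT clients are actually being stopped.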