If you allow WIFI to access 192.168.1.1 (even if implicitly by allowing all) it will be able to access 192.168.1.1 just fine. That's one of the reasons why this only-bind-to-interfaces-is-more-secure is a myth. The firewall does the job if set up right. Nothing else will.

Cheers,
Franco
If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)
OPNsense gives you the preset alias "This firewall" to block access to the GUI on all its IPs and similar purposes. You can use it in floating rules or in interface group rules to cover all sources with only a single rule.
Quote from: chemlud on November 22, 2024, 03:21:37 pm
If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)

Well... I have a lot of different subnets. And for some clients the traffic is surely allowed to reach the LAN, depending on the use case of the VLAN/subnet. But I was still surprised that it's just routed. Like already mentioned, this is an OPNsense design then. Because with any enterprise FW you do not have this behavior. For a good reason.

But maybe an additional help text would be good to make this clear. "Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care." This is definitely not that clear. At least not to me. Because the initial connection was not coming from the LAN interface ingress. If you know this behavior, sure, it's clear then.
If you allow HTTPS to any, I see no good reason why this should not include any random LAN/VLAN in your setup. It might be "surprising", but it's absolutely covered by the general rules of logic ;-)
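The behaviour argued over in this thread, as an added example that is not from the thread or from OPNsense itself: a small first-match model of an interface rule set. All addresses are constructed; "This firewall" is modelled as the set of the firewall's own interface IPs. It shows that "allow HTTPS to any" from a WIFI net already reaches the GUI on the LAN-side address 192.168.1.1, and that an explicit block against "This firewall" placed before the allow is what stops it, with Internet-bound HTTPS still passing.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: the firewall's own IP on each interface.
FIREWALL_ADDRS = {"LAN": "192.168.1.1", "WIFI": "192.168.20.1"}
ALIASES = {"This firewall": set(FIREWALL_ADDRS.values())}
WIFI_NET = "192.168.20.0/24"

def _match_addr(spec, addr):
    """spec is 'any', an alias name, or a CIDR."""
    if spec == "any":
        return True
    if spec in ALIASES:
        return addr in ALIASES[spec]
    return ip_address(addr) in ip_network(spec)

def decide(rules, iface, src, dst, dport):
    """Rules are (iface, action, src, dst, dport_or_None). First match on
    the ingress interface wins; nothing matching means block (default deny)."""
    for r_iface, action, r_src, r_dst, r_port in rules:
        if r_iface != iface or (r_port is not None and r_port != dport):
            continue
        if _match_addr(r_src, src) and _match_addr(r_dst, dst):
            return action
    return "block"

# "Allow HTTPS to any" from the WIFI net, and nothing else.
PERMISSIVE = [("WIFI", "pass", WIFI_NET, "any", 443)]
# The same allow, preceded by a block against every firewall address.
HARDENED = [("WIFI", "block", WIFI_NET, "This firewall", None),
            ("WIFI", "pass", WIFI_NET, "any", 443)]

def gui_from_wifi(rules):
    # WIFI client to the LAN-side GUI address 192.168.1.1:443.
    # Binding the GUI to LAN only changes nothing here: the packet is routed.
    return decide(rules, "WIFI", "192.168.20.50", "192.168.1.1", 443)

def web_from_wifi(rules):
    # WIFI client to an Internet host (TEST-NET-3 documentation address).
    return decide(rules, "WIFI", "192.168.20.50", "203.0.113.10", 443)

if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, "GUI:", gui_from_wifi(rules), "web:", web_from_wifi(rules))
```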