LAN/LAN isolation behind OPNSense

Started by tdalej, January 01, 2025, 06:45:32 PM

This is a really dumb/simple setup and I know the answer is somewhere in these forums or the docs, and I have spent several days looking ...
I can't find anything that addresses this specific question so here I go ...

I have an OPNSense device with 6 interfaces - 1 WAN, 5 LANs.
Each LAN is its own 192.168.n.0/24 subnet.
Each LAN has its own DNS overrides in Unbound, and each has an ISC DHCPv4 server configured with a single pool within its subnet and a range of static leases assigned outside the dynamic pools.

LANs are:
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
192.168.40.0/24
192.168.50.0/24

I'm not using any IPV6, VLANs or VPNs at present to keep this simple.


As I added each new subnet after initial WAN/LAN set up, I duplicated the LAN Any to Any rules to each new subnet.
On each subnet I can do fwd/rev lookups of any device on any other LAN.
It appears I have general access across all LANs (as expected) with the any-to-any rules in place.

I need to configure rules to isolate some subnets to only have access to the WAN.
Some subnets need access to the other not-isolated subnets.

For each subnet that should be blocked, firewall rules for each interface should be added above the allow-any rule that block both inbound and outbound traffic from the other subnets, correct?

For example -- if I add, on the 50.0/0 interface, block-in and block-out rules for the net addresses of the 10.0/0, 20.0/0, 30.0/0 and 40.0/0 subnets -- will that effectively block all traffic in and out from those networks, or do I need to have inbound blocked on the .50.0/0 interface and outbound to the .50.0/0 on all other interfaces?

Is there a simpler way to do this in floating rules and I'm just over-complicating this?
In addition to the any-to-any rules on the LANs -- other than the "automatically generated rules" (which vary in number for some reason on the different LANs) -- is there any other basic thing I'm missing?

I also need to restrict access to the opnsense appliance itself from the WAN and certain LANs.
Is there a setting in the GUI or is that done via firewall rules?

- create a firewall alias named e.g. "local networks" containing 192.168.10.0/24, 192.168.20.0/24 etc.
- change the "any to any" rules to "any to ! local networks" - that is, place the alias in the destination field and check "destination invert".

This way access is granted to the Internet but not to other LANs.

You might need some extra rules allowing access to "this firewall, UDP & TCP, port 53" for example, to make DNS work. But the above is essentially how it is supposed to be done with minimal extra effort.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Alias should look like this?

    {
      "alias": {
        "de9e2fdc-8240-44e6-acd2-a7d1551cc244": {
          "enabled": "1",
          "name": "Opt4_Isolation_Alias",
          "type": "network",
          "proto": "",
          "interface": "",
          "counters": "0",
          "updatefreq": "",
          "content": "__lan_network\n__opt1_network\n__opt2_network\n__opt3_network",
          "categories": "",
          "description": "Alias group to isolate the Opt4 network"
        }
      }
    }

Include OPT4 and you can use the same alias for all interfaces. Then you need an additional rule for DNS as I mentioned. Or go with your version, but then you need separate aliases for each isolated network. As you prefer.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Example: (screenshot attachment)

Don't worry about including the OPT4 subnet in the alias. All traffic within the subnet does not enter the firewall.
So you can reuse the same alias for all interfaces.

Quote from: EricPerl on January 01, 2025, 10:54:57 PM
Don't worry about including the OPT4 subnet in the alias. All traffic within the subnet does not enter the firewall.
So you can reuse the same alias for all interfaces.

Except for DNS requests (or NTP, or SMTP, ...) directed at the firewall interface address in the OPT4 subnet. You need an additional rule to allow these.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Fair, although I think it's pretty obvious that traffic destined at the firewall itself enters it. I could nonetheless have been more precise.
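The ruleset suggested in this thread, worked through as an added example (a small Python model written for this page, not OPNsense's own code): it evaluates a first-match rule list the way interface rules are evaluated, with the "local networks" alias inverted in the destination field and the extra "this firewall, port 53" rule in front of it. The firewall interface addresses 192.168.n.1, the public address 203.0.113.5 and the client addresses are assumed values.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the thread's setup (assumed addresses, not from OPNsense).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
    "192.168.40.0/24", "192.168.50.0/24")]
# Assumed: the firewall holds .1 on every LAN ("This Firewall" in OPNsense).
FIREWALL_ADDRS = {ipaddress.ip_address(f"192.168.{n}.1") for n in (10, 20, 30, 40, 50)}

# dst is "any", "this_firewall" or a list of networks; dport None = any port.
Rule = namedtuple("Rule", "action proto dst dst_invert dport")

def dst_matches(rule, dst_ip, dport):
    """Destination check including the 'destination invert' checkbox."""
    if rule.dst == "any":
        hit = True
    elif rule.dst == "this_firewall":
        hit = dst_ip in FIREWALL_ADDRS
    else:
        hit = any(dst_ip in net for net in rule.dst)
    if rule.dst_invert:
        hit = not hit
    return hit and (rule.dport is None or rule.dport == dport)

def evaluate(rules, src, dst, proto="tcp", dport=443):
    """First matching interface rule wins; no match is the implicit default deny.
    Simplified model: quick rules, state tracking and NAT are ignored."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Traffic between two hosts on the same LAN is switched and never reaches
    # the firewall, unless it is addressed to the firewall's own interface IP.
    if dst_ip not in FIREWALL_ADDRS and any(src_ip in n and dst_ip in n for n in LOCAL_NETWORKS):
        return "switched"
    for rule in rules:
        if rule.proto in ("any", proto) and dst_matches(rule, dst_ip, dport):
            return rule.action
    return "block"

# The original "LAN any to any" rule the question describes ...
ANY_TO_ANY = [Rule("pass", "any", "any", False, None)]
# ... and the suggested replacement: DNS to the firewall first, then
# "any to ! local networks" (alias in destination, invert checked).
ISOLATED = [
    Rule("pass", "udp", "this_firewall", False, 53),
    Rule("pass", "tcp", "this_firewall", False, 53),
    Rule("pass", "any", LOCAL_NETWORKS, True, None),
]
```

Note that with ISOLATED the firewall's own web GUI on 192.168.50.1:443 is no longer reachable from that LAN either, which is the behaviour the question asks for when restricting access to the appliance from certain LANs.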