Management VLAN Firewall Rules: First Custom Rule Set, a Few Questions

Started by Sinister Pisces, February 02, 2025, 09:44:13 PM

Hello,

I just set up a management VLAN; the first VLAN and firewall rules I've ever done. I'm almost there, but I could really use a sanity check.

I've included a couple of screenshots. I'd really appreciate any advice on whether these rules actually do what I think they do. Thanks!

Goals

  • Allow access to DNS and NTP for all clients on the VLAN.
  • Allow access to OPNSense web UI and SSH on custom ports for all clients on the VLAN.
  • Do not interrupt hosts on the management VLAN's ability to talk to each other via standard HTTPS/HTTP.
  • Allow access only to internet (block all other VLANs).

Questions based on screenshots:

  • Do I also need allow rules for Destination: MGMT Address for default HTTPS/HTTP/SSH ports for devices actually on the management network (the firewall has a custom port; most clients use the defaults)? Right now, it's not obvious to me how non-OPNSense hosts on the management VLAN talk to anything on the Management VLAN using default HTTP/HTTPS/SSH ports.
  • If yes, should the custom HTTPS/SSH port rules for OPNSense be set to Destination: This Firewall, or Destination: IP address of the OPNSense firewall on this VLAN?

Thanks!

Current Custom Ruleset (Not Applied Yet)
[screenshot]

In the alternative, if the above is incorrect, I think I'd need two additional rules to allow traffic on the default HTTPS and SSH ports.

It looks all correct.

Quote from: Sinister Pisces on February 02, 2025, 09:44:13 PM
  • Do I also need allow rules for Destination: MGMT Address for default HTTPS/HTTP/SSH ports for devices actually on the management network (the firewall has a custom port; most clients use the defaults)?
For accessing OPNsense? No, since you use alternative ports, you don't need to allow access to standard ports.

On the internal lan interface OPNsense adds the "anti-lockout rule" for WebGUI and SSH automatically.
So if the Management subnet is the lan in fact, manual rules are not necessary for this.

Quote
  Right now, it's not obvious to me how non-OPNSense hosts on the management VLAN talk to anything on the Management VLAN using default HTTP/HTTPS/SSH ports.
Devices within the same subnet?
Communication between them will not pass the router. So you cannot control this traffic on OPNsense and hence no rule needed.

Quote from: Sinister Pisces on February 02, 2025, 09:44:13 PM
  • If yes, should the custom HTTPS/SSH port rules for OPNSense be set to Destination:This Firewall, or Destination: IP address of the OPNSense firewall on this VLAN?
This firewall means any IP on the firewall. If using this alias you can also access the webGUI using the DMZ address for instance.
For the management subnet this will also be safe, but not necessarily needed.

Goal #3 has nothing to do with OPN. Machines on the VLAN can talk to each other directly.
This renders Q1 irrelevant.

Q2 is your choice (This Firewall = Set of Interface.Address across all interfaces).
What you have is sufficient IMO.

Unless you've set devices to query NTP on the interface GW (maybe via DHCP advanced option), the 2nd rule is probably not super useful.
Most devices will have internet-based defaults already allowed under the last rule.
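To make the two answers above concrete, here is an added first-match model of the intended MGMT-interface ruleset (example code written for this thread, not OPNsense's own logic or the poster's screenshot). Addresses, VLAN names and the custom ports 8443/2222 are constructed placeholders; it shows why same-subnet traffic never reaches the rules, why the default port 443 to the firewall is blocked, and how "This Firewall" differs from the MGMT interface address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing (placeholders, not from the thread).
FW_ADDRS = {"MGMT": "10.0.10.1", "LAN": "10.0.1.1", "DMZ": "10.0.20.1"}
MGMT_NET = ipaddress.ip_network("10.0.10.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_HTTPS, MGMT_SSH = 8443, 2222  # placeholder custom WebGUI/SSH ports

@dataclass
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp" or "any"
    dst: str      # "this_firewall", "mgmt_address", "rfc1918" or "any"
    ports: tuple  # destination ports; empty tuple = any port
    note: str

# The four goals from the first post, evaluated top-down, first match wins.
MGMT_RULES = [
    Rule("pass", "udp", "this_firewall", (53, 123), "DNS/NTP to the firewall"),
    Rule("pass", "tcp", "this_firewall", (MGMT_HTTPS, MGMT_SSH), "WebGUI/SSH custom ports"),
    Rule("block", "any", "rfc1918", (), "block all other VLANs"),
    Rule("pass", "any", "any", (), "allow internet"),
]

def with_mgmt_address(rules):
    """Same ruleset with 'This Firewall' swapped for 'MGMT address' (Q2 variant)."""
    return [Rule(r.action, r.proto, "mgmt_address" if r.dst == "this_firewall" else r.dst,
                 r.ports, r.note) for r in rules]

def dst_matches(rule, dst_ip):
    ip = ipaddress.ip_address(dst_ip)
    if rule.dst == "any":
        return True
    if rule.dst == "this_firewall":            # every interface address of the firewall
        return dst_ip in FW_ADDRS.values()
    if rule.dst == "mgmt_address":             # only the firewall's address on MGMT
        return dst_ip == FW_ADDRS["MGMT"]
    return any(ip in n for n in RFC1918)       # "rfc1918"

def evaluate(src_ip, dst_ip, proto, dport, rules=MGMT_RULES):
    """Verdict for a flow from a MGMT host; 'not-routed' means it never hits the firewall."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in MGMT_NET and dst in MGMT_NET and dst_ip != FW_ADDRS["MGMT"]:
        return "not-routed"  # host-to-host traffic in one subnet bypasses the router
    for r in rules:
        if r.proto not in ("any", proto) or (r.ports and dport not in r.ports):
            continue
        if dst_matches(r, dst_ip):
            return r.action
    return "block"  # OPNsense default deny when nothing matches
```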

Thanks! This is what I needed to know. :)

Quote
  On the internal lan interface OPNsense adds the "anti-lockout rule" for WebGUI and SSH automatically.
  So if the Management subnet is the lan in fact, manual rules are not necessary for this.

I want to disable the anti-lockout rule and block access to OPNSense on anything else (the primary LAN interface and other VLANs). Only the management VLAN should be able to access OPNSense via SSH and HTTPS, which is why I wanted to make sure I had this right first.

Quote
  Devices within the same subnet?
  Communication between them will not pass the router. So you cannot control this traffic on OPNsense and hence no rule needed.

Yes, I wanted to make sure I wasn't going to screw up traffic within the management VLAN subnet. In-subnet traffic not passing the firewall is exactly the behavior I want, and how I thought it worked. Then I got paranoid.

So that's also why I need the DNS and NTP rules, right? Because clients will touch the firewall/router for those services.

Quote from: Sinister Pisces on February 02, 2025, 10:50:11 PM
  I want to disable the anti-lockout rule and block access to OPNSense on anything else
Firewall: Settings: Advanced > Disable anti-lockout

Quote from: viragomann on February 02, 2025, 10:57:05 PM
  Quote from: Sinister Pisces on February 02, 2025, 10:50:11 PM
    I want to disable the anti-lockout rule and block access to OPNSense on anything else
  Firewall: Settings: Advanced > Disable anti-lockout

Thanks! I'm about to try this.

I think I have my firewall rules configured correctly at this point. Time to find out.

(I took a snapshot, and no one else will notice if I temporarily lock myself out.)

Hello, again.

So, I added the firewall rules to my management VLAN, and restricted the listening ports for SSH and the web GUI to the management VLAN.

No reboot.

Everything seems to be working: I have HTTPS and SSH access on the intended VLAN, and can't access it from other VLANs.

Except, I also can't access SSH or HTTPS via the primary LAN interface, even though I still haven't disabled the anti-lockout rule. What's going on there? My understanding was that the anti-lockout rule would keep the primary LAN interface available via the web and SSH in spite of my firewall rules, but that appears not to be the case.