Blocking/Allowing Inter-Interface Traffic

Started by t84a, April 12, 2025, 09:08:31 PM

I have 5 Interfaces
LAN 1 Private
LAN 2 Home
LAN 3 Cameras
PORT 4 Null
WAN 1
Wan 2

I want to block traffic from LANs 2 and 3 to the other LANs.  Is this the default?

I want to allow traffic from LAN 1 to the other LANs. I think Eric already answered this.

Thanks

Out of the box, OPNsense only allows access to any on LAN (the internal LAN). On all other interfaces you need to add pass rules to allow traffic yourself.
If you have added a pass rule to allow internet access (destination: any), this also allows access to the other subnets. Then you need to block access to the internal subnets with a block rule above it.

Remember that the firewall rules are processed from top to bottom. If one matches, it is applied and the rules below it are ignored.

Best practice to block access to all local subnets is to create an alias with all RFC 1918 network ranges included and use it in the block rule.
However, since this will also block possibly desired access to e.g. DNS or NTP on the interface IP, you need to add a pass rule for these services and put it above the block RFC 1918 rule.

With an RFC 1918 alias your block rule will still be safe if you change a subnet or add one in the future.

You don't really need block rules if you allow more carefully. Here's my default set on my TEST interface:
[attachment not available]

You don't have to include all RFC1918 networks, just the ones you use (or plan to use).
Other appropriate names for the alias are "my_networks" or "private_networks".

The first rule allows access to anything but these private networks.
The second rule is added to allow access to DNS at the gateway for that network.

More granular inter-VLAN traffic can be allowed with more rules.
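To make the ordering point from the two posts above concrete, here is an added example: my own Python model of OPNsense's rule evaluation (top to bottom, first match wins, implicit deny at the end), not OPNsense code and not something any poster in this thread provided. The addressing is made up (LAN 2 is 192.168.2.0/24 with the interface address 192.168.2.1; LAN 1 and the camera network are other 192.168.x.0/24 subnets), only destination, port and protocol are matched, and the alias and rule names are my own. It evaluates the same sample flows against the block-RFC1918-then-pass-any layout, the pass-to-!private_networks layout, and the misordered variant where "pass any" sits above the block rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Aliases. The RFC 1918 alias is the one suggested in the thread; the
# interface-address alias stands in for OPNsense's "LAN2 address" destination.
# All addressing here is constructed for the example.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
LAN2_ADDRESS = [ipaddress.ip_network("192.168.2.1/32")]


@dataclass
class Rule:
    name: str
    action: str                        # "pass" or "block"
    dst: List[ipaddress.IPv4Network]   # destination alias
    dst_invert: bool = False           # OPNsense "invert match" on the destination
    dport: Optional[int] = None        # None matches any port
    proto: Optional[str] = None        # None matches any protocol


def rule_matches(rule: Rule, dst_ip: ipaddress.IPv4Address,
                 dport: Optional[int], proto: Optional[str]) -> bool:
    """Destination/port/protocol match for one rule (source is not modelled)."""
    in_alias = any(dst_ip in net for net in rule.dst)
    if rule.dst_invert:
        in_alias = not in_alias
    if not in_alias:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return True


def evaluate(rules: List[Rule], dst: str,
             dport: Optional[int] = None,
             proto: Optional[str] = None) -> Tuple[str, str]:
    """Top to bottom, first match wins; no match means the implicit default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, dst_ip, dport, proto):
            return rule.action, rule.name
    return "block", "default deny"


# Layout 1: explicit block of private space above "pass any", with the
# DNS/NTP exceptions for the interface address placed above the block.
BLOCK_THEN_PASS = [
    Rule("pass DNS to LAN2 address", "pass", LAN2_ADDRESS, dport=53),
    Rule("pass NTP to LAN2 address", "pass", LAN2_ADDRESS, dport=123, proto="udp"),
    Rule("block RFC1918", "block", RFC1918),
    Rule("pass any", "pass", ANY),
]

# Layout 2: no block rule; pass only to destinations outside the alias,
# plus DNS to the gateway.
PASS_CAREFULLY = [
    Rule("pass to !private_networks", "pass", RFC1918, dst_invert=True),
    Rule("pass DNS to gateway", "pass", LAN2_ADDRESS, dport=53),
]

# The mistake the thread warns about: "pass any" above the block rule,
# so the block rule never sees a packet.
MISORDERED = [
    Rule("pass any", "pass", ANY),
    Rule("block RFC1918", "block", RFC1918),
]

# Constructed sample flows from a LAN 2 client: (label, dst, dport, proto)
FLOWS = [
    ("internet HTTPS", "1.1.1.1", 443, "tcp"),
    ("LAN 1 file share", "192.168.1.20", 445, "tcp"),
    ("camera RTSP on LAN 3", "192.168.3.10", 554, "tcp"),
    ("DNS at LAN 2 gateway", "192.168.2.1", 53, "udp"),
    ("SSH to firewall on LAN 2", "192.168.2.1", 22, "tcp"),
]


def decisions(rules: List[Rule]) -> dict:
    """Map each sample flow label to (action, name of the matching rule)."""
    return {label: evaluate(rules, dst, dport, proto)
            for label, dst, dport, proto in FLOWS}


if __name__ == "__main__":
    for title, rules in (("block then pass", BLOCK_THEN_PASS),
                         ("pass carefully", PASS_CAREFULLY),
                         ("misordered", MISORDERED)):
        print(f"== {title}")
        for label, (action, by) in decisions(rules).items():
            print(f"  {label:26} {action:5} ({by})")
```

Both correct layouts reach the same decisions: internet and DNS to the gateway pass, the LAN 1 and camera flows are blocked (by the explicit block rule in layout 1, by the default deny in layout 2). The misordered set passes the LAN 1 flow because "pass any" matches first. Note that in both correct layouts SSH to the firewall's own LAN 2 address is also blocked, so management access from a restricted interface needs its own pass rule above the block if you want it.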

I'm still struggling with this. I set up the Private Network rule just as posted for LAN2 and I lost Internet and my smart devices went offline. What am I missing?

Maybe a dumb question to ask, but you did not specify how you configured your interfaces: Are LAN 1-3 bridged (and if so: correctly?) or are those different/disjoint subnets (i.e. "physical" VLANs)?

If they are "VLANs", each with a different subnet, you first have to create an "allow all" rule for them, because it will only be present for the first LAN. That way, you get internet access, but also access to any other (V)LAN. On the "low privilege" VLANs, you will have to insert a block rule with a target of the RFC1918 alias preceding the "allow all" rule. This way, such a VLAN will not have access to any RFC1918 network - thus, your other VLANs.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on May 07, 2025, 04:22:12 PM
Maybe a dumb question to ask, but you did not specify how you configured your interfaces: Are LAN 1-3 bridged (and if so: correctly?) or are those different/disjoint subnets (i.e. "physical" VLANs)?

If they are "VLANs", each with a different subnet, you first have to create an "allow all" rule for them, because it will only be present for the first LAN. That way, you get internet access, but also access to any other (V)LAN. On the "low privilege" VLANs, you will have to insert a block rule with a target of the RFC1918 alias preceding the "allow all" rule. This way, such a VLAN will not have access to any RFC1918 network - thus, your other VLANs.


Fantastic question.  I did not bridge my LANs.  They are not VLANs.

I know that they are not VLANs, that is why I said "physical" VLANs. I subsume under that all (V)LAN interfaces that are set up correctly with non-overlapping RFC1918 IP ranges.

What I want to rule out is that you tried to configure all interfaces equally, like some newbies do, and then wondered why nothing works. So, if you have different subnets on your LANs like described here, you only have to do it as I explained above. If that does not work, show your interface configurations and your firewall rules.

The primary troubleshooting tool is the FW live view. Filter down to an interface or source or destination based on what you are trying to do.
Check that the live view matches your expectations.
If you have issues interpreting the displayed info, screenshot it.

Of course, the above is predicated on logging being enabled on the rules (and in FW settings for some of the default rules).

Alias content:
[attachment not available]

Quote from: meyergru on May 07, 2025, 06:35:36 PM
I know that they are not VLANs, that is why I said "physical" VLANs. I subsume under that all (V)LAN interfaces that are set up correctly with non-overlapping RFC1918 IP ranges.

What I want to rule out is that you tried to configure all interfaces equally, like some newbies do, and then wondered why nothing works. So, if you have different subnets on your LANs like described here, you only have to do it as I explained above. If that does not work, show your interface configurations and your firewall rules.

Sorry, I meant that I do not use VLANs. I originally set up all the interfaces to have this rule. I had no problems, but I don't think that I am preventing LAN2 and LAN3 from accessing LAN1 or each other.

I'll have to work on this: "Do not use 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.88.0/24, 192.168.100.0/24 or 192.168.178.0/24 for your (V)LAN subnets."

Thanks

Quote from: EricPerl on May 07, 2025, 08:03:11 PM
The primary troubleshooting tool is the FW live view. Filter down to an interface or source or destination based on what you are trying to do.
Check that the live view matches your expectations.
If you have issues interpreting the displayed info, screenshot it.

Of course, the above is predicated on logging being enabled on the rules (and in FW settings for some of the default rules).

Alias content:
[attachment not available]

Blocking a camera in my crawlspace:

That fw block may be due to state violations or because you have no outbound NAT. Judging from the varying destination ports with always the same source port, this looks like return traffic. Have you tried connecting anything else to that network and to make outbound internet connections, say, HTTP traffic?

May 07, 2025, 09:10:52 PM #11 Last Edit: May 07, 2025, 09:12:31 PM by t84a
Quote from: meyergru on May 07, 2025, 09:00:34 PM
That fw block may be due to state violations or because you have no outbound NAT. Judging from the varying destination ports with always the same source port, this looks like return traffic. Have you tried connecting anything else to that network and to make outbound internet connections, say, HTTP traffic?

When I connect using my phone. Port 3

May 07, 2025, 09:15:47 PM #12 Last Edit: May 07, 2025, 09:48:03 PM by meyergru
So it seems any outbound traffic gets blocked. Of course, the blocked traffic would not be allowed by the actual fw rule you presented, because it is for another interface. You did set up outbound NAT, and you got the part about non-overlapping RFC1918 ranges?

It sure looks like you did the NAT and firewall rules correctly, so it must be something that would be obvious, but which you did not set up.

Quote from: meyergru on May 07, 2025, 09:15:47 PM
So it seems any outbound traffic gets blocked. Of course, the blocked traffic would not be allowed by the actual fw rule you presented, because it is for another interface. You did set up outbound NAT?

May 07, 2025, 09:46:30 PM #14 Last Edit: May 07, 2025, 09:57:40 PM by meyergru
Do the clients get their IPs and netmasks plus DNS server via DHCP? Your phone being connected via WiFi does not show if it has an IP/netmask or if it can resolve DNS.