What I think is a simple question, but I can't get a simple answer to

Started by coffeecup25, July 06, 2025, 12:43:17 AM

Someone please help. This should be a simple question but, surprisingly, my searches found no concise answer.

My pc / router has a couple of empty ports. I want to add a 2nd subnet to one. It needs internet access but no contact with the main LAN. It's for IoT items, like thermostats and light bulbs. I'll plug a dedicated wireless access point into it.

I have figured out the interface assignment and the DHCP and it works fine. The Firewall is the problem. I figured how to isolate the IoT subnet from the LAN but I can't get internet access to the IoT interface. Google searches are absolutely useless for this simple question.

I gave up trial and error after an OpnSense backup was needed to fix my firewall mistakes.

Google AI is incomplete with the firewall entries and often wrong when it offers advice. Lots of videos drone on, never getting to the point, and are too vague in the early parts for me to watch to see if the end is just as pointless. Then people confuse subnets with VLANs. (I have a VLAN using a TP-LINK smart switch for isolation and discovered the switch is too unstable to depend on. Thus, the subnet approach.) I'm old enough to remember when YouTube videos were like taking a seminar, and not pointless vanity projects like today.

Can someone offer a simple cookbook recipe for this? Nobody else has, surprisingly.

Thanks in advance.

Create the interface as usual. It will have no access to anything.
Create an alias for RFC1918 addresses, call it something like "private_nets" or "rfc1918"
Create an Allow rule where source is your IoT port address and destination is private_nets with Destination/Invert ticked.

Other rules are possible. The above will give your IoT devices internet access without them having access to anything local. It is all in one rule, not separate as you seem to imply.
Deciso DEC697

Thank you. I will try it tomorrow.

Why in the world do so many people have so much trouble coming to the point? 
--------------------------
edit: I found an internet video that corresponded to your information. The RFC1918 part is not intuitive, especially since it appears to be for internet access. Now that I know what to look for and can knowingly ignore the nonsense, I have a few good references now.
--------------------------
Someone should write down the top to bottom recipe, then post it here prominently.  I'm essentially trying to build an isolated guest network. Nothing fancy.

The RFC1918 part is new. I saw the phrase along with a need for an alias somewhere in one search, but it was mixed in with a lot of other stuff.

Just a way of doing it and probably why no "ready made recipe". There are many ways, and endless options and requirements. You can garner some of this by looking at the documentation https://docs.opnsense.org/manual/firewall.html
Quote: "I'm essentially trying to build an isolated guest network. Nothing fancy."
yes but then you have a specific (as expected) setup
Quote: "My pc / router has a couple of empty ports. I want to add a 2nd subnet to one. It needs internet access but no contact with the main LAN."
So now imagine the basic setup recipe would have to cater for this requirement, but not for one with no internet access, or with access to the main LAN. Now you see this basic setup has at least 4 permutations. Then that applies only if using a spare port on the firewall.

Back to your question.
There is no way to create if-then logic in a rule, so you have to create that logic.
One way is to create one rule to allow out to all (*) so that it gets to "the internet". Then you need a separate rule to limit the all (*) from reaching your main LAN (a block rule).
This is one way of doing it. Due to ordering, you would put the block rule above the allow all:
Alternatively as passeri says, you can do it in a combination with the use of aliases.

Yes, there are certainly other ways of doing it. The one I selected holds to my "allow required then block by default" policy even though logically these can be reversed into "block unwanted then allow the rest". As coffeecup25 notes, there is already an inversion in my rule by saying in effect "the WAN is not this group" so whether one is really saying allow-block or block-allow becomes moot. It is more important to hold a single [sense of your] logical model so that you can spot errors in your own rules more easily.
Deciso DEC697
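Added example, not from any poster in this thread: a small Python model of first-match rule evaluation that places passeri's single inverted-alias rule beside cookiemonster's block-then-allow ordering and runs both over the same constructed flows, so the two logical models described above can be compared line by line. The subnet addresses, the firewall's IoT interface address and the third private subnet are assumptions made for the example. It also includes a third rule set with a DNS rule placed above the inverted rule: the firewall's own IoT address lies inside the RFC1918 alias, so the inverted rule drops queries to it, which is one likely explanation for DNS failing until public resolvers were entered in DHCP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for this example (assumptions, not taken from the thread):
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # main LAN ("LAN net")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")   # IoT subnet on the spare port ("IoT net")
IOT_GW = ipaddress.ip_network("192.168.20.1/32")    # the firewall's own address on the IoT interface
ANY = ipaddress.ip_network("0.0.0.0/0")
# Contents of the "rfc1918" / "private_nets" alias
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: list                    # ip_network objects the source must fall in
    dst: list                    # ip_network objects (or alias contents) for the destination
    dst_invert: bool = False     # the "Destination / Invert" tick box
    dport: Optional[int] = None  # None = any destination port
    name: str = ""


def rule_matches(rule, src_ip, dst_ip, dport):
    src_hit = any(src_ip in n for n in rule.src)
    dst_hit = any(dst_ip in n for n in rule.dst)
    if rule.dst_invert:
        dst_hit = not dst_hit    # "destination is NOT in the alias"
    port_hit = rule.dport is None or rule.dport == dport
    return src_hit and dst_hit and port_hit


def evaluate(rules, src, dst, dport=443):
    """Walk the interface's rule list top to bottom. The first matching rule decides
    (quick rules); a packet that matches nothing hits the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, dport):
            return f"{rule.action} ({rule.name})"
    return "block (default deny)"


# Rule set A: passeri's single allow rule with an inverted destination.
ALIAS_RULES = [
    Rule("pass", [IOT_NET], RFC1918, dst_invert=True, name="IoT -> !rfc1918"),
]

# Rule set A': the same, with DNS to the firewall's IoT address allowed above it.
ALIAS_RULES_WITH_DNS = [
    Rule("pass", [IOT_NET], [IOT_GW], dport=53, name="IoT -> firewall DNS"),
    *ALIAS_RULES,
]

# Rule set B: cookiemonster's ordering, block to LAN net first, then allow all out.
BLOCK_THEN_ALLOW = [
    Rule("block", [IOT_NET], [LAN_NET], name="block IoT -> LAN net"),
    Rule("pass", [IOT_NET], [ANY], name="allow all out"),
]

RULESETS = {
    "alias": ALIAS_RULES,
    "alias+dns": ALIAS_RULES_WITH_DNS,
    "block-then-allow": BLOCK_THEN_ALLOW,
}

# Constructed test flows: an IoT device reaching the internet, a LAN host, the
# firewall's DNS on the IoT interface, and a third private subnet (assumed 10.0.0.0/24).
FLOWS = {
    "iot->internet":      ("192.168.20.50", "198.51.100.7", 443),
    "iot->lan host":      ("192.168.20.50", "192.168.1.10", 443),
    "iot->fw dns":        ("192.168.20.50", "192.168.20.1", 53),
    "iot->other private": ("192.168.20.50", "10.0.0.5", 443),
}


def compare(rulesets, flows):
    """Return {flow label: {rule set name: decision}} for every flow and rule set."""
    return {label: {name: evaluate(rules, src, dst, dport) for name, rules in rulesets.items()}
            for label, (src, dst, dport) in flows.items()}


if __name__ == "__main__":
    for flow, results in compare(RULESETS, FLOWS).items():
        print(flow)
        for name, decision in results.items():
            print(f"   {name:18s} {decision}")
```

Running it shows the point of passeri's last paragraph: both models let the thermostat reach the internet and keep it off the LAN, but they differ at the edges. The inverted alias also blocks the firewall's own IoT address and any other private subnet, so DNS served by the firewall needs its own rule above it; the block-then-allow pair only blocks what it names, so a second internal subnet, or services listening on the firewall's IoT address, stay reachable unless further block rules are added. Whichever model you pick, check the flows you care about against the rule list rather than assuming the intent carried over.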

cookiemonster,

Thanks for taking the time to reply. I think you missed my point. I want to use a spare router port for an isolated guest network for IoT devices that need internet access. That's a pretty well defined objective with no permutations.

A cookbook recipe is not if / then. Look at a Betty Crocker book for more examples.

I would not be surprised to see other firewall rules that accomplish the same objective (IoT isolated from LAN and Internet Access for IoT). Reading the OPNsense manual is not helpful at my level of understanding for this. Clearly written examples are.

I would like to know more about the inverted aspect as that is opaque.

If there are different rules that would do the same thing, I suspect lots of people other than me would like to see them.

Thanks for answering.

Sigh. Another one with great expectations, but this time, different ones.

Usually, people come in here and expect OpnSense to be a ready-made product for home users like a Fritzbox, only with more features / possibilities. That, it is not. It is a complex product for network professionals who can do a lot of things with it, that they never could with more limited consumer-grade products.

You, in contrast, even seem to expect a recipe for your specific situation. Matter of fact, this ain't possible, because in order to not disappoint anyone with the same mindset, there would have to be a recipe for any specific situation, which cannot exist for obvious reasons.

While there are guides in the tutorial section for some often found situations, they are mostly meant as an idea pool for more specific, individual setups. So - there can (and there should) be "if / thens".

BTW: Relying solely on those tutorials as "step-by-step" guides would be a risk: If your specific setup deviates only a slight bit, it would not work or - because OpnSense is a security product - be unsafe. So, network knowledge is a must, you will have to do your own thinking and your expectations are probably too high.

Or, as Patrick would put it: "You are holding it wrong."
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

meyergru,

Knock it off. You weren't born with the know-how to even install OPNsense from a USB drive, let alone configure a 2nd subnet using a spare router port. Simple questions like the one I asked ALWAYS seem to bring weirdos out of the woodwork who won't play nice. Are you offended by my comments about a lot of YouTube videos now being useless vanity projects rather than helpful seminars like they seemed to be by the barrel full a decade or so ago? Your reply fits in well with the current approach to video making. People like you make forums like this a risk to even waste time on.
 
I stopped using pfSense because even simpler questions brought out even more obnoxious weirdos in their forum. OPNsense is OK, but I figured out how to load Adguard Home in pfSense in the background, using a very helpful internet article. In fact, I'm using my pfSense router to now experiment with the 2nd subnet so I can mess up with less downside. Maybe I'll change over again once it works.

I have a 'business class' Asus wireless router on order for hobby purposes. It has a ton of features not normally included in your typical retail router. Adguard home is also installed on a couple of 24/7 home servers. It's not as powerful as OPNsense but my needs are simple. And I will be able to remove a pc / router and 2 access points if it does the job. You make me want to really make it work.

I know weirdos like you take pride in getting a rise out of people and even chasing them away. Good for you. People like you make places like this of dubious value. Have you ever driven through the southwest in the countryside and seen a cow standing on a large pile of you know what? Quite a metaphor.

I will write it better shortly :)

That is quite an attitude you are presenting here.

When you say things like:

    "Google is useless for this."

    "YouTube is just vanity projects."

    "Why doesn't someone just write this down already?"

...it alienates volunteers who are freely giving their time to help. It implies they are not doing enough or that your problem is so obvious that only negligence explains the lack of a universal recipe, which is not the case as I tried to explain.

Technical forums function on mutual respect, humility, and collaborative troubleshooting – not on consumer-facing service expectations. If you require ready-made solutions without investing time to understand the concepts, a paid consultancy may be a better fit. Even then, no service includes a right to insult people as "weirdos" for helping you.

I am not falling for this framing. Your cooperation will always yield better results here.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

@coffeecup25 you will find this is a very friendly place. Ok, it doesn't seem that way right now, but it is.
What you've experienced is that making a couple of snippy statements will get some tails up.
But meyergru has written it already.

One way, as I said, is to stop traffic to the neighbour network and then allow all out. Traffic will be evaluated and if going to "LAN net" in my example case, it will stop and not evaluate further rules.
If traffic is not going there, it will hit the last, "allow all out" i.e. internet.

Edit: Removing the attachment. Why? This guy's attitude makes it extremely hard to want to help.

Suggestion. Statements like:
"Can someone offer a simple cookbook recipe for this? Nobody else has, surprisingly."
"Why in the world do so many people have so much trouble coming to the point?  "
when you are trying something new, in a new place.. not necessary ;)

You're walking thirsty wanting to ask for a free glass of water in a shop, and you start by telling the workers that you've looked everywhere and couldn't find it anywhere, why has nobody made it easy to just get that free glass of water for anyone passing along.

passeri,

Thanks. I got it working on my pfSense router that I used as a lab as mentioned above. It did not work at first. Then I did what nobody mentioned except one video as an afterthought - I entered some DNS servers on the DHCP page for IoT. Fired right up to the internet. Apparently the default won't allow the main router DNS to get through if Adguard Home has control, or maybe at all. I don't know. Which is fine because I don't care if my thermostat is inundated with ads and trackers.

I figured out the inverted aspects now. Clever approach.

Now that the internet is working on it, I can play around with a couple of other ideas I have for configuration. I'll do it after I move it to my OPNsense router.

Thanks again.

Other guys, is there some rule you people follow that prevents you from getting along like normal people? I especially like how you invert yourselves into victims as you attack me.

I recommend a visit to the AITA reddit and serious adjustment of your attitude, dude.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 06, 2025, 09:10:11 PM
"I recommend a visit to the AITA reddit and serious adjustment of your attitude, dude."

AITA?  Probably so, but only from your perspective. From my perspective, the Other Guys fit that description perfectly. I asked a simple question with a little flourish about my frustration with how useless the internet can be with everyone trying to be a star without a clue about how to communicate effectively. That question brought out the weirdos who hate simple questions. Out come the angry victims who don't try to stay on point but blather angrily off point and misunderstand the point of the original post. I simply decided that, today, enough is enough.

To be honest, yes. People shouldn't expect just professionals to use this product, as many people are trying to deeply secure their internet. The term "elitist" mindset gets tossed around online. To be honest, this is an online forum, where a lot of people ask questions. No one is a genius. People do dumb things. Encourage learning, don't discredit. As a math tutor I learned that explaining to them as if they know nothing and building from the ground up helps.