Isolate clients from a network

Started by Robertomcat, August 25, 2025, 01:59:30 PM

Hello, good morning.

I currently have three physically segmented networks: Wi-Fi, LAN, and MQL. All devices within the LAN and Wi-Fi have access to MQL, and I've created a rule for the MQL network to not have access to other networks.

But when I try to create a rule to prevent devices within MQL from communicating with each other within the same network, the devices are unable to access web pages, but they can ping DNS servers and services.

This is the rule, and I have it before the Internet outbound rule. What procedure am I doing wrong?

Action: Block
Interface: MQL
Direction: in
Source: MQL net
Destination: MQL net

Can you post the full ruleset for MQL net?

In general, devices on the same network can directly access each other. The traffic won't pass through the router and therefore your rule won't prevent the devices on the same network from talking to each other.

Is the client DNS set to the MQL router IP? I would assume that the clients can't resolve anything with those rules, since access to the DNS is blocked.
Deciso DEC740

Quote from: patient0 on August 25, 2025, 05:05:55 PM: Can you post the full ruleset for MQL net?
This rule prevents access to 192.168.1.0/24 - 192.168.2.0/24 - 192.168.18.0/24 from the MQL network:
Action: Block
Interface: MQL
Direction: in
Protocol: any
Source: MQL net
Destination: "aliases"


And this other rule grants Internet access:
Action: pass
Interface: MQL
Direction: in
Protocol: any
Source: MQL net
Destination: any

I only have these two rules. The others are the ones OPNsense uses by default, plus the ones CrowdSec created, but those are all hidden in the drop-down menu.

August 25, 2025, 07:25:04 PM #3 Last Edit: August 25, 2025, 07:27:18 PM by BrandyWine
When would any packets destined to a host on the local network ever get to the FW? Never. You can run a host-based FW ruleset to stop the hosts from being able to talk to each other.

There's also a "trick" where you use .1q between FW and a large # port switch, where each host is in its own vlan ID (one switch port per ID), thus the only way two hosts can talk to each other would be to ride .1q to FW and then back to switch, but you would apply FW rules accordingly. Not 100% this would work with OPNsense.

Quote from: Robertomcat on August 25, 2025, 07:16:39 PM: I only have these two rules.
What about the other questions of mine? As I wrote, your clients won't be able to resolve any DNS request if the DNS is set to an MQL network IP.
Deciso DEC740

Quote from: BrandyWine on August 25, 2025, 07:25:04 PM: There's also a "trick" where you use .1q between FW and a large # port switch, where each host is in its own vlan ID (one switch port per ID), thus the only way two hosts can talk to each other would be to ride .1q to FW and then back to switch, but you would apply FW rules accordingly. Not 100% this would work with OPNsense.
I don't think I quite understand what you're referring to, because my knowledge of the vastness of OPNsense is pretty basic. My needs aren't very demanding, so I only have basic security settings, like Unbound DNS Blocklist and CrowdSec (CrowdSec doesn't require any further configuration with the basic installation, right?). Thanks!

Quote from: patient0 on August 25, 2025, 09:35:41 PM: What about the other questions of mine? As I wrote, your clients won't be able to resolve any DNS request if the DNS is set to an MQL network IP.
Yes, OPNsense itself resolves DNS requests. I previously had external DNS servers, but reading posts here on the forum, I found the most private and secure way was the default OPNsense configuration. Thank you for your answers!

https://forum.opnsense.org/index.php?topic=39119.msg191611#msg191611

Quote from: Robertomcat on August 26, 2025, 10:14:48 AM: I don't think I quite understand what you're referring to, because my knowledge of the vastness of OPNsense is pretty basic. My needs aren't very demanding, so I only have basic security settings, like Unbound DNS Blocklist and CrowdSec (CrowdSec doesn't require any further configuration with the basic installation, right?). Thanks!

If each host is in its own layer-2 vlan then they become isolated from the other hosts, even if they all have the same IP subnet.

What's the need to keep hosts on one network from talking to each other directly?

August 26, 2025, 07:47:00 PM #7 Last Edit: August 26, 2025, 07:49:13 PM by pfry
Quote from: BrandyWine on August 25, 2025, 07:25:04 PM: [...] Not 100% this would work with OPNsense.

I use that method (switch as port expander via VLANs). I use bridges on the firewall to limit rulesets. The only downsides I recall offhand are limitations in netflow port statistics (bridge stats are OK; port stats are mostly unavailable) and potential ARP issues (an unlimited ARP responder can mess you up).

Quick edit: The "Firewall: Log Files: Live View" is a great way to troubleshoot rulesets.

Quote from: Robertomcat on August 26, 2025, 10:14:48 AM: Yes, OPNsense itself resolves DNS requests. I previously had external DNS servers, but reading posts here on the forum, I found the most private and secure way was the default OPNsense configuration. Thank you for your answers!
Since the OPNsense IP is part of the 'MQL net' you need to add a rule for DNS. And you can make one rule out of the two you have:

# Allow clients to access router for DNS queries
Action: pass
Interface: MQL
Direction: in
Protocol: udp, port 53
Source: MQL net
Destination: MQL address

# Allow access to everything except 192.168.1.0/24 - 192.168.2.0/24 - 192.168.18.0/24 from the MQL network:
Action: pass
Interface: MQL
Direction: in
Protocol: any
Source: MQL net
Destination: ! (not) "aliases"
Deciso DEC740

Hello, good morning. Is this DNS access rule you've set up for me to be added after the rule I included in my first post?
Quote from: patient0 on August 26, 2025, 11:21:19 PM:
# Allow clients to access router for DNS queries
Action: pass
Interface: MQL
Direction: in
Protocol: udp, port 53
Source: MQL net
Destination: MQL address

This rule is already created, but I named it "alias" because the original name of the alias that blocks access to the three networks is: "Bloqueig_de_MQL5_a_LANs", which is written in Catalan.
Quote from: patient0 on August 26, 2025, 11:21:19 PM:
# Allow access to everything except 192.168.1.0/24 - 192.168.2.0/24 - 192.168.18.0/24 from the MQL network:
Action: pass
Interface: MQL
Direction: in
Protocol: any
Source: MQL net
Destination: ! (not) "aliases"


This would be the current configuration, but I haven't tested it yet to prevent the computers from losing Internet.

Quote from: Robertomcat on August 27, 2025, 12:06:16 PM: This would be the current configuration, but I haven't tested it yet to prevent the computers from losing Internet.

As mentioned, you can consolidate the first and last rule into the one I wrote (a pass rule with destination everything-except-the-alias-network), but you don't have to. And the DNS would come before your block-the-aliases.

Per default the rules are first-match: the first rule that is matching is executed and no further rules are evaluated.

Quote: but I haven't tested it yet to prevent the computers from losing Internet
If your computer on MQL can access the internet, including DNS, then don't change anything.
Deciso DEC740

Quote from: patient0 on August 27, 2025, 12:58:02 PM: As mentioned, you can consolidate the first and last rule into the one I wrote (a pass rule with destination everything-except-the-alias-network), but you don't have to. And the DNS would come before your block-the-aliases.
I've tested the rules you wrote for me, disabled my rule, and the order is now as follows: Access DNS > Client Isolation > Internet Access
With these three rules, all computers have Internet access, but they also have access to other LANs, and can also communicate with each other via remote desktop (for example).
I'm sure I didn't do the rule correctly. Do you see everything as correct?

Then leave your two rules as they are, just add the DNS before the two. I may have confused you with mine.
Deciso DEC740
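The two points made in this thread (same-subnet traffic never reaches the firewall, and rules are first-match so the DNS pass rule has to sit before any block that covers the firewall's own address) are easy to see in a small simulator. The following is an added example written for this page, not code from OPNsense or from anyone in the thread. The MQL subnet (192.168.5.0/24 with the firewall at .1), the client and peer addresses, the public test address 203.0.113.10 and the probe ports are all constructed; the three other LANs and the rule names come from the posts above. It replays the three rulesets discussed: the first post's, patient0's consolidated one, and the "Access DNS > Client Isolation > Internet Access" order from the last post with the alias block disabled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: the thread never states the MQL subnet, so this is
# an assumption. The three other LANs are the ones named in the thread.
MQL_NET = ipaddress.ip_network("192.168.5.0/24")
MQL_ADDRESS = ipaddress.ip_address("192.168.5.1")          # the firewall itself
OTHER_LANS = [ipaddress.ip_network(n)
              for n in ("192.168.1.0/24", "192.168.2.0/24", "192.168.18.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    name: str
    action: str                     # "pass" or "block"
    src: list                       # networks the source must fall in
    dst: list                       # networks the destination must fall in
    dst_negate: bool = False        # the "! (not)" toggle on Destination
    proto: str = "any"              # "any", "udp" or "tcp"
    dport: Optional[int] = None     # destination port, None means any


def _in(nets, addr) -> bool:
    return any(addr in n for n in nets)


def reaches_firewall(src, dst) -> bool:
    """A host hands a packet to its gateway only when the destination is off
    its own subnet, or is the firewall's own address. A packet to another
    host on MQL goes switch-to-host and the firewall never sees it."""
    if dst == MQL_ADDRESS:
        return True
    return not (src in MQL_NET and dst in MQL_NET)


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First-match evaluation as described in the thread: the first matching
    rule decides and nothing after it is looked at; with no match the
    implicit default deny applies. Returns (verdict, deciding_rule)."""
    if not reaches_firewall(src, dst):
        return ("not seen by firewall", None)
    for r in rules:
        if not _in(r.src, src):
            continue
        hit = _in(r.dst, dst)
        if r.dst_negate:            # "everything except the alias"
            hit = not hit
        if not hit:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return (r.action, r.name)
    return ("block", "default deny")


# Rules from the thread, expressed with the constructed addresses above.
dns_to_router = Rule("Access DNS", "pass", [MQL_NET],
                     [ipaddress.ip_network(f"{MQL_ADDRESS}/32")], proto="udp", dport=53)
block_peers = Rule("Client Isolation", "block", [MQL_NET], [MQL_NET])
block_other_lans = Rule("Bloqueig_de_MQL5_a_LANs", "block", [MQL_NET], OTHER_LANS)
pass_internet = Rule("Internet Access", "pass", [MQL_NET], ANY)
pass_except_lans = Rule("Everything except LANs", "pass", [MQL_NET],
                        OTHER_LANS, dst_negate=True)

RULESETS = {
    "first post": [block_peers, block_other_lans, pass_internet],
    "patient0":   [dns_to_router, pass_except_lans],
    "last post":  [dns_to_router, block_peers, pass_internet],  # alias block disabled
}

# Constructed probes sent by one MQL client.
CLIENT = ipaddress.ip_address("192.168.5.20")
PROBES = {
    "dns to router":    (MQL_ADDRESS, "udp", 53),
    "web to internet":  (ipaddress.ip_address("203.0.113.10"), "tcp", 443),
    "rdp to peer":      (ipaddress.ip_address("192.168.5.30"), "tcp", 3389),
    "smb to other lan": (ipaddress.ip_address("192.168.1.10"), "tcp", 445),
}


def outcomes(ruleset: str) -> dict:
    """Verdict for every probe under the named ruleset."""
    return {name: evaluate(RULESETS[ruleset], CLIENT, dst, proto, port)[0]
            for name, (dst, proto, port) in PROBES.items()}


if __name__ == "__main__":
    for name in RULESETS:
        print(name)
        for probe, verdict in outcomes(name).items():
            print(f"  {probe:18s} {verdict}")
```

Running it reproduces what the posters observed: under the first post's order the DNS query to the firewall is blocked by "Client Isolation" (the firewall address is inside MQL net), under the last post's order the other LANs become reachable again because only "Internet Access" is left to match them, and in every case the peer-to-peer RDP probe never reaches the firewall at all, which is why no ruleset on the MQL interface can isolate clients from each other.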