Basic firewall rule help

Started by Mattps, October 27, 2025, 12:37:40 PM

Hi Forum,

I've just started using OPNSense at home and I'm having some issues getting some basic firewall rules working. I've watched some YouTube tutorials, taken the basic OPNSense training but am still struggling and can't see why.

My virtualised OPNSense appliance has 3 interfaces:

WAN
LAN110 - 192.168.10.1/24 (VLAN110)
LAN2 - 192.168.2.1/24 (VLAN2)

I can get both LAN and LAN2 networks to access the internet, but I am trying to stop the LAN2 network from accessing any devices on the LAN network.
I can only seem to open everything or block everything?

These are my rules so far:

LAN interface
My understanding is that this allows traffic from the LAN network out to the internet:
https://ibb.co/21t64Zrt


LAN2 interface
My aim was to block any traffic coming in on the LAN2 interface, from a LAN2 network address, that was destined for the LAN110 network. The second rule is intended to allow LAN2 network traffic out to the internet:
https://ibb.co/h11Z8p8h

I don't have any WAN rules other than the auto generated, I don't have any floating rules.

Can anyone give me some pointers on where I am going wrong?

Thanks,
Matt

You need a rule on LAN2:

Source: any
Destination: LAN110 net
Action: deny

and place that before the rule allowing Internet access.

That's one way to do it. There are more. ;-)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
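To show why the order of the two LAN2 rules matters, here is a small first-match evaluator, added as an illustration and not code from OPNsense or from anyone in this thread. It assumes the default OPNsense behaviour that interface rules are "quick" (the first matching rule wins) and that unmatched traffic hits the implicit default deny; the addresses and rule set are constructed from the networks posted above.

```python
# Added example: first-match evaluation of per-interface rules, the way
# OPNsense applies them when "Quick" is left at its default. The rule set
# follows the suggestion above; it is constructed here, not exported
# from any OPNsense box.
from ipaddress import ip_address, ip_network

LAN110_NET = ip_network("192.168.10.0/24")
LAN2_NET = ip_network("192.168.2.0/24")

# Inbound rules on the LAN2 interface, top to bottom as in the GUI.
# Each rule: (action, source selector, destination selector),
# where a selector is "any" or an ip_network.
LAN2_RULES_SUGGESTED = [
    ("block", "any", LAN110_NET),   # deny LAN2 -> LAN110, placed first
    ("pass", LAN2_NET, "any"),      # then allow LAN2 out to the Internet
]
# The same two rules in the wrong order: the pass rule wins for everything.
LAN2_RULES_WRONG_ORDER = list(reversed(LAN2_RULES_SUGGESTED))


def matches(selector, addr):
    """'any' matches every address; otherwise addr must be in the network."""
    return selector == "any" or ip_address(addr) in selector


def evaluate(rules, src, dst, default="block"):
    """Return the action of the first rule matching src -> dst.
    Later rules are never consulted (quick); no match means default deny."""
    for action, s_sel, d_sel in rules:
        if matches(s_sel, src) and matches(d_sel, dst):
            return action
    return default


def check_rule_set(rules):
    """Evaluate the two flows discussed in the thread (constructed hosts)."""
    return {
        "LAN2->LAN110": evaluate(rules, "192.168.2.50", "192.168.10.20"),
        "LAN2->Internet": evaluate(rules, "192.168.2.50", "203.0.113.9"),
    }


if __name__ == "__main__":
    for name, rules in (("suggested", LAN2_RULES_SUGGESTED),
                        ("wrong order", LAN2_RULES_WRONG_ORDER)):
        print(name, check_rule_set(rules))
```

With the deny rule first, LAN2 hosts are blocked from LAN110 but still pass to the Internet; with the allow rule first, the deny rule is never reached and LAN2 can reach LAN110.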

Are these physical ports per LAN, or 802.1q tagging of two VLANs on one physical port? Curious to know why the subnets have VLAN IDs.
Mini-pc N150 i226v x520, FREEDOM

Thanks Patrick - I'll give that a go and test.

Hi BrandyWine. All three ports are virtual. I have a DSL ISP router connected to a L3 switch (switch1), which is also connected to the device on VLAN2. Switch1 is connected via LAG ports to a second L3 switch (switch2) on a different floor. Switch2 has two Proxmox hosts connected to it, which are hosting 10 VLANs and the OPNSense appliance. I am using the OPNSense appliance with the inline router to get multiple VLANs out to the internet. This is just a PoC and now that I know it can work I will purchase a dedicated OPNSense box and move it to Switch1 to reduce network traffic and hops.

Quote from: Patrick M. Hausen on October 27, 2025, 12:42:48 PM
You need a rule on LAN2:

Source: any
Destination: LAN110 net
Action: deny

and place that before the rule allowing Internet access.

Nope, that didn't work I'm afraid. Now I am not able to get to the internet from any interface - I can't even PING the upstream gateway from the diagnostics section.

Can you suggest anything?

That's one way to do it. There are more. ;-)

Please add a screen shot of the rule.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)