Rule confusion between separate physical interfaces

Started by brigmaticlaw, November 21, 2025, 08:59:17 PM

Hi everyone! I was hoping you may be able to point me in the right direction on this small obstacle I've been hitting. I am not at all ruling out gross ignorance here, so please accept my apologies in advance.

I am attempting to have two physically separate networks both going through my OPNsense box. One is my main home network with several VLANs (Lab, Main, Guest, etc.) all trunked to my main switch on a 10GbE NIC, ix0. The second is plugged into a 4-port NIC on em2 (em1 is WAN) and is intended to be an internet-access-only mini-LAN for all work-owned devices to connect to. This hardware is nothing more than a 5-port unmanaged switch connected to an older Linksys router set to Bridge Mode with a static IP and its own SSID.

Other than the auto-generated rules, the only rule I have on the "Work" interface is to allow internet. At first I thought the segmentation was working but I have discovered that is not actually the case. I tried setting a rule on the Work interface to block all outbound traffic from Work net to all other interfaces in my trusted network. However, using my work laptop connected hardwire and WiFi, I am still able to access all of my resources running on my Lab VLAN on the trusted network.

I also tried setting a rule on the Lab interface to block all incoming traffic from Work net but that also didn't seem to work.

It doesn't seem to matter whether I'm using the IP of the service or the local FQDN I have set up through Nginx Reverse Proxy Manager.

I feel like one of these rules should work but, again, I could just be incredibly ignorant.

Any ideas of what I'm doing wrong? I appreciate any direction you may be able to provide.

Usually, you will want an "in" rule like "allow any to any" for normal LANs and there is such a default rule for the first LAN.

However, this is generally too broad, because it allows access to any other (V)LAN when applied to all (V)LANs. The general recommendation is to use a "block any to RFC1918" rule before the "allow any to any" rule, with RFC1918 created as an alias for all RFC1918 ranges.

You can achieve the same effect if you deny access for specific destination interfaces.

Usually, you will have one or more (V)LANs that really have the permission to allow access to all other (V)LANs, like your main LAN or a Management VLAN. Only for those, you will not define a block rule.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
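As an added illustration (not from either post, and not OPNsense's own code), here is a small Python model of how first-match "in" rules on the Work interface behave, assuming OPNsense's default of "quick" rules where the first matching rule decides. The RFC1918 alias, the Lab subnet 192.168.10.0/24 and the sample destination addresses are constructed for the example.

```python
import ipaddress

# Constructed alias covering all three RFC1918 ranges, as the reply recommends.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Lab VLAN subnet, for the "deny specific destination interface" variant.
LAB_NET = [ipaddress.ip_network("192.168.10.0/24")]


def in_alias(dst, alias):
    """True if the destination address falls inside any network of the alias."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in alias)


def evaluate(rules, dst):
    """First-match ("quick") evaluation of the 'in' rules on one interface.

    Each rule is (action, destination), where destination is the string "any"
    or a list of networks (an alias). No match means the implicit default deny.
    """
    for action, destination in rules:
        if destination == "any" or in_alias(dst, destination):
            return action
    return "block"


# Rule sets for the Work interface, top to bottom as they would appear in the GUI.
BROAD_ONLY = [("pass", "any")]                          # default LAN-style rule alone
RECOMMENDED = [("block", RFC1918), ("pass", "any")]     # block private nets first
BY_INTERFACE = [("block", LAB_NET), ("pass", "any")]    # deny one destination net
WRONG_ORDER = [("pass", "any"), ("block", RFC1918)]     # block is never reached


def work_to(rules, dst):
    """Convenience wrapper: what happens to a new connection from Work net to dst."""
    return evaluate(rules, dst)


if __name__ == "__main__":
    for name, rules in (("broad", BROAD_ONLY), ("recommended", RECOMMENDED),
                        ("by-interface", BY_INTERFACE), ("wrong-order", WRONG_ORDER)):
        # 192.168.10.5 is a constructed Lab host; 203.0.113.10 is a constructed public address.
        print(name, "-> Lab:", work_to(rules, "192.168.10.5"),
              "| -> Internet:", work_to(rules, "203.0.113.10"))
```

The model covers new connections only; in pf a rule added after a session is already established does not affect that session's existing state, so re-test from a fresh connection after changing rules.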