Guest WiFi - Dedicated VLAN - Best Practice Question

Started by Mario_Rossi, Today at 03:36:32 PM

Hi, I'm struggling with the VLAN for the guest WiFi. I've read the official guide https://docs.opnsense.org/manual/how-tos/guestnet.html, but I have a question.
Basically, a firewall blocks everything that isn't explicitly allowed.
If I understand correctly, the tutorial says to create a rule to block access to the VLANs we don't want guests to access, and then create an "any-any" rule. This configuration doesn't seem like best practice; I would expect one or a series of rules to allow only what's needed.

I should point out that by following the guide, devices connecting to the guest WiFi access the internet correctly and don't see objects on the LAN. However, I tried to configure it to only allow what's needed, but I couldn't.

I'll add some details about my network topology (very common) that might help understand what actually needs to be done to achieve this goal:

FTTH - ONT - OPNsense WAN - OPNsense - OPNsense LAN (multi-VLAN) - managed L3 switch - client + managed access point with VLAN support.
Default VLAN 1 (LAN): 192.168.1.0/24
VLAN2 (Wireguard LAN): 192.168.2.0/24
VLAN3 (Video Surveillance): 192.168.3.0/24
VLAN4 (IoT): 192.168.4.0/24
VLAN5 (Guest): 192.168.5.0/24
VLAN6 (Untrusted/Unfiltered Devices): 192.168.6.0/24
VLAN7 (Management): 192.168.7.0/24

Adguard Home is on my LAN. I have a firewall rule that allows all VLANs to reach the AGH CT on ports 53/443/853.
If I wanted VLAN5 to only reach AGH and the Internet, excluding everything else, how would I write the rule?
With the initial pass rule 53/443/853 to 192.168.1.x (AGH), I see traffic passing through VLAN5 and reaching the DNS server correctly. With other pass rules to the WAN, the most I can get is a Default deny/state violation rule.

I'm probably stuck on something I'm missing.

Since "the Internet" is by definition "all public addresses in use" and hence "any" you need to allow access to "any" for guests to access the Internet. So you need to block your local networks explicitly.

Only what is needed is exactly "everything except the other local networks".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Mario_Rossi on Today at 03:36:32 PM
Default VLAN 1 (LAN): 192.168.1.0/24
VLAN2 (Wireguard LAN): 192.168.2.0/24
VLAN3 (Video Surveillance): 192.168.3.0/24
VLAN4 (IoT): 192.168.4.0/24
VLAN6 (Untrusted/Unfiltered Devices): 192.168.6.0/24
VLAN7 (Management): 192.168.7.0/24
- Put those in one Alias called "My_Networks" to avoid having to create multiple Firewall Rules that block each network.
- And then create a rule that's something like: Allow from Guest Network to !My_Networks
To allow Internet Access for VLAN5 (Guest): 192.168.5.0/24 in combination with your DNS Server rule.
- Also add one rule that Blocks direct contact with your OPNsense of course.

From the top of my head, did not check everything, but this should be pretty much it :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
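To see why the three rules above have to be ordered the way they are, here is an added first-match ("quick") rule evaluator written for this thread; it is not OPNsense code. It uses the VLAN ranges from the opening post and assumes 192.168.5.1 as the OPNsense address on the guest VLAN and 192.168.1.10 as the AdGuard Home host (neither is stated in the thread). The last assertion-style check shows that without the explicit block, the guest VLAN can reach the firewall itself, because 192.168.5.0/24 is not part of My_Networks.

```python
from ipaddress import ip_address, ip_network

# Networks from the thread. The guest VLAN is deliberately NOT in the alias,
# exactly as the reply suggests (the alias lists the networks to keep guests out of).
MY_NETWORKS = [ip_network(n) for n in (
    "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24",
    "192.168.4.0/24", "192.168.6.0/24", "192.168.7.0/24")]
FIREWALL_ON_GUEST_VLAN = ip_address("192.168.5.1")   # assumed OPNsense guest-VLAN address
ADGUARD_HOME = ip_address("192.168.1.10")            # assumed AdGuard Home address
DNS_PORTS = (53, 443, 853)


def in_alias(dst, alias):
    """True when dst falls inside any network of the alias."""
    return any(dst in net for net in alias)


# Rules on the guest interface, top to bottom, first match wins (OPNsense "quick").
# Each entry: (action, predicate over (destination address, destination port)).
GUEST_RULES = [
    ("pass",  lambda d, p: d == ADGUARD_HOME and p in DNS_PORTS),   # DNS/DoH/DoT to AGH
    ("block", lambda d, p: d == FIREWALL_ON_GUEST_VLAN),            # no direct contact with OPNsense
    ("pass",  lambda d, p: not in_alias(d, MY_NETWORKS)),           # "Internet" = not a local net
]


def evaluate(rules, dst_ip, dst_port):
    """Return the action of the first matching rule, or 'block' (default deny)."""
    dst = ip_address(dst_ip)
    for action, matches in rules:
        if matches(dst, dst_port):
            return action
    return "block"


def without_self_block(rules):
    """Same ruleset minus the explicit block of the firewall's own address."""
    return [r for r in rules if r[0] != "block"]


if __name__ == "__main__":
    for dst, port in (("1.1.1.1", 443), ("192.168.3.10", 554),
                      ("192.168.1.10", 53), ("192.168.1.10", 80), ("192.168.5.1", 443)):
        print(f"{dst}:{port:<4} -> {evaluate(GUEST_RULES, dst, port)}")
    print("firewall reachable if block rule omitted:",
          evaluate(without_self_block(GUEST_RULES), "192.168.5.1", 443) == "pass")
```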

Um, okay, I'll think about it... it seemed more intuitive to make a "pass to WAN" rule, but what you're saying makes sense.

P.S. I switched from the old rule system to the new one, so I find myself having to fix several things that used to work and now don't.