Bogons are public IP addresses that are reserved for special purposes and should not be used which is why they are blocked on the WAN interface by default. To isolate networks on your internal networks, you only have to worry about the private IP address ranges (for IPv4).
Hello, this doesn't seem to work for me. I have OPNsense running on a Proxmox mini PC with two Ethernet ports, one for WAN and one for LAN, and all my VLANs have LAN as parent. When I set up those rules, I lose access to the internet. Here is my topology: FAI edge router -> OPNsense WAN -> OPNsense LAN -> L2 switch -> VM in tagged VLAN, which loses access to the internet. My best guess is that it loses internet access because the LAN is relaying that, and we just cut that off. How would you go about a scenario like this to segregate the LAN from the VLAN without losing internet access?
Hmm it’s hard to say without looking at the details of your config. I isolate VLANs on my main OPNsense box as well as VMs that are behind my primary OPNsense for testing purposes using the same types of rules to isolate networks without experiencing such issues.
@@homenetworkguy I think I found what the issue was: I'm using a local Pi-hole, configured in OPNsense, for DNS, so it could not be resolved. By setting regular DNS for that VLAN I do have internet access. 👍👍
Ahh sounds good. Glad you got it sorted out. DNS is one of those things I try to keep simple to minimize issues on my network since it can always cause problems. Haha
You could; some users prefer zone-based firewalls so they use only floating rules. However, if you decide you want to block something on one of the interfaces, you can’t create it in the interface firewall rules section. You would have to put it in the floating rules above your other allow rules. I prefer to have the rules to isolate networks on each interface as well as any interface-specific access on each interface. When I want to allow access on a specific interface (VLAN), it’s convenient to look at the interface rules instead of scrolling through a bunch of floating rules. I use firewall groups to reduce repetition of rules for interfaces which have a few rules that are the same. I like using floating rules when allowing network-wide access or blocks (such as allowing SSH access and iperf3 on the entire network).
Really love your videos. Need some help on a FW alias for NAS (SMB). How do you add ports 139 and 445 to an alias? Newbie question, I just don't know where to input these ports. Trying to write a rule to allow SMB traffic from one interface to another.
I'm glad you enjoy them! You would need to go to Firewall > Aliases. Click the "+" button. Enter a Name. Select Port(s) as the Type. Enter 139 and 445 in the Content. Click Save. Go to the source interface in OPNsense where you want a client to access a server on another interface on OPNsense and create a rule which uses the source interface net alias (or specific IPs). Enter the destination IP or network and chose the alias for the destination port and it should include both port numbers.
@@homenetworkguy Thank you! That did the trick. However, I did end up having to use the destination IP of the NAS appliance versus being able to use the interface name (example: NAS.address). So I think I may have a DNS issue as well. Using OpenDNS and Unbound DNS within the OPNsense FW. Still learning here. Not sure how or where to register a device name and IP etc.
I drove myself crazy trying to make rules to get my guest network not to talk to my LAN and vice versa, but nothing worked except just creating a floating rule saying no data transfer from guest to LAN in any direction and another floating rule allowing DNS. I don't know if it's because I am only using a PC with one NIC and a managed switch.
Perhaps you don’t have all of the VLAN configuration exactly right on OPNsense or the switch since you should be able to isolate networks as I have described whether the networks are VLANs or other networks on physical interfaces.
This video focuses on isolating networks. To isolate guests/clients within each network, you can use port isolation for wired devices and client isolation for wireless devices. In addition, for desktops/servers you can install a local firewall for further protection. Not all devices have the ability to install your own local firewall so the best you can do is use port isolation or client isolation for wired/wireless devices if you want isolation within each network.
I cannot ping my firewall even when directly plugged in. I have automatic rules created, one of which is blocking all my traffic, called "Default deny / state violation rule".
@homenetworkguy do you have suggestions on how to take my old router, which is now acting as my AP? I want to have the guest Wi-Fi users get one VLAN and the home SSID to get another VLAN. I have a Catalyst switch where the AP is plugged in. Everything is getting assigned the same VLAN, which is what the switch port is configured for. Do I need to have the port be a trunk port on the switch where the AP is?
If your server is on another network and you have the networks isolated from each other, then you wouldn’t need an alias. If you are allowing the entire LAN access to your server on another network then you could create an alias with a block rule to deny access to your server.
@@Apollopayne25 if it’s on the same network then you will have to enable a firewall on your server and block the PCs on the server’s firewall. The router’s firewall won’t be able to block those PCs if they’re on the same network because networking was designed to allow communication between devices that are in the same network. Since no routing across networks is necessary, you can’t block the traffic via the firewall on your router (OPNsense, for example).
Great video! Although I'm still having trouble blocking just 1 LAN IP from the internet. I have a mini PC with OPNsense and 1 WAN port and 1 LAN port, then the LAN port of the mini PC goes to a switch. I also have an old router in bridge mode for Wi-Fi, plugged into the switch, so I'm not sure if that has something to do with it. Basically it either blocks all LAN traffic to the internet or none... I've set these rules up in the past on pfSense routers and a DD-WRT router and never had much trouble. Maybe you could shed some light on the subject?
If you want to block a single IP, you’ll need to make that device a static IP. The firewall rule should be set as a block rule and use that static IP as the source and destination should be any. The rule needs to be above the rule to allow access to the Internet (near the top of the list of rules). The order matters when creating rules.
You wouldn't be the first one with that issue if that is the case. I think some others are having trouble because they are doing some L3 routing on their switches with ACLs (although by default, I think most switches would not have such features enabled since the ACL needs to be configured to function as intended, I believe). I always assume that is not the case for most users so I forget to ask if there is any L3 switching going on with the switches being used on your network. If the switch is performing the routing, then OPNsense (and other routers/firewalls) will not see that traffic so it will not be able to have any firewall rules applied.
I ordered a USB-to-Ethernet adapter to plug into OPNsense and give it another LAN port. Then I'll plug the bridged Wi-Fi router into it. I'm hoping I can get MAC address control at least on those devices. I have all devices in the network statically assigned via DHCP. I know it's overkill but I hope it helps in blocking what needs blocking. I eventually got rid of the allow-any line, then created aliases for 3 groups: wan-no = devices that never get WAN, wan-yes = always need WAN, screentime = devices like Fire TV, tablets, cell phones, and created allows for those. This worked great, except it allowed devices on the LAN to talk to each other, assuming MAC-address-level routing... So for example if I disable the screentime rule, all those devices won't have internet, which is great, although my media center has Emby serving the media so those local devices can still access it. Once I get the USB Ethernet today, I need to find the proper way to make sure it's part of the LAN and make sure it gets DHCP from OPNsense like the LAN port does. I tinkered with making a bridge before but not sure if it's what's needed. I also thought of doing VLANs; not my strong suit, by the way, but from what I understand it would create another subnet for each VLAN group. I'm not sure if that will work as well, since my suspicion is the switch will still bypass the router and route by MAC address.
One thing to keep in mind: devices on the same network can talk to each other and do not pass through the firewall. It’s how networks function. If you want to restrict access within the same network you will need to install a local firewall on each device (server, PC, etc.) but that’s not something you can really do with iPhones, iPads, media players, for instance. You would need to put those devices on their own VLAN and restrict access between networks in OPNsense. Each VLAN is essentially its own subnet. You can control access via firewall rules.
Yeah I could. There’s not a lot to basic port forwarding but it gets more interesting if you want to use a reverse proxy and put Cloudflare in front of your services to help protect them better. Of course, you would want to lock stuff down as best you can if you’re leaving it open to the world. Most will recommend using a VPN to connect to your home network instead (I do that as well).
Yes. Instead of using the interface address alias for the DNS server, you would use the Pi-hole DNS server address if you are assigning the Pi-hole DNS server to all your clients via DHCP. If you are using Pi-hole upstream with Unbound DNS, the rules can be the same as this guide (because you would be using Unbound for the clients and then Unbound would be using Pi-hole as the upstream DNS server).
Sorry for the delay. Your comment got flagged as “held for review” and I don’t check for those very often because they are filtered out by default. The rules should still apply but you would probably need to use the IP address of your Pi-hole server instead of using the interface address depending how you have it set up on your network. As for not being able to ping your interfaces, you need to create a rule to allow ICMP on your networks. If you don’t have all protocols allowed with your rules you would have to create a separate rule to allow ICMP. If you want to allow it for your entire network you could create a floating rule so it can apply to all interfaces.
The “net” aliases refer to the entire network IP address range (such as 192.168.1.1/24) while the “address” aliases only refer to the interface IP address (such as 192.168.1.1).
Did you remove or disable the original allow all rule on the LAN interface? (only do that when you have other rules in place so you don’t block access)
@homenetworkguy I actually left the last rule even though I combined the allow-all with the block access to private LAN. I forgot to mention I have a new switch which is an HPE 1930, so it has routing capabilities. Apparently I set it up to use them, which is why my devices work but my VLANs seem to be communicating with each other. I can ping all VLAN interfaces no matter which VLAN I am in. The problem is when I disable the routing I can only get the assigned IP in the right VLAN and can ping the VLAN gateway, but I cannot access the internet. Although I can also not ping pretty much anything except the VLAN gateway.
@@YellowstoneCommie ahh, if you used the Layer 3 routing options of your switch, the traffic may not even travel to your firewall since the switch is handling the traffic. If you turn on the L3 routing and you can reach the Internet, assuming the traffic hits the firewall, it sounds a bit like your firewall rules are not correct, but I would have to see how they are configured. It’s tough to know for sure without knowing how everything is configured, such as the fact you were using L3 routing features of the switch.
@homenetworkguy OK, I think my plan is to first disable all routing on my Layer 3 switch and then erase all learned routes and dynamic routing protocols. Then I will create a default route pointing to the firewall gateway. Then I think I can enable routing and all traffic will again be managed by our rules. I noticed when I turned off routing on the L3 switch, I could only communicate within my VLANs but nowhere else. I found that odd but I had to table this for testing first.
Great video, I couldn't work out why I could not write the IPs in the alias box, it was set to default as hosts not networks. After googling and checking I am writing the IPs correctly, I now feel rather stupid :)
Yes great. You wouldn’t know if a guide exists of how to connect to a proxy server on one LAN network. (Transparent forward proxy)? This was my main reason to isolate the network.
I have other guides which show some IPv6. For some of the rules, when you are using built-in firewall aliases or using “any” as a source/destination, you could likely just make the rule use both protocols IPv4 + IPv6 and it would cover both protocols at the same time in the same rule. I’ll try to include more IPv6 in the future but I personally don’t use it the same way as IPv4 because my ISP uses dynamic prefixes, which is frustrating and complicates things when you want to use static IPs on your internal network (OPNsense does have dynamic IPv6 address aliases, but it doesn’t solve every problem).
Why is it garbage? Separating networks via VLANs/firewall rules is just one additional layer of protection against internal/external threats. You could just protect the edge of your network, but if something gets past the edge firewall, practically all of the network security is defeated. The problem is not an easy one to solve completely and the original Internet and networks were not really designed with much security in mind.
Thank you for continuing to make these videos. You will soon be the best OPNsense / Home Network source in the world!
Thanks so much for supporting me as well as the kind words! I appreciate it!
I just installed OPNsense on two Proxmox servers and got HA running. Now I wanted to get my Wi-Fi router connected into OPNsense on a separate network so the Guest SSID only goes out to the internet. I found this video which is going to really help me get started plus help me learn about firewall rules, which I'm really new at creating. Thank you for investing the time to create this video.
You’re welcome! I’m glad you’re finding the videos to be helpful in your learning!
Another great video with clear explanations. Watch it people until the very end ;)
Thanks! Haha. I thought I would show some bloopers where I had to troubleshoot while filming. Even though I’ve worked with OPNsense for a while, I still mess up!
@@homenetworkguy this is happening to me more than I'd expect as well.
Thank you !
You’re welcome! Thanks for the support! I appreciate it!
Great content, it’s important to separate networks so we can maintain the integrity of data.
Thanks! Yeah definitely a good idea to do even on home networks to minimize the attack surface and the impact of exploits of vulnerabilities.
Man, relevant stuff. Thanks, DC!
Thanks! I have another firewall rule one coming up soon. Going to discuss floating rules, firewall group rules, and interface rules and when you may want to use each type (especially the first 2 types because there are subtle differences).
@@homenetworkguy if I could make a suggestion, maybe use the cicada theme? It's a dark theme and faster than the rebellion theme. Besides my retinas will thank you. 😎
Someone else mentioned that the dark theme gets more views so I think I'm going to have to switch to the dark side since dark mode is more preferred these days. I already started another video that's not in dark mode but I can change after that one.
He's nailing this stuff rock solid !
Awesome video! I think a good follow up video would be on plugins like mDNS Repeater and/or UDP Broadcast Relay to enable devices like smartphones to cast audio/video on IoT devices
Thanks! I have another firewall rule video coming up which I think will be helpful as well. I use MDNS on my network mostly to share my printer across networks so it can be discoverable. The plugin configuration is pretty simple but it has to be combined with firewall rules so there could be some usefulness of such a video.
I have noticed that the mDNS plugin in OPNsense doesn't work for all types of multicast traffic (perhaps it is hardcoded to only repeat certain multicast addresses and not others). Ideally I try to keep traffic which needs to communicate with protocols such as Bonjour/Avahi on the same network to keep things simple. Fortunately most of those devices are IoT (or close enough to be IoT) devices so I don't mind them being on the same network anyway.
Ultimately, even though I want increased security on my network and do have some things locked down tighter, I also need my network to "just work". haha. If my network is so locked down that it's not usable, my end users (aka my family) will not be happy. I also don't want to spend too much time troubleshooting things when I could be doing other more constructive things like create content on UA-cam!
Thank you for the excellent video, it helped me solve a situation with a team. Continue uploading videos, you can also recommend what equipment to buy.
Nice! Glad you found it helpful. I do have some hardware related videos of some devices I’ve tried and tested. I’m going to be checking out some more Grandstream networking equipment within the next month or so, for example.
Tysm, finally got my first VLAN rules to work. Had a problem accessing the internet but this video helped me a lot to understand.
Glad the video helped you understand the firewall rules!
Really great video - thanks, have used this to start segregating my network. I followed this video to the letter and if you apply the "Destination Invert / Private Networks" onto your outbound LAN rule then you prevent the LAN traffic from being able to see the guest traffic in both directions.
Thanks! Glad you found it helpful. I’m not sure what you mean about applying the rule outbound on the LAN interface. Using the direction of “in” is sufficient because any traffic entering into the LAN interface can be blocked with “in” rules. If you block access to other networks with “in” direction rules (which is the default), you won’t have access to any of the traffic on other networks. Using the direction of “out” for rules is less efficient and should only be used in a few cases (such as blocking outbound WAN traffic). Not sure if you were referring to the direction of the rules but thought I would mention it.
@@homenetworkguy the default allow-all rule on your LAN interface (which I called outbound) still allows you to send traffic from LAN to Guest. I applied your Destination Invert / Private Networks logic to this default rule to ensure both the LAN and guest are segmented, i.e. you can ping/portscan from LAN to guest.
Ohh I quickly glanced at my video. You’re saying I changed the GUEST network rules but not the LAN network rules so it has access to all local networks since it has an allow all rule? I was focused on just isolating a single network probably so I could demonstrate the different ways you can implement the rules. I definitely mess up in my videos. Haha. Unlike written content, I can’t go back and fix it without making another video.
Really helpful video. One thing I noticed is that you don't have to put other rules between the two. The internet rule doesn't block anything because the action is "Pass". So you can put other rules at the end if you want to.
Ohh yeah.. that’s a good point. I used to have the block all private IPs rule at the bottom instead of combining it into the “allow internet but block private IP” rule using the destination invert so it’s just a bad habit now to keep it at the bottom. I didn’t think about the fact the order doesn’t matter as much because of that fact. Thanks for pointing that out! Sometimes I need those details brought to my attention because my mind gets stuck on other thoughts, haha.
Allowing ping to just the gateway IP of the subnet that your machine is on is a good idea to allow you to verify that your device is indeed connected. If a machine is assigned an IP, the gateway has to be assigned anyways, so allowing ping to that IP is not giving away any information that is not already given. Highly useful if you are on wi-fi.
Allowing ping to other devices on the same network, or to other gateway IP's, or to other gateway devices is a choice that one would need to make... As it's possible to enable and disable rules quite easily, it's possible to create the allowed rule, and then enable those rules depending upon whether you are troubleshooting at the moment or not.
Yeah not a bad idea to allow it for the gateway IP at a minimum.
Very clear and practical example.
Thanks!
You are a life saver! Thank you so much for this excellent content.
Thanks! I’m happy to be of help!
Trying to isolate my networks but it's not working. I have VLAN 100 and VLAN 200. I am trying to prevent anything on VLAN 100 from accessing anything on VLAN 200. I created a block rule from VLAN 100 to VLAN 200 under the VLAN 100 interface (in rule). I followed your video but it's not working.
Do you have your block rule above any other allow rules? The order of the rules is important. Make sure you leave the rule at the default direction of “in” even though it sounds like “out” is the appropriate option.
I am having the same issue. I followed your instructions exactly but can still freely ping between vlans
@@YellowstoneCommie I would probably have to see the rules to identify the issue. There are a couple of ways you can go about blocking traffic via firewall rules. Order matters as well as other firewall rule options.
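To make the points in this thread concrete (rule order matters, interface rules are evaluated in the "in" direction and first match wins, "Destination / Invert" against a private-networks alias allows Internet while blocking other local networks, a block for one static IP has to sit above the allow-Internet rule, a port alias such as 139/445 for SMB, and the fact that same-subnet traffic never reaches the firewall at all), here is an added Python model of OPNsense-style interface rule evaluation. It is example code written for this page, not OPNsense's own code or anything from the video; the interface addresses, rule sets and host IPs are constructed, and the evaluator is a simplification (no state table, no floating or group rules, no NAT).

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption): LAN and GUEST are two OPNsense interfaces.
INTERFACES = {
    "LAN":   ipaddress.ip_interface("192.168.1.1/24"),
    "GUEST": ipaddress.ip_interface("192.168.20.1/24"),
}

# RFC 1918 ranges: the only destinations that matter for isolating internal networks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Port alias as created under Firewall > Aliases with Type "Port(s)" (constructed name).
PORT_ALIASES = {"SMB_ports": {139, 445}}


def alias(name):
    """Resolve an OPNsense-style alias name to a list of networks.
    '<IF> net' is the whole subnet; '<IF> address' is only the interface IP."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name == "PrivateNetworks":
        return RFC1918
    if name.endswith(" net"):
        return [INTERFACES[name[:-4]].network]
    if name.endswith(" address"):
        return [ipaddress.ip_network(str(INTERFACES[name[:-8]].ip))]
    return [ipaddress.ip_network(name)]  # literal host IP or CIDR


@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: str = "any"
    dst: str = "any"
    dst_invert: bool = False  # the "Destination / Invert" checkbox
    proto: str = "any"       # "any", "tcp", "udp", "tcp/udp" or "icmp"
    dport: str = "any"       # "any", a port number, or a port alias name
    descr: str = ""


def _match_addr(addr, alias_name, invert=False):
    hit = any(addr in net for net in alias(alias_name))
    return hit != invert


def _match_port(port, spec):
    allowed = PORT_ALIASES.get(spec) or {int(spec)}
    return port in allowed


def evaluate(iface, rules, src, dst, proto="tcp", dport=0):
    """Evaluate a packet entering 'iface' (direction "in") against its rules.
    First matching rule wins, as OPNsense interface rules are "quick" by default;
    no match falls through to the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Hosts in the same subnet reach each other through the switch; only traffic
    # to the gateway itself or to another network is ever seen by the firewall.
    if dst in INTERFACES[iface].network and dst != INTERFACES[iface].ip:
        return ("not routed", "same subnet, never reaches the firewall")
    for r in rules:
        if r.proto != "any" and proto not in r.proto.split("/"):
            continue
        if not _match_addr(src, r.src) or not _match_addr(dst, r.dst, r.dst_invert):
            continue
        if r.dport != "any" and (proto == "icmp" or not _match_port(dport, r.dport)):
            continue
        return (r.action, r.descr)
    return ("block", "default deny")


# GUEST interface: DNS and ping to the gateway, then Internet only (constructed).
GUEST_RULES = [
    Rule("pass", "GUEST net", "GUEST address", proto="udp", dport="53", descr="Allow DNS to gateway"),
    Rule("pass", "GUEST net", "GUEST address", proto="icmp", descr="Allow ping to gateway"),
    Rule("pass", "GUEST net", "PrivateNetworks", dst_invert=True, descr="Allow Internet, block private"),
]

# LAN interface: one static host denied Internet (block sits ABOVE the allow),
# SMB to a NAS on the GUEST network via the port alias, then Internet only.
LAN_RULES = [
    Rule("block", "192.168.1.77", "any", descr="No Internet for 192.168.1.77"),
    Rule("pass", "LAN net", "192.168.20.10", proto="tcp", dport="SMB_ports", descr="SMB to NAS on GUEST"),
    Rule("pass", "LAN net", "PrivateNetworks", dst_invert=True, descr="Allow Internet, block private"),
]

if __name__ == "__main__":
    print(evaluate("GUEST", GUEST_RULES, "192.168.20.50", "1.1.1.1", "tcp", 443))
    print(evaluate("GUEST", GUEST_RULES, "192.168.20.50", "192.168.1.10", "tcp", 445))
    print(evaluate("LAN", LAN_RULES, "192.168.1.77", "1.1.1.1", "tcp", 443))
    # Same rules, wrong order: the allow-Internet rule now matches first.
    print(evaluate("LAN", list(reversed(LAN_RULES)), "192.168.1.77", "1.1.1.1", "tcp", 443))
```

The reversed-order call is the mistake the thread keeps circling back to: with the pass rule above the block rule the blocked host reaches the Internet anyway, and nothing in the GUI warns about it. The "not routed" branch is why a firewall on the router cannot separate two hosts in the same VLAN; that needs a host firewall, port isolation or client isolation instead.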
Why do you still need the blocking rule since you already created the VLAN? isn't that is the function of VLAN to separate or so-called isolate out the network? I am confused now...🙂🙂🙂
@@jeffreyooi1971 when you create rules to allow traffic to other VLANs, the router will happily allow traffic between the networks. That is the job of a router. Firewall rules are needed to restrict or allow access between the networks. As soon as you create an ‘allow all traffic’ type of rule you will need to create a block rule to restrict access to other networks while allowing access to the Internet, for example. You can achieve this different ways as I show in the video. VLANs operate at Layer 2 while routers are operating at Layer 3.
Exactly what I was looking for, thanks so much! Subbed👍
Thanks! I’m glad you found what you were looking for!
Thanks for the great content Dustin! I have a question about isolating the network within VMs on the same Linux bridge. If we use Proxmox VMs or containers on the same Linux bridge with the same VLAN ID, they don't communicate with their gateway (OPNsense VLAN interface IP) when they need to connect to each other. So the firewall rules are not applied for them if we want to block access between them. Is there any way to manage their internal network with the firewall rules while they're in the same VLAN?
I would like to create isolated VMs without creating new VLAN + network configuration for each on OPNsense, if possible.
You are correct. Any device on the same network/VLAN will be able to communicate freely since that is how networks were designed to function. If you want to limit further access there are a couple of options:
1. Use a firewall on each host. For example on some Linux distributions such as Ubuntu, you can make use of ufw firewall to limit access by creating firewall rules on the system. I do this in addition to firewall rules on OPNsense to have multiple layers of security (defense in depth).
2. You can create VLANs inside VLANs. They are sometimes called private VLANs or Q-in-Q VLAN tunnels/stacking. I haven’t tried it but this would require additional switch and OPNsense configuration which is not what you’re looking for.
3. For physical clients on the network that are wired to your network switch, you can make use of port isolation, which allows you to limit which ports a particular port is allowed to communicate with. You basically only allow the port of the client device to communicate with the trunk port connected to OPNsense, which effectively means the device cannot communicate with other devices within the same network. The traffic is blocked at Layer 2 (I believe) by the network switch.
Awesome video brother!
Thanks! Appreciate it!
6:00 how is it different from bogons?
Bogons are public IP addresses that are reserved for special purposes and should not be used, which is why they are blocked on the WAN interface by default.
To isolate networks on your internal networks, you only have to worry about the private IP address ranges (for IPv4).
Hello, this doesn't seem to work for me.
I've got OPNsense running on a Proxmox mini PC with two Ethernet ports, one for WAN and one for LAN, and all my VLANs have LAN as their parent. When I set up those rules, I lose access to the internet.
Here is my topology:
FAI edge router -> opnsense wan -> opnsense lan -> L2 switch
-> VM in tagged VLAN, which loses access to the internet.
My best guess is that it loses internet access because the LAN is relaying that, and we just cut that off. How would you go about segregating the LAN from the VLAN in a scenario like this without losing internet access?
Hmm it’s hard to say without looking at the details of your config. I isolate VLANs on my main OPNsense box as well as VMs that are behind my primary OPNsense for testing purposes using the same types of rules to isolate networks without experiencing such issues.
@homenetworkguy I think I found what the issue was: I'm using a local Pi-hole, configured in OPNsense, for DNS, so it could not be resolved. By setting regular DNS for that VLAN I do have internet access. 👍👍
Ahh sounds good. Glad you got it sorted out. DNS is one of those things I try to keep simple to minimize issues on my network since it can always cause problems. Haha
Do these rules need to be applied to the LAN and WAN interface?? Thanks for this video really helped a lot!!
Only the LAN and other interfaces/VLANs. You do not need to do it for the WAN. Glad the video helped!
Hi Dustin,
Was wondering if you plan to do a VLAN isolated network with the new Kea DHCP? :D
Kea DHCP is on my todo list. haha
@homenetworkguy awesome :D
Could these two rules be set as floating rules?
You could. Some users prefer zone-based firewalls so they use only floating rules. However, if you decide you want to block something on one of the interfaces, you can't create it in the interface firewall rules section. You would have to put it in the floating rules above your other allow rules.
I prefer to have the rules to isolate networks on each interface as well as any interface specific access on each interface. When I want to allow access on a specific interface (VLAN), it’s convenient to look at the interface rules instead of scrolling through a bunch of floating rules.
I use firewall groups to reduce repetition of rules for interfaces which have a few rules that are the same.
I like using floating rules when allowing network-wide access or blocks (such as allowing SSH access and iperf3 on the entire network).
Really love your videos. Need some help on FW Alias for NAS (SMB). How do you add the port 139, and 445 to an alias? Newbie question, just dont know where to input these port? Trying to write a rule to allow SMB traffic from one interface to another.
I'm glad you enjoy them! You would need to go to Firewall > Aliases. Click the "+" button. Enter a Name. Select Port(s) as the Type. Enter 139 and 445 in the Content. Click Save.
Go to the source interface in OPNsense where you want a client to access a server on another interface on OPNsense and create a rule which uses the source interface net alias (or specific IPs). Enter the destination IP or network and choose the alias for the destination port, and it should include both port numbers.
@homenetworkguy Thank you! That did the trick. However, I did end up having to use the destination IP of the NAS appliance versus being able to use the interface name (example: NAS.address). So I think I may have a DNS issue as well. Using OpenDNS and Unbound DNS within the OPNsense FW. Still learning here. Not sure how or where to register a device name and IP etc.
I drove myself crazy trying to make rules to get my guest network not to talk to my LAN and vice versa, but nothing worked except just creating a floating rule saying no data transfer from guest to LAN in any direction and another floating rule allowing DNS. I don't know if it's because I am only using a PC with one NIC and a managed switch.
Perhaps you don’t have all of the VLAN configuration exactly right on OPNsense or the switch since you should be able to isolate networks as I have described whether the networks are VLANs or other networks on physical interfaces.
Did you isolate each guest
This video focuses on isolating networks. To isolate guests/clients within each network, you can use port isolation for wired devices and client isolation for wireless devices. In addition, for desktops/servers you can install a local firewall for further protection. Not all devices have the ability to install your own local firewall so the best you can do is use port isolation or client isolation for wired/wireless devices if you want isolation within each network.
I cannot ping my firewall even when directly plugged in. I have automatic rules created, one of which is blocking all my traffic, called "default / deny state violation rule".
ICMP protocol needs to be allowed on your network via firewall rules if you want to ping devices on other networks and the firewall interfaces.
@homenetworkguy ok 👍 I went very slowly and practiced everything you said and now I am good.
Thank you for the help. I feel much safer now that there is some separation of the attack surface.
I’m glad you got it all sorted out!
@homenetworkguy do you have suggestions on how to take my old router, which is now acting as my AP? I want to have the guest WiFi users get one VLAN and the home SSID get another VLAN. I have a Catalyst switch where the AP is plugged in. Everything is getting assigned the same VLAN, which is what the switch port is configured for. Do I need to have the port be a trunk port on the switch where the AP is?
Can you create an alias for certain single LAN IPs (e.g. 2 computers that I don't want to have access to my server)?
If your server is on another network and you have the networks isolated from each other, then you wouldn’t need an alias. If you are allowing the entire LAN access to your server on another network then you could create an alias with a block rule to deny access to your server.
@homenetworkguy my server is on my same network. Just want to block my son's computer from accessing it.
@Apollopayne25 if it's on the same network then you will have to enable a firewall on your server and block the PCs on the server's firewall. The router's firewall won't be able to block those PCs if they're on the same network because networking was designed to allow communication between devices that are in the same network. Since no routing across networks is necessary, you can't block the traffic via the firewall on your router (OPNsense, for example).
Great video! Although I'm still having trouble blocking just 1 LAN IP from the internet. I have a mini PC with OPNsense and 1 WAN port and 1 LAN port, then the LAN port of the mini PC to a switch. I also have an old router in bridge mode for WiFi, plugged into the switch, so I'm not sure if that has something to do with it.
Basically it either blocks all LAN traffic to the internet or none... I've set these rules up in the past on pfSense routers and a DD-WRT router and never had much trouble. Maybe you could shed some light on the subject?
If you want to block a single IP, you'll need to give that device a static IP. The firewall rule should be set as a block rule and use that static IP as the source, and the destination should be any. The rule needs to be above the rule to allow access to the Internet (near the top of the list of rules). The order matters when creating rules.
That didn't work. I'm thinking the switch is routing by MAC and bypasses the router's ACL.
You wouldn't be the first one with that issue if that is the case. I think some others are having trouble because they are doing some L3 routing on their switches with ACLs (although by default, I think most switches would not have such features enabled since the ACL needs to be configured to function as intended, I believe). I always assume that is not the case for most users so I forget to ask if there is any L3 switching going on with the switches being used on your network. If the switch is performing the routing, then OPNsense (and other routers/firewalls) will not see that traffic so it will not be able to have any firewall rules applied.
I ordered a USB to Ethernet adapter to plug into OPNsense and give it another LAN port. Then I'll plug the bridged WiFi router into it. I'm hoping I can get MAC address control at least on those devices. I have all devices in the network statically assigned via DHCP. I know it's overkill but I hope it helps in blocking what needs to be blocked. I eventually got rid of the allow any line, then created aliases for 3 groups: wan-no = devices that never get WAN, wan-yes = always need WAN, screentime = devices like Fire TV, tablets, cellphones, and created allow rules for those. This worked great, except it allowed devices on the LAN to talk to each other, assuming MAC address level routing... So for example if I disable the screentime rule, all those devices won't have internet, which is great, although my media center has Emby serving the media so those local devices can still access it.
Once I get the USB Ethernet adapter today, I need to find the proper way to make sure it's part of the LAN and make sure it gets DHCP from OPNsense like the LAN port does. I tinkered with making a bridge before but I'm not sure if it's what's needed.
I also thought of doing VLANs. Not my strong suit, btw. But from what I understand it would create another subnet for each VLAN group. I'm not sure if that will work as well, since my suspicion is the switch will still bypass the router and use the switch to route by MAC address.
One thing to keep in mind: devices on the same network can talk to each other and do not pass through the firewall. It's how networks function. If you want to restrict access within the same network you will need to install a local firewall on each device (server, PC, etc.) but that's not something you can really do with iPhones, iPads, or media players, for instance. You would need to put those devices on their own VLAN and restrict access between networks in OPNsense. Each VLAN is essentially its own subnet. You can control access via firewall rules.
very useful, thanks
Glad you found it useful!
Awesome video. Can you please make a video about port forwarding for self hosted app?
Yeah, I could. There's not a lot to basic port forwarding, but it gets more interesting if you want to use a reverse proxy and put Cloudflare in front of your services to help protect them better. Of course, you would want to lock stuff down as best you can if you're leaving it open to the world. Most will recommend using a VPN to connect to your home network instead (I do that as well).
Would this guide for rules still apply with pihole as dns server ?
Yes. Instead of using the interface address alias for the DNS server, you would use the Pi-hole DNS server address if you are assigning the Pi-hole DNS server to all your clients via DHCP. If you are using Pi-hole upstream with Unbound DNS, the rules can be the same as this guide (because you would be using Unbound for the clients and then Unbound would be using Pi-hole as the upstream DNS server).
Sorry for the delay. Your comment got flagged as "held for review" and I don't check for those very often because they are filtered out by default. The rules should still apply, but you would probably need to use the IP address of your Pi-hole server instead of using the interface address, depending on how you have it set up on your network.
As for not being able to ping your interfaces, you need to create a rule to allow ICMP on your networks. If you don’t have all protocols allowed with your rules you would have to create a separate rule to allow ICMP. If you want to allow it for your entire network you could create a floating rule so it can apply to all interfaces.
Btw, I never understood why sometimes in the Source/Destination fields on rules we use "NET_NAME net" and sometimes "NET_NAME address".
The “net” aliases refer to the entire network IP address range (such as 192.168.1.1/24) while the “address” aliases only refer to the interface IP address (such as 192.168.1.1).
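Several replies above turn on the same mechanics: the block rule has to sit above the allow-all rule (the VLAN isolation questions), the "private networks" RFC1918 alias is what the block rule targets, a Port(s) alias such as 139/445 covers several destination ports in one rule, a single static IP can be blocked only if that rule is above the Internet allow rule, and "net" aliases match the whole subnet while "address" aliases match only the interface IP. The following first-match model is an added example, not code from the video or from the OPNsense project; the subnets, alias names, the NAS address and the sample packets are assumptions chosen for illustration. It reproduces the ordering behaviour of interface rules (first matching rule wins, implicit default deny) so you can see why a misplaced rule lets cross-VLAN traffic through.

```python
"""First-match model of OPNsense-style interface rules (illustrative, added example)."""
import ipaddress
from dataclasses import dataclass

ANY = None  # "any" in the OPNsense rule editor


def nets(*cidrs):
    """Build an alias from one or more CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


# Assumed addressing. "LAN net" covers the whole subnet; "LAN address" is the
# interface IP only, which is what DNS/ICMP-to-gateway rules should target.
LAN_NET = nets("192.168.1.0/24")
LAN_ADDRESS = nets("192.168.1.1/32")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # "private networks" alias
NAS = nets("192.168.2.10/32")        # assumed NAS on another VLAN
SMB_PORTS = {139, 445}               # alias of Type = Port(s)


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str = "any"     # "any", "tcp", "udp", "icmp"
    src: list = ANY        # alias (list of networks) or ANY
    dst: list = ANY
    dports: set = ANY      # destination port alias or ANY
    enabled: bool = True   # rules can be toggled for troubleshooting


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0


def _in_alias(addr, alias):
    return alias is ANY or any(ipaddress.ip_address(addr) in n for n in alias)


def matches(rule, pkt):
    return (rule.enabled
            and rule.proto in ("any", pkt.proto)
            and _in_alias(pkt.src, rule.src)
            and _in_alias(pkt.dst, rule.dst)
            and (rule.dports is ANY or pkt.dport in rule.dports))


def first_match(rules, pkt):
    """Interface rules are evaluated top-down and the first hit wins.
    Nothing matching falls through to the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def isolated_lan_rules(block_first=True, allow_icmp=True):
    """LAN ruleset in the style discussed above. block_first=False reproduces
    the common mistake of leaving the block rule below the allow-all rule."""
    specific = [
        Rule("pass", "udp", LAN_NET, LAN_ADDRESS, {53}),          # DNS to the firewall itself
        Rule("pass", "icmp", LAN_NET, LAN_ADDRESS, enabled=allow_icmp),  # ping the gateway
        Rule("pass", "tcp", LAN_NET, NAS, SMB_PORTS),             # SMB to the NAS via port alias
    ]
    block_private = Rule("block", "any", LAN_NET, RFC1918)        # isolate from every private net
    allow_internet = Rule("pass", "any", LAN_NET, ANY)            # everything else (Internet)
    tail = [block_private, allow_internet] if block_first else [allow_internet, block_private]
    return specific + tail


def host_blocked_rules(host_ip):
    """Block one static IP from everything by placing its rule at the very top."""
    return [Rule("block", "any", nets(host_ip + "/32"), ANY)] + isolated_lan_rules()


if __name__ == "__main__":
    cases = [
        ("internet https", Packet("192.168.1.20", "8.8.8.8", "tcp", 443)),
        ("ssh to other VLAN", Packet("192.168.1.20", "192.168.2.20", "tcp", 22)),
        ("ping own gateway", Packet("192.168.1.20", "192.168.1.1", "icmp")),
        ("ping other VLAN gw", Packet("192.168.1.20", "192.168.2.1", "icmp")),
        ("smb to NAS", Packet("192.168.1.20", "192.168.2.10", "tcp", 445)),
        ("http to NAS", Packet("192.168.1.20", "192.168.2.10", "tcp", 80)),
    ]
    for name, pkt in cases:
        print(f"{name:20s} block-first={first_match(isolated_lan_rules(), pkt):5s} "
              f"allow-first={first_match(isolated_lan_rules(block_first=False), pkt)}")
```

Running it shows the cross-VLAN SSH and ping cases flipping from "block" to "pass" when the allow-all rule is listed first, which is exactly the "I applied the rules but can still ping between VLANs" symptom; the DNS and ICMP rules pass only because their destination is the "address" alias rather than the whole "net", and the SMB rule passes port 445 but not port 80 to the same NAS.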
@homenetworkguy 👌 Now it makes more sense :-)
Thank you!
Great video
Thanks!
I applied the rules for each of my VLANs but I noticed I can still ping from one VLAN to another.
Did you remove or disable the original allow all rule on the LAN interface? (only do that when you have other rules in place so you don’t block access)
@homenetworkguy I actually left the last rule even though I combined the allow all with the block access to private LAN. I forgot to mention I have a new switch, an HPE 1930, so it has routing capabilities. Apparently I set it up to use them, which is why my devices work but my VLANs seem to be communicating with each other. I can ping all VLAN interfaces no matter which VLAN I am in. The problem is when I disable the routing I can only get the assigned IP in the right VLAN and can ping the VLAN gateway, but I cannot access the internet. I also cannot ping pretty much anything except the VLAN gateway.
@YellowstoneCommie ahh, if you used the layer 3 routing options of your switch the traffic may not even travel to your firewall since the switch is handling the traffic. If you turn on the L3 routing and you can reach the Internet, assuming the traffic hits the firewall, it sounds a bit like your firewall rules are not correct, but I would have to see how they are configured. It's tough to know for sure without knowing how everything is configured, such as the fact you were using L3 routing features of the switch.
@homenetworkguy ok, I think my plan is to first disable all routing on my layer 3 switch and then erase all learned routes and dynamic routing protocols. Then I will create a default route pointing to the firewall gateway. Then I think I can enable routing and all traffic will again be managed by our rules. I noticed when I turned off routing on the L3 switch, I could only communicate within my VLANs but nowhere else. I found that odd but I had to table this for testing first.
OK, I figured out what you meant with the allow all rule.
That’s great!
Great video. I couldn't work out why I could not write the IPs in the alias box; it was set by default to Hosts, not Networks. After googling and checking I am writing the IPs correctly, I now feel rather stupid :)
Thanks. Glad it was helpful!
Yes, great. You wouldn't know if a guide exists on how to connect to a proxy server on one LAN network (transparent forward proxy)? This was my main reason to isolate the network.
All well and good for IPv4, but ignoring IPv6 in 2023/2024 is insane.
I have other guides which show some IPv6. For some of the rules, when you are using built-in firewall aliases or using "any" as a source/destination, you could likely just make the rule use both protocols (IPv4 + IPv6) and it would cover both protocols at the same time in the same rule.
I’ll try to include more IPv6 in the future but I personally don’t use it the same way as IPv4 because my ISP uses dynamic prefixes which is frustrating and complicates things when you want to use static IPs on your internal network (OPNsense does have dynamic IPv6 address aliases) but it doesn’t solve every problem.
Wicked idea !!
Thanks!
@homenetworkguy I usually create the RFC1918 rule.
I'm amazed that in 2024 this stuff is still complete garbage in regard to management... It's no wonder there are so many network issues to this day.
Why is it garbage? Separating networks via VLANs/firewall rules is just one additional layer of protection against internal/external threats. You could just protect the edge of your network, but if something gets past the edge firewall, practically all of the network security is defeated. The problem is not an easy one to solve completely, and the original Internet and networks were not really designed with much security in mind.