OPNsense/PFsense firewall rule to allow LAN access to VLAN

[Boyd911]

Hi there,

I’m using OPNsense as a firewall and VLAN. But I’d like to access (SSH mainly) the VMs at the VLAN from my LAN, but every firewall rule I make on the VLAN seems to block the LAN. Ping or SSH from LAN results in a time-out.
What am i doing wrong?

Firewall rules VLAN below:

Pic1: I’ve allowed VLAN (192.168.20.1) internet access and access to LAN (182.168.2.1) is blocked. And tried to give LAN access to anything on VLAN
Pic2: From LAN everything is allowed.

Below a ping to google which works, but a ping to VLAN doesn’t work.

 

[Spoonman2002]

- firewall > rules > LAN :
Action Pass, protocol ipv4 tcp, source LAN net, Port Any, Destination VLAN20, Port 22

- firewall > rules > VLAN20:
VLAN20 does not need opening of SSH port.
I would suggest:
Delete/disable first firewall rule because it makes no sense.
Change your second firewall rule from "Source *" to "Source VLAN20".
So it reads : Block VLAN20 to LAN

The idea behind it is : think from the interface itself and where you want to create access to.
And make sure the "Pass" rule(s) are on top in your list, not at the bottom.

 

[Spoonman2002]

ping access from LAN net to VLAN20 :

- firewall > rules > LAN :
Action Pass, protocol ipv4 ICMP, source LAN net, Port Any, Destination VLAN20, Port Any

 

[HLPCLC]

Make sure your managed switch is grouping your LAN (VLAN 1) and VLAN together, or put your VLAN on the same PVID as your LAN.

Edit: This can honestly be as confusing or more confusing than the firewall rules. Yours seem to be great. Your allow all rule should work by default on both ends. Your managed switching is probably the cause of the issues.

Edit 2: This can become even more complicated if you are using both VLANs in Proxmox and an actual managed switch

 

[Spoonman2002]

Make sure your managed switch is grouping your LAN (VLAN 1) and VLAN together, or put your VLAN on the same PVID as your LAN.

Edit: This can honestly be as confusing or more confusing than the firewall rules. Yours seem to be great. Your allow all rule should work by default on both ends. Your managed switching is probably the cause of the issues.

Edit 2: This can become even more complicated if you are using both VLANs in Proxmox and an actual managed switch

He has no managed switch.
Just an ISP modem and 2 pve hosts.
On one pve host he has OPNsense running as a router/firewall.

 

[Boyd911]

@Spoonman2002 I’ve changed the rules but still both ping and ssh won’t work. Ping timeout.

 

[Spoonman2002]

@Spoonman2002 I’ve changed the rules but still both ping and ssh won’t work. Ping timeout.
View attachment 50866

View attachment 50865

What are you trying to ssh and ping in vlan20?
Is it a Linux vm? If so make sure PermitRootLogin = yes
(/etc/ssh/sshd_config).
And disable any firewall rule that blocks ping/ssh access.

 

[Boyd911]

yes, it’s an ubuntu linux container.

I’ve set PermitRootLogin to yes but I can’t get in from LAN. VLAN to VLAN works.

With you last remark do you mean in the ISP modem?

 

[Spoonman2002]

yes, it’s an ubuntu linux container.

I’ve set PermitRootLogin to yes but I can’t get in from LAN. VLAN to VLAN works.

With you last remark do you mean in the ISP modem?

Not in your modem but in the ubuntu vm. Although I think ubuntu has no default firewall active out of the box like Debian.

 

[Spoonman2002]

"VLAN to VLAN works."

- if you mean VLAN10 to VLAN20 can "see" each other, is not the concept of vlans.
They should be completely isolated/firewalled.

 

[Boyd911]

Sorry, I was unclear. I meant VM11 on VLAN20 to other VM12 on VLAN20. See below Diagram.

 

[Boyd911]

Not in your modem but in the ubuntu vm. Although I think ubuntu has no default firewall active out of the box like Debian.

VM IP, GW & DNS

 

[Boyd911]

My VLAN was connected to WAN interface, changed this LAN. See settings.

But now my VMs don’t get an IP from VLAN DHCP. What am i missing here?