Managing the flow of traffic between different subnets in your network is crucial to ensure security. By isolating networks and ensuring that communication is only allowed where explicitly permitted, you can create a more secure environment. In this video, we’ll explore how to use OPNsense, an open-source firewall and routing platform, to create firewall rules that block access to specific networks while allowing access to everything else (essentially the internet). This method can help enforce a zero-trust model where networks within your infrastructure cannot communicate unless explicitly allowed.
By configuring these rules, you’ll ensure that your networks are isolated. Devices in one subnet won’t be able to communicate with devices in another unless you add specific pass rules, thereby creating a zero-trust model for your network.
Network Categories and Their Purpose:
To achieve isolation, we’ll begin by understanding the different address categories that we might want to block or control in OPNsense. Below is a breakdown of address types, their uses, and why you might want to block them within your network. You can keep or remove what makes sense for you.
Private Network Addresses:
These are reserved address ranges used for internal networks. They are not routable on the public internet and are often used for internal devices.
- 10.0.0.0/8: Large internal networks.
- 172.16.0.0/12: Medium-sized internal networks.
- 192.168.0.0/16: Common in home and office networks.
Link-local Addresses:
These addresses are used for communication between devices on the same local network segment and are not routable beyond the local network.
- 169.254.0.0/16: Used for automatic IP addressing when no DHCP server is available.
- fe80::/10: IPv6 link-local addresses for local communication.
Multicast Addresses:
Multicast addresses are used to send data to multiple recipients simultaneously. These are useful in applications like streaming and conferencing.
- 224.0.0.0/4: Used for multicast communication.
Carrier-Grade NAT (CGNAT) Address:
This address range is used by ISPs for large-scale network address translation, typically allowing multiple customers to share one public IP.
- 100.64.0.0/10: Used in carrier networks for CGNAT.
Reserved Address Ranges:
These ranges are reserved for specific purposes such as default routes or future use and are not used for general communication.
- 0.0.0.0/8: Contains 0.0.0.0, the unspecified address, which is also used to denote the default route.
- 240.0.0.0/4: Reserved for future use.
Unique Local Address (ULA):
ULAs are used within private networks, similar to IPv4 private addresses. They are not routable on the public internet.
- fd00::/8: Reserved for internal use with IPv6.
List of Networks to Block:
Here is a list of the networks that were used in the video. You can copy these for use in your alias:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
100.64.0.0/10
224.0.0.0/4
0.0.0.0/8
240.0.0.0/4
fd00::/8
fe80::/10
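To see how the alias interacts with rule order before clicking through the OPNsense GUI, here is an added Python model (not code from the video or from OPNsense) of first-match rule evaluation: an exception rule, the block rule pointing at the alias above, and the default "allow to any" rule. It matches only on destination address and port; the firewall's LAN address 192.168.10.1 and the DNS exception are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Alias contents: the exact list from the post, parsed once (IPv4 and IPv6 mixed).
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "100.64.0.0/10", "224.0.0.0/4", "0.0.0.0/8", "240.0.0.0/4",
    "fd00::/8", "fe80::/10",
)]


def in_alias(ip: str, alias) -> bool:
    """True if ip falls inside any network of the alias."""
    addr = ipaddress.ip_address(ip)
    # 'in' is False for a mismatched IP version, so mixing v4/v6 is safe.
    return any(addr in net for net in alias)


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    dst: list = field(default_factory=list)  # empty list means "any"
    dport: Optional[int] = None              # None means any port
    description: str = ""


def evaluate(rules, dst_ip: str, dport: Optional[int] = None):
    """First matching rule wins, as OPNsense does when 'quick' is set (the
    default). Returns (action, description); no match means implicit deny."""
    for rule in rules:
        if rule.dst and not in_alias(dst_ip, rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.description
    return "block", "implicit default deny"


# Constructed assumption: the firewall's own LAN address.
FIREWALL_LAN_IP = [ipaddress.ip_network("192.168.10.1/32")]

# Order matters: the DNS exception must sit above the block rule, otherwise
# the alias (which covers 192.168.0.0/16) swallows traffic to the firewall too.
LAN_RULES = [
    Rule("pass", FIREWALL_LAN_IP, 53, "allow DNS to the firewall"),
    Rule("block", PRIVATE_NETWORKS, None, "block private networks"),
    Rule("pass", [], None, "default allow LAN to any"),
]
```

Swap the first two rules and the DNS exception never fires, which is the most common reason a newly isolated LAN loses name resolution.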