Configuring an OPT interface as an additional LAN

Note

By default the Netgate 2100 is not configured with OPT interfaces. To reconfigure one or more of the LAN switch ports as an OPT interface, see Switch Overview.

This guide configures an OPT port as an additional LAN type interface. These local interfaces can perform a variety of tasks, such as being a guest network, DMZ, IOT isolation, wireless segment, lab network, and more.

Requirements

  • This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc).

  • Choose a new local subnet to use for the additional LAN type interface. This example uses 192.168.2.0/24.

Assign the Interface

The first step is to assign an OPT interface.

  • Navigate to Interfaces > Assignments

    Look at the list of current assignments. If the interface in question is already assigned, there is nothing to do. Skip ahead to the interface configuration.

  • Pick an available interface in Available network ports

    If there are no available interfaces, then one may need to be set up in some other way (e.g. VLANs).

  • Click Add

The firewall will assign the next available OPT interface number corresponding to the internal interface designation. For example, if there are no current OPT interfaces, the new interface will be OPT1. The next will be OPT2, and so on.

Note

As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx.

The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI.

Interface Configuration

The new interface must be enabled and configured.

  • Navigate to Interfaces > OPTx

  • Check Enable interface

  • Set custom name in the Description, e.g. GUESTS, DMZ, etc.

  • Set the IP address and CIDR mask for the new LAN

    For this example, 192.168.2.1/24.

  • Do not add or choose a gateway

  • Uncheck Block private networks

    This interface is a private network; leaving this option enabled would block all of its traffic.

  • Uncheck Block bogon networks

    The rules on this interface should only allow traffic from the subnet on the interface, making this option unnecessary.

  • Click Save

  • Click Apply Changes

The lack of a selected gateway in the interface configuration causes the firewall to treat the interface as a LAN type interface.

The firewall treats LAN type interfaces as sources for outbound NAT (their subnets are translated as traffic leaves a WAN) but does not apply outbound NAT to traffic exiting the LAN type interface itself. The firewall also does not add any extra properties to rules on LAN type interfaces to influence traffic behavior (such as the reply-to that rules on WAN type interfaces receive). The DNS Resolver will accept queries from clients on LAN type interfaces.

DHCP Server

Next, configure DHCP service for this local interface. This is a convenient and easy way to assign addresses to clients on the interface, but it is optional if clients will be statically addressed instead.

  • Navigate to Services > DHCP Server, OPTx tab (Or the custom name)

  • Check Enable

  • Configure the Range, e.g. from 192.168.2.100 to 192.168.2.199

    This sets the lower (From) and upper (To) bound of automatic addresses assigned to clients.

  • The rest can be left at defaults

  • Click Save

Outbound NAT

For clients on this interface to get to the Internet from private addresses, the firewall must apply Outbound NAT for the new subnet.

  • Navigate to Firewall > NAT, Outbound tab

  • Check the current outbound NAT mode

If the mode is set to Automatic or Hybrid, then this may not need further configuration. Ensure the new LAN subnet is listed as a Source in the Automatic Rules at the bottom of the page. If so, skip ahead to the next section to configure Firewall Rules.

If the mode is set to Manual, create a new rule or set of rules to cover the new subnet.

  • Click the Add button that inserts a new rule at the top of the list

  • Configure the rule as follows:

    Interface:

    Choose the WAN interface. If there is more than one WAN interface, add separate rules for each WAN interface.

    Address Family:

    IPv4

    Protocol:

    Any

    Source:

    Network, and fill in the new LAN subnet, e.g. 192.168.2.0/24.

    Destination:

    Any

    Translation Address:

    Interface Address

    Description:

    Text describing the rule, e.g. Guest LAN outbound on WAN

  • Click Save

  • Click Apply Changes

Alternately, clone existing NAT rules and adjust as needed to match the new LAN.

Firewall Rules

By default there are no rules on the new interface, so the firewall will block all traffic. This is not ideal for a LAN as generally speaking, the LAN clients will need to contact hosts through the firewall.

Rules for this interface can be found under Firewall > Rules, on the OPTx tab (or the custom name, e.g. GUESTS).

There are two common scenarios administrators typically choose for local interfaces: Open and Isolated.

Open

On an open LAN, hosts in that LAN are free to contact any other host through the firewall. This might be a host on the Internet, across a VPN, or on another local LAN.

In this case a simple “allow all” style rule for the interface will suffice.

  • Navigate to Firewall > Rules, on the OPTx tab (or the custom name)

  • Click the Add button that inserts a new rule at the top of the list

  • Configure the rule as follows:

    Action:

    Pass

    Interface:

    OPTx (or the custom name) should already be set by default

    Protocol:

    Any

    Source:

    OPTx Net (or the custom name)

    Destination:

    Any

    Description:

    Text describing the rule, e.g. Default allow all from OPTx

  • Click Save

  • Click Apply Changes

This single rule passes any protocol from the interface network to any destination. Using OPTx Net rather than Any as the source means packets arriving on the interface with a source address outside its subnet do not match and fall through to the default block.

Isolated

In an isolated local network, hosts on the network cannot contact hosts on other networks unless explicitly allowed in the rules. Hosts can still contact the Internet as needed in this example, but that can also be restricted by more complicated rules.

This scenario is common for locked down networks such as for IOT devices, a DMZ with public services, untrusted Guest/BYOD networks, and other similar scenarios.

Warning

Do not rely on tricks such as using policy routing to isolate clients. A full set of reject rules as described in this example is the best practice.

Create an alias containing the RFC 1918 networks, or at least every local/private network reachable through this firewall, including VPN subnets. Using all of the RFC 1918 networks is the safer practice. If any local or VPN network uses address space outside RFC 1918 (for example a site-to-site peer, or IPv6 if the interface carries it), add those networks to the alias as well; anything missing from the alias is reachable through the default allow rule added at the end of this ruleset.

  • Navigate to Firewall > Aliases

  • Click Add

  • Configure it as follows:

    Name:

    PrivateNets

    Description:

    Private Networks

    Type:

    Network(s)

  • Add entries for:

    • 192.168.0.0/16

    • 172.16.0.0/12

    • 10.0.0.0/8

  • Click Save
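A quick way to check the alias against the networks the firewall actually serves, as an added example (not pfSense code): PRIVATE_NETS mirrors the alias above, while LOCAL_NETS is a constructed inventory in which the VPN tunnel, the CGNAT peer and the IPv6 ULA prefix are assumptions rather than networks from this guide. Any network the function reports is one that the reject rule built on this alias would not catch.

```python
"""Check that the PrivateNets alias covers every local network this firewall
serves. Added example, not pfSense code. PRIVATE_NETS mirrors the alias
built above; LOCAL_NETS is a constructed inventory in which the VPN, CGNAT
and IPv6 entries are assumptions, not networks from the guide."""
from ipaddress import ip_network

PRIVATE_NETS = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# The same alias extended with other address space local networks often use:
# shared address space (RFC 6598) and IPv6 unique local addresses.
EXTENDED_NETS = PRIVATE_NETS + [ip_network("100.64.0.0/10"), ip_network("fc00::/7")]

# Constructed inventory of networks behind or through this firewall.
LOCAL_NETS = {
    "LAN": "192.168.1.0/24",
    "GUESTS (OPTx)": "192.168.2.0/24",
    "OpenVPN tunnel (assumed)": "10.8.0.0/24",
    "site-to-site peer on CGNAT space (assumed)": "100.64.10.0/24",
    "LAN IPv6 ULA (assumed)": "fd12:3456:789a::/64",
}


def uncovered(local_nets, alias):
    """Return the names of local networks that a reject rule with this alias
    as its destination would not catch; traffic to them would fall through
    to the default allow rule at the bottom of the isolated ruleset."""
    missing = []
    for name, cidr in local_nets.items():
        net = ip_network(cidr)
        # subnet_of() only compares networks of the same IP version.
        if not any(net.version == a.version and net.subnet_of(a) for a in alias):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("not covered by RFC 1918 alias:", uncovered(LOCAL_NETS, PRIVATE_NETS))
    print("not covered by extended alias:", uncovered(LOCAL_NETS, EXTENDED_NETS))
```

The IPv6 entry only matters when the interface carries IPv6 and the reject rule uses the IPv4+IPv6 address family; with an IPv4-only rule, IPv6 traffic needs its own rules regardless of the alias.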

  • Navigate to Firewall > Rules, on the OPTx tab (or the custom name)

Add rule to pass DNS to firewall (or other DNS servers)

  • Click the Add button that appends a new rule at the bottom of the list.

  • Configure the rule as follows:

    Action:

    Pass

    Interface:

    OPTx (or the custom name)

    Protocol:

    TCP/UDP

    Source:

    OPTx Net (or the custom name)

    Destination:

    This Firewall (self)

    If clients are to use DNS servers other than the firewall, use those as the destination instead.

    Destination Port Range:

    DNS, or choose Other and enter 53

    To allow DNS over TLS as well, add another rule for DNS over TLS or port 853.

    Description:

    Text describing the rule, e.g. Allow clients to resolve DNS through the firewall

  • Click Save

Add rule to pass ICMP to firewall

  • Click the Add button that appends a new rule at the bottom of the list.

  • Configure the rule as follows:

    Action:

    Pass

    Interface:

    OPTx (or the custom name)

    Protocol:

    ICMP

    ICMP Subtype:

    Any is fine in this case. ICMP is useful for diagnostics, but some administrators prefer to limit this to Echo Request only, which allows ping and nothing else.

    Source:

    OPTx Net (or the custom name)

    Destination:

    This Firewall (self)

    Description:

    Allow client ICMP to the firewall

  • Click Save

Add rule to reject any other traffic to firewall

This Firewall (self) matches every address the firewall holds on any interface, not only its OPTx address, so this rule stops clients from reaching the GUI, SSH, and other firewall services by way of the LAN or WAN addresses as well. It must sit below the DNS and ICMP pass rules above, since rules are matched in order. DHCP on this interface keeps working because the firewall adds its own automatic rules for the DHCP server when it is enabled on the interface.

  • Click the Add button that appends a new rule at the bottom of the list.

  • Configure the rule as follows:

    Action:

    Reject

    Interface:

    OPTx (or the custom name)

    Protocol:

    Any

    Source:

    Any

    Destination:

    This Firewall (self)

    Description:

    Reject all other traffic to the firewall

  • Click Save

Add rule to reject traffic from this network to private networks

  • Click the Add button that appends a new rule at the bottom of the list.

  • Configure the rule as follows:

    Action:

    Reject

    Interface:

    OPTx (or the custom name)

    Protocol:

    Any

    Source:

    Any

    Destination:

    Single Host or Alias, PrivateNets (the alias created earlier)

    Description:

    Reject all other traffic to private networks

  • Click Save

Add rule to pass from this interface network to any destination:

  • Click the Add button that appends a new rule at the bottom of the list.

  • Configure the rule as follows:

    Action:

    Pass

    Interface:

    OPTx (or the custom name)

    Protocol:

    Any

    Source:

    OPTx Net (or the custom name)

    Destination:

    Any

    Description:

    Default allow all from OPTx

  • Click Save

With the rules all in place, now click Apply Changes to finish and activate the new rules.

After the configuration, the rules should look like the following figure:

Example firewall rules for isolated LAN type segment

Tip

Rule separators are useful for documenting a ruleset in place.
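Because the isolated ruleset only works when the rules are matched in the order shown, the following added example (not pfSense code, and not a parser of pf rules) models pfSense's interface-rule semantics for packets entering OPTx: the first matching rule wins, and a packet matching nothing hits the implicit default block. OPTx (GUESTS) is 192.168.2.0/24 as in the guide; LAN 192.168.1.0/24, an OpenVPN tunnel on 10.8.0.0/24, the WAN address 203.0.113.10 and all client addresses are assumed test data. The MISORDERED_RULES list shows what happens when the default allow is placed at the top instead of the bottom.

```python
"""Model of first-match evaluation for the isolated OPTx ruleset above.

Added example, not pfSense code. It models pfSense's interface-rule
semantics (first matching rule wins; no match means the implicit default
block) for packets entering OPTx. Constructed test data: OPTx (GUESTS)
is 192.168.2.0/24 as in the guide; LAN 192.168.1.0/24, an OpenVPN tunnel
10.8.0.0/24 and WAN address 203.0.113.10 are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OPTX_NET = ip_network("192.168.2.0/24")
PRIVATE_NETS = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# "This Firewall (self)" matches every address the firewall holds on any
# interface (assumed addresses here), not just the OPTx address. That is
# why the DNS and ICMP pass rules must sit above the catch-all reject.
SELF = {ip_address(a) for a in ("192.168.2.1", "192.168.1.1", "10.8.0.1", "203.0.113.10")}


@dataclass
class Rule:
    action: str        # "pass" or "reject"
    proto: str         # "any", "tcp/udp" or "icmp"
    src: object        # "any" or an ip_network
    dst: object        # "any", "self" or a list of ip_networks (an alias)
    dport: Optional[int] = None   # destination port, None for any
    description: str = ""


def _matches(rule, proto, src, dst, dport):
    """True when a packet (proto, src, dst, dport) matches the rule."""
    if rule.proto == "tcp/udp" and proto not in ("tcp", "udp"):
        return False
    if rule.proto == "icmp" and proto != "icmp":
        return False
    if rule.src != "any" and src not in rule.src:
        return False
    if rule.dst == "self":
        if dst not in SELF:
            return False
    elif rule.dst != "any" and not any(dst in net for net in rule.dst):
        return False
    if rule.dport is not None and dport != rule.dport:
        return False
    return True


# The five rules of the isolated scenario, in the order the guide adds them.
ISOLATED_RULES = [
    Rule("pass", "tcp/udp", OPTX_NET, "self", 53, "Allow clients to resolve DNS through the firewall"),
    Rule("pass", "icmp", OPTX_NET, "self", None, "Allow client ICMP to the firewall"),
    Rule("reject", "any", "any", "self", None, "Reject all other traffic to the firewall"),
    Rule("reject", "any", "any", PRIVATE_NETS, None, "Reject all other traffic to private networks"),
    Rule("pass", "any", OPTX_NET, "any", None, "Default allow all from OPTx"),
]

# The same rules with the default allow moved to the top: a common mistake.
MISORDERED_RULES = [ISOLATED_RULES[-1]] + ISOLATED_RULES[:-1]


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, description) of the first rule matching a packet
    entering OPTx, or ("block", ...) when no rule matches."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule, proto, src, dst, dport):
            return rule.action, rule.description
    return "block", "implicit default deny"


# Constructed expectations for a correctly isolated guest segment.
EXPECTATIONS = [
    (("udp", "192.168.2.50", "192.168.2.1", 53), "pass"),      # DNS to the firewall
    (("icmp", "192.168.2.50", "192.168.2.1", None), "pass"),   # ping the firewall
    (("tcp", "192.168.2.50", "192.168.2.1", 443), "reject"),   # GUI on the OPTx address
    (("tcp", "192.168.2.50", "192.168.1.1", 22), "reject"),    # LAN address is also "self"
    (("tcp", "192.168.2.50", "192.168.1.20", 445), "reject"),  # host on LAN
    (("tcp", "192.168.2.50", "10.8.0.5", 22), "reject"),       # assumed VPN client
    (("tcp", "192.168.2.50", "198.51.100.7", 443), "pass"),    # the Internet
    (("tcp", "10.9.9.9", "198.51.100.7", 443), "block"),       # spoofed source, not OPTx Net
]


def verify_isolation(rules, expectations=EXPECTATIONS):
    """Return the expectations a ruleset violates as (packet, wanted, got)."""
    failures = []
    for pkt, wanted in expectations:
        got = evaluate(rules, *pkt)[0]
        if got != wanted:
            failures.append((pkt, wanted, got))
    return failures


if __name__ == "__main__":
    print("isolated ruleset violations:", verify_isolation(ISOLATED_RULES))
    print("misordered ruleset violations:", verify_isolation(MISORDERED_RULES))
```

With the guide's ordering every expectation holds; with the default allow at the top, every packet from OPTx Net matches it first and the four expectations that should be rejected (the GUI, the LAN address, the LAN host and the VPN client) all pass instead. The model treats Reject and Block alike as denial; on the real firewall Reject answers with a TCP RST or ICMP unreachable while Block drops silently, which is why Reject is used here for local clients that would otherwise wait on timeouts.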

Similar to the isolated network, it’s also possible to be much more strict with rules to only allow specific outbound ports. When creating this type of configuration,

Other Services

In most cases the above configuration is sufficient and clients on the new LAN can now obtain an address and get out to the Internet. However, there may be other custom settings which need to be accounted for when adding a new local interface:

  • If the DNS resolver has specific interface bindings, add the new interface to the list.

  • If using ALTQ traffic shaping, re-run the shaper wizard to include this new LAN type interface.

  • Consider using captive portal to control access to the interface