Configuring an OPT interface as an additional LAN¶

Note

By default the Netgate 2100 is not configured with OPT interfaces. To reconfigure one or more of the LAN switch ports as an OPT interface, see Switch Overview.

This guide configures an OPT port as an additional LAN type interface. These local interfaces can perform a variety of tasks, such as being a guest network, DMZ, IOT isolation, wireless segment, lab network, and more.

Configuring an additional LAN

Requirements
Assign the Interface
Interface Configuration
DHCP Server
Outbound NAT
Firewall Rules
- Open
- Isolated
Other Services

Requirements ¶

This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc).
Choose a new local subnet to use for the additional LAN type interface. This example uses 192.168.2.0/24.

Assign the Interface ¶

The first step is to assign an OPT interface.

Navigate to Interfaces > Assignments

Look at list of current assignments. If the interface in question is already assigned, there is nothing to do. Skip ahead to the interface configuration.
Pick an available interface in Available network ports

If there are no available interfaces, then one may need to be setup in some other way (e.g. VLANs).
Click Add

The firewall will assign the next available OPT interface number corresponding to the internal interface designation. For example, if there are no current OPT interfaces, the new interface will be OPT1. The next will be OPT2, and so on.

Note

As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx.

The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI.

Interface Configuration ¶

The new interface must be enabled and configured.

Navigate to Interfaces > OPTx
Check Enable interface
Set custom name in the Description, e.g. GUESTS, DMZ, etc.
Set the IP address and CIDR mask for the new LAN

For this example, 192.168.2.1/24.
Do not add or choose a gateway
Uncheck Block private networks

This interface is a private network, this option would prevent it from functioning.
Uncheck Block bogon networks

The rules on this interface should only allow traffic from the subnet on the interface, making this option unnecessary.
Click Save
Click Apply Changes

The lack of a selected gateway in the interface configuration causes the firewall to treat the interface as a LAN type interface.

The firewall uses LAN type interfaces as sources of outbound NAT traffic but does not apply outbound NAT on traffic exiting a LAN. The firewall does not add any extra properties on firewall rules to influence traffic behavior. The DNS Resolver will accept queries from clients on LAN type interfaces.

DHCP Server ¶

Next, configure DHCP service for this local interface. This is a convenient and easy way assign addresses for clients on the interface, but is optional if clients will be statically addressed instead.

Navigate to Services > DHCP Server, OPTx tab (Or the custom name)
Check Enable
Configure the Range, e.g. from 192.168.2.100 to 192.168.2.199

This sets the lower (From) and upper (To) bound of automatic addresses assigned to clients.
The rest can be left at defaults
Click Save

Outbound NAT ¶

For clients on this interface to get to the Internet from private addresses, the firewall must apply Outbound NAT for the new subnet.

Navigate to Firewall > NAT, Outbound tab
Check the current outbound NAT mode

If the mode is set to Automatic or Hybrid, then this may not need further configuration. Ensure the new LAN subnet is listed as a Source in the Automatic Rules at the bottom of the page. If so, skip ahead to the next section to configure Firewall Rules.

If the mode is set to Manual, create a new rule or set of rules to cover the new subnet.

Click to add a new rule at the top of the list
Configure the rule as follows:

Interface

Choose the WAN interface. If there is more than one WAN interface, add separate rules for each WAN interface.

Address Family

IPv4

Protocol

Any

Source

Network, and fill in the new LAN subnet, e.g. 192.168.2.0/24.

Destination

Any

Translation Address

Interface Address

Description

Text describing the rule, e.g. Guest LAN outbound on WAN
Click Save
Click Apply Changes

Alternately, clone existing NAT rules and adjust as needed to match the new LAN.

Firewall Rules ¶

By default there are no rules on the new interface, so the firewall will block all traffic. This is not ideal for a LAN as generally speaking, the LAN clients will need to contact hosts through the firewall.

Rules for this interface can be found under Firewall > Rules, on the OPTx tab (or the custom name, e.g. GUESTS).

There are two common scenarios administrators typically choose for local interfaces: Open and Isolated

Open ¶

On an open LAN, hosts in that LAN are free to contact any other host through the firewall. This might be a host on the Internet, across a VPN, or on another local LAN.

In this case a simple “allow all” style rule for the interface will suffice.

Navigate to Firewall > Rules, on the OPTx tab (or the custom name)
Click to add a new rule at the top of the list
Configure the rule as follows:

Action

Pass

Interface

OPTx (or the custom name) should already be set by default

Protocol

Any

Source

OPTx Net (or the custom name)

Destination

Any

Description

Text describing the rule, e.g. Default allow all from OTPx
Click Save
Click Apply Changes
Add rule to pass any protocol from interface net to any destination

Isolated ¶

In an isolated local network, hosts on the network cannot contact hosts on other networks unless explicitly allowed in the rules. Hosts can still contact the Internet as needed in this example, but that can also be restricted by more complicated rules.

This scenario is common for locked down networks such as for IOT devices, a DMZ with public services, untrusted Guest/BYOD networks, and other similar scenarios.

Warning

Do not rely on tricks such as using policy routing to isolate clients. A full set of reject rules as described in this example are the best practice.

Create RFC1918 alias or alias containing at least the local/private networks on this firewall, such as VPNs. Using all of the RFC1918 networks is a safer practice

Navigate to Firewall > Aliases
Click Add
Configure it as follows:

Name

PrivateNets

Description

Private Networks

Type

Network(s)
Add entries for:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
Click Save
Navigate to Firewall > Rules, on the OPTx tab (or the custom name)

Add rule to pass DNS to firewall (or other DNS servers)

Click to add a new rule at the bottom of the list.
Configure the rule as follows:

Action

Pass

Interface

OPTx (or the custom name)

Protocol

TCP/UDP

Source

OPTx Net (or the custom name)

Destination

This Firewall (self)

If clients are to use DNS servers other than the firewall, use those as the destination instead.

Destination Port Range

DNS, or choose Other and enter 53

To allow DNS over TLS as well, add another rule for DNS over TLS or port 853.

Description

Text describing the rule, e.g. Allow clients to resolve DNS through the firewall
Click Save

Add rule to pass ICMP to firewall

Click to add a new rule at the bottom of the list.
Configure the rule as follows:

Action

Pass

Interface

OPTx (or the custom name)

Protocol

ICMP

ICMP Subtype

Any is OK in this case, ICMP is useful but some people prefer to limit to Echo Request only to allow ping and nothing else.

Source

OPTx Net (or the custom name)

Destination

This Firewall (self)

Description

Allow client ICMP to the firewall
Click Save

Add rule to reject any other traffic to firewall

Click to add a new rule at the bottom of the list.
Configure the rule as follows:

Action

Reject

Interface

OPTx (or the custom name)

Protocol

Any

Source

Any

Destination

This Firewall (self)

Description

Reject all other traffic to the firewall
Click Save

Add rule to reject traffic from this network to private networks

Click to add a new rule at the bottom of the list.
Configure the rule as follows:

Action

Reject

Interface

OPTx (or the custom name)

Protocol

Any

Source

Any

Destination

Single Host or Alias, PrivateNets (the alias created earlier)

Description

Reject all other traffic to private networks
Click Save

Add rule to pass from this interface network to any destination:

Click to add a new rule at the bottom of the list.
Configure the rule as follows:

Action

Pass

Interface

OPTx (or the custom name)

Protocol

Any

Source

OPTx Net (or the custom name)

Destination

Any

Description

Default allow all from OTPx
Click Save

With the rules all in place, now click Apply Changes to finish and activate the new rules.

After the configuration, the rules should look like the following figure:

Example firewall rules for isolated LAN type segment¶

Tip

Rule separators are useful for documenting a ruleset in place.

Similar to the isolated network, it’s also possible to be much more strict with rules to only allow specific outbound ports. When creating this type of configuration,

Other Services ¶

In most cases the above configuration is sufficient and clients on the new LAN can now obtain an address and get out to the Internet. However, there may be other custom settings which need accounted for when adding a new local interface:

If the DNS resolver has specific interface bindings, add the new interface to the list.
If using ALTQ traffic shaping, re-run the shaper wizard to include this new LAN type interface.
Consider using captive portal to control access the interface