OPNsense Inter-VLAN Communication Rules

Define and validate intentional cross-VLAN access based on business logic and segmentation policy.

Tools Used

Steps Taken

  1. Opened Firewall → Rules for each VLAN interface. Rules on an interface apply to traffic entering OPNsense on that interface, so each VLAN's outbound policy is written on its own tab.
  2. Created pass rules for the only intended cross-VLAN paths:
    • Workstations → Servers
    • Management → All VLANs
    • Servers → APInfra
    Reply traffic for these flows is permitted by state, so no reverse rules are needed on the destination VLANs.
  3. Ensured each interface ends with an explicit block-all rule with logging enabled, so every denied flow is logged by a rule we control rather than left to the default deny.
  4. Applied changes and verified rule order: rules are evaluated top to bottom and the first match wins, so a block rule placed above a pass rule shadows it.
  5. Validated allowed paths using ping and service tests from hosts in each VLAN.
  6. Generated intentional blocked traffic (for example Workstations → APInfra) to confirm segmentation enforcement and that the attempts appear in the firewall log.
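The steps above depend on two properties of the rule sets: first-match evaluation on the ingress interface, and a logged block-all at the end of every interface. The following is an added example, not code from the lab or from OPNsense, that models the four rule sets in Python and checks them against the intended segmentation matrix before anything is clicked into the GUI. The VLAN subnets and the .10 test hosts are constructed placeholders, and stateful return traffic is deliberately not modelled.

```python
"""First-match model of the per-VLAN OPNsense rule sets described in the steps.

Added example, not the lab's or OPNsense's own code. Subnets are constructed
placeholders. What is modelled is the pf behaviour the rule order depends on:
a packet is evaluated against the rules of the interface it enters (its source
VLAN), top to bottom, and the first matching rule decides. Reply traffic is
allowed by state and is not modelled here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed VLAN subnets (assumption: not the lab's real addressing).
VLANS = {
    "Workstations": ip_network("10.10.10.0/24"),
    "Servers": ip_network("10.10.20.0/24"),
    "Management": ip_network("10.10.30.0/24"),
    "APInfra": ip_network("10.10.40.0/24"),
}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network       # ANY matches every destination
    log: bool = False
    description: str = ""


def pass_rule(src: str, dst: Optional[str], description: str) -> Rule:
    """Allow traffic from one VLAN to another (dst=None means any destination)."""
    return Rule("pass", VLANS[src], ANY if dst is None else VLANS[dst], False, description)


def block_all_logged(src: str) -> Rule:
    """The trailing, logged block-all rule every interface should end with."""
    return Rule("block", VLANS[src], ANY, True, f"{src}: block all (logged)")


# Per-interface rule sets mirroring the lab's policy. Order matters.
RULES = {
    "Workstations": [pass_rule("Workstations", "Servers", "Workstations -> Servers"),
                     block_all_logged("Workstations")],
    "Management":   [pass_rule("Management", None, "Management -> all VLANs"),
                     block_all_logged("Management")],
    "Servers":      [pass_rule("Servers", "APInfra", "Servers -> APInfra"),
                     block_all_logged("Servers")],
    "APInfra":      [block_all_logged("APInfra")],
}

# Intended segmentation matrix: (source VLAN, destination VLAN) -> expected action.
# Intra-VLAN traffic never crosses the firewall, so src == dst is excluded.
EXPECTED = {(s, d): "block" for s in VLANS for d in VLANS if s != d}
EXPECTED.update({("Workstations", "Servers"): "pass", ("Servers", "APInfra"): "pass"})
EXPECTED.update({("Management", d): "pass" for d in VLANS if d != "Management"})


def vlan_of(addr) -> str:
    for name, net in VLANS.items():
        if addr in net:
            return name
    raise ValueError(f"{addr} is not in any VLAN")


def evaluate(rules, src_ip: str, dst_ip: str):
    """First-match evaluation on the ingress interface; returns (action, rule, logged)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules[vlan_of(src)]:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule, rule.log
    # Nothing matched: fall through to the implicit default deny, which this model
    # treats as unlogged to make a missing block-all rule stand out.
    return "block", None, False


def audit(rules=RULES):
    """Compare the rule sets against EXPECTED using the .10 host in each VLAN.

    Returns a list of (src_vlan, dst_vlan, expected, got); empty means the
    policy is enforced exactly as intended.
    """
    host = {name: str(net[10]) for name, net in VLANS.items()}
    mismatches = []
    for (s, d), want in EXPECTED.items():
        got, _, _ = evaluate(rules, host[s], host[d])
        if got != want:
            mismatches.append((s, d, want, got))
    return mismatches


def unlogged_denies(rules=RULES):
    """Interfaces whose rule set does not end in a logged block-all (the step 3 check)."""
    return [iface for iface, rs in rules.items()
            if not rs or rs[-1].action != "block" or rs[-1].dst != ANY or not rs[-1].log]


def misordered():
    """Same rules with the block-all moved above the pass rule on Workstations."""
    broken = dict(RULES)
    broken["Workstations"] = list(reversed(RULES["Workstations"]))
    return broken


if __name__ == "__main__":
    print("policy mismatches:", audit())
    print("interfaces lacking logged deny:", unlogged_denies())
    print("mismatches with shadowed allow:", audit(misordered()))
```

Running the script with the intended order reports no mismatches and no interface without a logged deny; `misordered()` reproduces the step 4 failure mode, where a block-all dragged above the Workstations → Servers pass rule silently shadows it and the audit flags that one path as blocked instead of passed.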

Screenshot: Workstations VLAN Rules

Firewall rules for Workstations VLAN: Workstations VLAN allowed to reach Servers only.

Screenshot: Management VLAN Rules

Firewall rules for Management VLAN: Management VLAN allowed to reach all VLANs.

Screenshot: Servers VLAN Rules

Firewall rules for Servers VLAN: Servers VLAN allowed to reach APInfra only.

Screenshot: Allowed Communication Tests

Ping and connectivity tests for allowed paths: successful pings for allowed inter-VLAN communication.

Screenshot: Blocked Traffic Logs

Firewall logs showing blocked inter-VLAN traffic: blocked attempts between disallowed VLANs.

Outcome

This lab establishes intentional, policy-driven inter-VLAN communication. Workstations can reach servers, management can reach all VLANs, and servers can reach APInfra. All other cross-VLAN traffic is explicitly blocked and logged. Validation confirmed that allowed paths function correctly while unauthorized attempts are denied and visible in the firewall logs. Because the Management VLAN is the only one permitted to reach everything, it is also the most valuable target, and the other three rule sets deliberately give no path into it. This enforces a clean, business-aligned segmentation model.