OPNsense Isolation Rules for IoT and Guest VLANs

Lock down untrusted networks while preserving DNS and internet access.

Tools Used

  • OPNsense firewall (Firewall → Rules for each VLAN interface, plus the firewall log view for verification)

Steps Taken

  1. Opened Firewall → Rules for the IoT and Guest VLAN interfaces.
  2. Created the following rules on each interface, in this order (OPNsense interface rules are "quick" by default, so the first matching rule decides):
    • Allow DNS (TCP/UDP port 53) from the IoT and Guest networks to the OPNsense interface address on that VLAN ("This Firewall").
    • Block traffic from IoT and Guest to the RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), defined as an alias.
    • Allow outbound traffic from IoT and Guest to any remaining destination, which after the block rule means only the internet.
  3. Enabled logging on the block rule so that inter-VLAN attempts are recorded.
  4. Applied the changes and verified rule order on each interface: the DNS allow above the RFC1918 block, and the block above the catch-all allow. With the catch-all on top every flow matches it first and the block never fires; with the block above the DNS rule the firewall's own interface address (an RFC1918 address) is blocked and DNS breaks.
  5. Validated from a host on each VLAN that no internal subnet was reachable. Because the firewall's interface addresses fall inside the RFC1918 alias, this also covers its management services (web GUI, SSH) on the IoT and Guest interfaces; only port 53 is exposed there.
  6. Confirmed that DNS resolution and internet connectivity still worked from both VLANs.
  7. Reviewed the firewall logs for entries from the block rule showing attempts from IoT and Guest to internal RFC1918 subnets.
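The rule order in steps 2 and 4 is the whole policy, so it is worth checking before the rules go live. The following is an added example, not code from the lab page or from OPNsense: a small first-match simulation of the three-rule set that evaluates the validation flows from steps 5 to 7 against a given ordering. The interface addresses (192.168.20.1 for IoT, 192.168.30.1 for Guest), the LAN host and the internet destinations are constructed for illustration and are not from the page; the "this_firewall" destination stands in for OPNsense's built-in "This Firewall" choice and the RFC1918 alias for one created under Firewall → Aliases.

```python
# Added example (not from the lab page or from OPNsense): first-match
# simulation of the IoT/Guest rule set, to check rule ordering before it is
# applied. OPNsense interface rules are "quick" by default, so the first
# matching rule decides; an unmatched packet hits the implicit default deny.
# All addresses below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Alias as a practitioner would define it under Firewall > Aliases and use
# as the destination of the block rule.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumed OPNsense interface addresses on the IoT and Guest VLANs (not from
# the page); these stand in for the "This Firewall" destination.
THIS_FIREWALL = {ip_address("192.168.20.1"), ip_address("192.168.30.1")}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp", "tcp/udp", "icmp" or None for any
    dst: str               # "this_firewall", "rfc1918" or "any"
    dport: Optional[int]   # destination port, None for any
    log: bool = False
    descr: str = ""


def _dst_matches(rule: Rule, dst: str) -> bool:
    addr = ip_address(dst)
    if rule.dst == "any":
        return True
    if rule.dst == "this_firewall":
        return addr in THIS_FIREWALL
    if rule.dst == "rfc1918":
        return any(addr in net for net in RFC1918)
    raise ValueError(f"unknown destination {rule.dst!r}")


def matches(rule: Rule, proto: str, dst: str, dport: Optional[int]) -> bool:
    """True if the rule covers this flow (protocol, destination, port)."""
    proto_ok = rule.proto is None or proto in rule.proto.split("/")
    port_ok = rule.dport is None or rule.dport == dport
    return proto_ok and port_ok and _dst_matches(rule, dst)


def evaluate(rules, proto, dst, dport=None):
    """Top-down first match, as OPNsense does with quick rules.
    Returns (action, matching_rule); ("block", None) is the default deny."""
    for rule in rules:
        if matches(rule, proto, dst, dport):
            return rule.action, rule
    return "block", None


# The three rules from the steps above, in the order that makes them work.
IOT_RULES = [
    Rule("pass", "tcp/udp", "this_firewall", 53, descr="Allow DNS to OPNsense"),
    Rule("block", None, "rfc1918", None, log=True, descr="Block RFC1918"),
    Rule("pass", None, "any", None, descr="Allow outbound internet"),
]

# Same rules with the catch-all allow on top: every flow matches it first.
WRONG_ORDER = [IOT_RULES[2], IOT_RULES[0], IOT_RULES[1]]

# Flows corresponding to the validation steps (constructed addresses).
VALIDATION_FLOWS = {
    "dns_to_firewall": ("udp", "192.168.20.1", 53),
    "ssh_to_lan_host": ("tcp", "192.168.10.5", 22),
    "https_to_firewall_gui": ("tcp", "192.168.20.1", 443),
    "https_to_internet": ("tcp", "203.0.113.10", 443),
    "ping_internet": ("icmp", "203.0.113.10", None),
}


def check_policy(rules):
    """Evaluate each validation flow; returns {flow_name: action}."""
    return {name: evaluate(rules, *flow)[0] for name, flow in VALIDATION_FLOWS.items()}


def logged_blocks(rules):
    """Names of flows that hit a logging block rule, i.e. what the log shows."""
    return sorted(
        name for name, flow in VALIDATION_FLOWS.items()
        if (r := evaluate(rules, *flow)[1]) is not None and r.action == "block" and r.log
    )


if __name__ == "__main__":
    for name, action in check_policy(IOT_RULES).items():
        print(f"{name:24s} {action}")
    print("logged:", logged_blocks(IOT_RULES))
    print("catch-all on top:", check_policy(WRONG_ORDER))
```

Running it shows the intended set passing DNS and internet while blocking (and logging) the LAN host and the firewall GUI, and shows that moving the catch-all allow to the top passes everything. Swapping the block rule above the DNS rule blocks `dns_to_firewall`, which is the lockout to watch for when the firewall's interface address is itself in RFC1918 space.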

Screenshot: IoT VLAN Firewall Rules

IoT VLAN allowed DNS and internet, blocked from all RFC1918 internal networks.

Screenshot: Guest VLAN Firewall Rules

Guest VLAN isolated from internal networks with DNS and internet access only.

Screenshot: Blocked Traffic Logs

Logged attempts from IoT and Guest to internal RFC1918 subnets being blocked.

Screenshot: DNS and Internet Tests

Successful DNS lookups and internet pings from IoT and Guest VLANs.

Outcome

This lab enforces strict isolation for the untrusted IoT and Guest networks. Both VLANs are prevented from reaching any internal RFC1918 subnet, including the firewall's own interface addresses apart from DNS on port 53, while retaining DNS resolution and outbound internet access. The ordering of the three rules does the work: DNS allow, then RFC1918 block, then a catch-all allow that can only ever match non-RFC1918 destinations. Firewall logs confirm that inter-VLAN attempts from these networks are blocked and recorded, giving both enforcement and visibility. Two caveats for anyone reproducing it: the RFC1918 alias covers IPv4 only, so if IPv6 is enabled on these VLANs the internal ULA or global prefixes need an equivalent block rule, and the alias should be rechecked whenever a new internal subnet is added outside those three ranges. The result is a hardened edge where untrusted devices can operate without exposing internal services or management networks.