How to configure a guest VLAN in Opnsense

VLANs are commonly used to achieve network segregation. As part of implementing VLANs in Opnsense, it's necessary to configure firewall rules appropriately.

The desired setup for a guest wifi network (for example), is that guests can access the internet, but are blocked from accessing other VLANs.

Apparently inter-VLAN traffic is blocked out of the box -- nice! So all that remains is to configure firewall rules for internet access.

Only two rules are necessary:

1. Permit subnet to access DNS (port 53)
2. Permit subnet to access non-public IPs

For convenience, an alias for local IPs can be set in Firewall > Aliases.