@viragomann said in Blocking effectively the firewall access from VLAN:
@jt40 said in Blocking effectively the firewall access from VLAN:
Regarding the DNS, you're right, but it doesn't use port 853, I'm not sure why...
You will configure the clients to use DoT. However, I can't see the need to use it within your local network.
It probably makes sense for DNS requests going out to the internet.
If you really want to use DoT on the DNS Resolver, you need to provide an SSL certificate, which the clients are trusting.
Unfortunately the 4th rule is necessary; the traffic doesn't pass, since by default it blocks everything.
Can't imagine that it makes any difference if both rules have "This firewall" as destination set, as you stated above.
Anyway, I found the way to block the internal IP addresses: https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html
This only blocks traffic to private IPs from going out to WAN. This would be the case if you request an IP that isn't part of any of pfSense's networks.
But it doesn't block access to other internal networks.
I need the traffic to pass through that Router/Gateway.
I'm not sure how to set this rule...
I already mentioned above how this could be done using an RFC1918 alias.
Looks like this on my pfSense:
To allow access to your modem, you need to add an additional pass rule above this one.
I didn't enable the DNS forwarder, so only PFsense can resolve domains.
In the setup of DNS over TLS I see the option for the certificate; it's set by default and it's the default one from pfSense, but it doesn't work with that port & protocol, even if I set up only DNS over TLS.
It doesn't seem to be listening on that port at all, judging by the answer from "dig".
I need to make a correction, the 4th rule now is this:
ACCEPT ALL from_this_VLAN | with ANY protocol | TO RFC1918 (inverse rule) | port 443 (HTTPS)
It allows internet traffic on port 443 with HTTPS.
Thank you, I followed your suggestion to use only that alias to make it easy (inverse or not), but it's also the correct way to do it.
In the future, I'll try to automate everything with floating rules; I have something like 15 VLANs.
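As an added illustration of the rule ordering discussed in this thread (not code from the thread or from pfSense), the following first-match evaluator models a VLAN rule set with a DNS pass rule to the firewall, a pass rule for the modem placed above a block on the RFC1918 alias, and the inverted RFC1918 rule on port 443. The firewall and modem addresses are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# The RFC1918 alias, as used in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    dst_nets: List[ipaddress.IPv4Network] = field(default_factory=list)
    invert: bool = False              # pfSense "not" checkbox: match when dst is NOT in dst_nets
    dport: Optional[int] = None       # None means any destination port

    def matches(self, dst: ipaddress.IPv4Address, port: int) -> bool:
        in_nets = any(dst in n for n in self.dst_nets)
        if in_nets == self.invert:    # inverted rules match only addresses outside the alias
            return False
        return self.dport is None or self.dport == port


def evaluate(rules: List[Rule], dst_ip: str, port: int) -> str:
    """First matching rule wins; pfSense denies anything no rule passes."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(dst, port):
            return rule.action
    return "block"


# Constructed sample topology: the firewall's address on this VLAN and the modem behind WAN.
FIREWALL_THIS = ipaddress.ip_network("10.0.10.1/32")   # assumed "This firewall" address
MODEM = ipaddress.ip_network("192.168.100.1/32")       # assumed modem address

VLAN_RULES = [
    Rule("pass", [FIREWALL_THIS], dport=53),           # DNS to the resolver only
    Rule("pass", [MODEM]),                             # modem exception, must sit above the block
    Rule("block", RFC1918),                            # no access to any other internal network
    Rule("pass", RFC1918, invert=True, dport=443),     # the 4th rule: HTTPS to non-private IPs
]

# Same rules with the modem exception moved below the block rule, to show why order matters.
MISORDERED_RULES = [VLAN_RULES[0], VLAN_RULES[2], VLAN_RULES[1], VLAN_RULES[3]]

if __name__ == "__main__":
    for ip, port in (("8.8.8.8", 443), ("8.8.8.8", 80), ("10.0.20.5", 443), ("10.0.10.1", 443)):
        print(f"{ip}:{port} -> {evaluate(VLAN_RULES, ip, port)}")
```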