    Searching for the fastest way to isolate each VLANs using pfSense firewall rules

heper @mauro.tridici

@mauro-tridici just create an alias containing all your VLAN subnets. Block them all with a single rule.

If you need access to the pfSense device, don't forget to add a rule on TOP to allow such access.

Jarhead @mauro.tridici

        @mauro-tridici said in Searching for the fastest way to isolate each VLANs using pfSense firewall rules:

So, at the moment, since no particular rules have been defined, each VLAN's hosts can reach each other.

Are you saying each host can access other hosts on the same VLAN, or on other VLANs?
With no rules applied, all should be blocked except for the LAN interface.

mauro.tridici @heper

@heper many thanks, it is a very simple solution.
I appreciate it.
Do you know if we can also create a group of rules and "copy & paste" them on each interface? (Maybe it's too fanciful an idea.)

          Thanks,
          Mauro

mauro.tridici @Jarhead

@jarhead, in our case, each interface has a very basic "accept any/any" rule, just to test connectivity.
But now we are going to define the final firewall rules. Or, at least, we are thinking about them.

NogBadTheBad @mauro.tridici

              @mauro-tridici You could also use interface groups.

              https://docs.netgate.com/pfsense/en/latest/interfaces/groups.html

The rule processing order for user rules is:

              Floating rules
              Interface group rules
              Rules on the interface directly

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

Jarhead @mauro.tridici

                @mauro-tridici said in Searching for the fastest way to isolate each VLANs using pfSense firewall rules:

@jarhead, in our case, each interface has a very basic "accept any/any" rule, just to test connectivity.
But now we are going to define the final firewall rules. Or, at least, we are thinking about them.

                Gotcha, thought you had no rules yet.

So there's a button on the rules themselves, all the way to the right, that will copy the rule (the third icon).
Click that, then change the interface it's on to copy it to different interfaces.

mer

If you remove the any-to-any rule, you have the default block behavior.

Then all you need to do on all OPTs except for 9 & 10 is allow in from OPT9|10. I think an interface group of OPT1-8 and an interface group rule would do that.
Traffic out of OPT9 to OPT1 should wind up creating a state, so the traffic back from OPT1 to OPT9 should be allowed back in.
For OPT9 and OPT10 you could either put interface rules or just add them to the interface group.

Basically what @NogBadTheBad is saying.

Simple rules are always easier to debug.

NogBadTheBad @mer

                    Something like this.

[Six screenshots, taken 2022-07-19 between 15:54 and 16:00, of the suggested interface group and rule configuration]

                    Andy

mauro.tridici @NogBadTheBad

                      @nogbadthebad many thanks for your help. Appreciated.

NogBadTheBad @mauro.tridici

@mauro-tridici No worries, you're welcome. I do, however, think that trying to simplify things may make it a bit harder for you in the long run 😀

                        Andy

johnpoz LAYER 8 Global Moderator @NogBadTheBad

                          @nogbadthebad said in Searching for the fastest way to isolate each VLANs using pfSense firewall rules:

                          may make it a bit harder for you in the long run

I concur with this sentiment. Versus looking for some shortcut on how few rules you can create to allow or block whatever, you would be better off putting very explicit rules on each interface tab.

If you're looking for a simple way to block access to other VLANs, assuming all your VLANs are RFC 1918, just create an alias that has all RFC 1918 space. And use that alias on a rule on each interface to block access to your other VLANs.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

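To see how the three suggestions above interact before touching a real firewall, here is an added example that is not from the thread and not pfSense code: a small Python simulator of pfSense's first-match evaluation order for user rules (floating, then interface group, then the interface tab, as NogBadTheBad listed) applied to heper's block-the-VLAN-alias rule with the allow-to-firewall rule on top, and to johnpoz's RFC 1918 alias. The four VLAN subnets, the firewall addresses, the ports and the packets are constructed assumptions; "self" stands in for pfSense's built-in "This Firewall (self)" destination, and state tracking for return traffic is not modelled.

```python
"""Added example: simulate pfSense's user-rule evaluation order to check
inter-VLAN isolation rules before applying them. Not pfSense code; the
topology, addresses and ports below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed topology: four VLAN interfaces, pfSense holding the first host of each.
VLAN_SUBNETS = {"OPT1": "10.10.1.0/24", "OPT2": "10.10.2.0/24",
                "OPT3": "10.10.3.0/24", "OPT4": "10.10.4.0/24"}
FIREWALL_ADDRS = {str(ipaddress.ip_network(s)[1]) for s in VLAN_SUBNETS.values()}

ALIASES = {
    "VLAN_NETS": list(VLAN_SUBNETS.values()),                      # heper's alias
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # johnpoz's alias
}
GROUPS = {"VLANS": list(VLAN_SUBNETS)}                             # interface group


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    scope: str                   # "floating", a group name, or an interface name
    src: str = "any"             # "any", an interface name (its subnet) or a CIDR
    dst: str = "any"             # "any", "self" (firewall addresses), alias or CIDR
    dport: Optional[int] = None  # None matches every port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrives on
    src: str
    dst: str
    dport: int


def _in_nets(addr: str, spec: str) -> bool:
    """Match an address against a rule's src/dst specification."""
    if spec == "any":
        return True
    if spec == "self":           # stands in for pfSense's "This Firewall (self)"
        return addr in FIREWALL_ADDRS
    nets = ALIASES.get(spec) or [VLAN_SUBNETS.get(spec, spec)]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, label) of the first matching rule, in the order pfSense
    applies user rules: floating, then groups containing the ingress interface,
    then the interface's own tab. All rules are treated as 'quick' (true for tab
    and group rules; an assumption for floating rules). No match hits the
    default deny. State tracking for return traffic is not modelled."""
    scopes = (["floating"]
              + [g for g, members in GROUPS.items() if pkt.in_iface in members]
              + [pkt.in_iface])
    for scope in scopes:
        for r in rules:
            if (r.scope == scope and _in_nets(pkt.src, r.src)
                    and _in_nets(pkt.dst, r.dst) and r.dport in (None, pkt.dport)):
                return r.action, r.label
    return "block", "default deny"


def group_rules(block_alias: str = "VLAN_NETS", allow_self: bool = True) -> list:
    """One rule set on the interface group. allow_self=False reproduces the
    mistake heper warned about: the block also covers pfSense's own VLAN
    addresses, so DNS and the webGUI stop working."""
    rules = []
    if allow_self:
        rules += [Rule("pass", "VLANS", dst="self", dport=53, label="DNS to pfSense"),
                  Rule("pass", "VLANS", dst="self", dport=443, label="webGUI to pfSense")]
    rules += [Rule("block", "VLANS", dst=block_alias, label="block " + block_alias),
              Rule("pass", "VLANS", label="pass everything else")]
    return rules


if __name__ == "__main__":
    dns = Packet("OPT1", "10.10.1.50", "10.10.1.1", 53)        # host -> pfSense resolver
    lateral = Packet("OPT1", "10.10.1.50", "10.10.2.20", 22)   # host -> another VLAN
    later = Packet("OPT1", "10.10.1.50", "192.168.50.5", 80)   # VLAN added after the alias
    for name, rules in [("no allow on top", group_rules(allow_self=False)),
                        ("allow on top", group_rules()),
                        ("RFC1918 alias", group_rules("RFC1918"))]:
        print(f"{name:16}", [evaluate(rules, p)[0] for p in (dns, lateral, later)])
    # An exception on the interface tab never fires: the group block runs first.
    exc = Rule("pass", "OPT1", src="OPT1", dst="OPT2", label="OPT1->OPT2 exception")
    print(evaluate(group_rules() + [exc], lateral))
    print(evaluate([Rule("pass", "floating", src="OPT1", dst="OPT2", label="same, floating")]
                   + group_rules(), lateral))
```

Three things it makes concrete. The block rule on a VLAN alias also matches pfSense's own interface address, so DNS and the webGUI break unless the allow rule sits above it. An exception placed on an interface tab below a group-level block never fires, because group rules are evaluated first; exceptions belong above the block in the group, or in a floating rule. The RFC 1918 alias also catches a subnet that was added after the VLAN alias was built, which is johnpoz's point; the price is that it blocks any RFC 1918 address upstream of the WAN (a modem's management address, for example) unless you add a rule for it.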
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.