Defining and maintaing FW and NAT rules for multiple VLAN's

louis2

I have a lot of vlan's which more or less should have the same rule sets (normal, float, nat)

Apart from the possibility to create an interface group, which hardly helps in this case, I have to define and maintain the rule-sets for each vlan on a per vlan / interface base, which is

• a lot of work !
• error prone !

Even for source or destination you can only choose from: "interface-name" or "interface-net". Options like "actual-vlan-address" and "actual-vlan-net" are not available

An option to define a firewall rule groups, which could be applied to multiple interfaces / vlan's would reduce the number of rules to enter and to maintain enormously !!
(I estimate it would the number of rules in a lot of cases with more than a factor 3)

Example:
vlan-1

• rule a,b,c,
• a ruleset-1 (equivalent of x-rules)
• rule d
• a ruleset-4 (equivalent of y-rules)
• rule e,f

vlan-2

• a more or less equal sequence

I did raise a feature request for this a couple of days ago.

However, given the fact that this functionality is not present yet (I hope). For the moment I am even considering editing the config file (what I do not like)

Any suggestions !?

Jarhead

@louis2
Create the rules you need on one vlan. Then use the copy icon and change the interface it's on and any other specifics, and the rule will be copied to the other interface.

It's not that difficult, but does take some time.
But once they're done it's done.

Are you thinking you are going to have to change these rules?

louis2

@jarhead

I know you can copy rules and you there is also an option to define interface groups (which I use).

However, rules applied to an interface group are always in front of the vlan specific rules.

And you can not use "actual-vlan-address" and "actual-vlan-net" in that rule set, since those options are not available. So you can never define a rule in the interface group selecting on either the actual vlan's source or destination addresses.

So severe limitations there, only in the beginning, no vlan based address selections ....

And yet copying a rule helps to a certain extend, but

• you mostly have to change the vlan-selection fields
• you have to do an awful lot of copy and past actions
• you often have to position the pasted rule to the wanted / correct position
• and if something changes you have to correct it every where

IMHO .... that is far from efficient and error prone

viragomann

@louis2 said in Defining and maintaing FW and NAT rules for multiple VLAN's:

And you can not use "actual-vlan-address" and "actual-vlan-net" in that rule set, since those options are not available. So you can never define a rule in the interface group selecting on either the actual vlan's source or destination addresses.

Maybe you can express the rule parameters more universally.

The "actual-vlan-net" is only meaningful in sources. You can either use any here or an alias, which includes all desired networks.
However, an IP out of the interface subnet will be unable to communicate with pfSense anyway.

Instead of "actual-vlan-net" you can use "This firewall".