Thoughts on my firewall rules and a few questions
-
Hey guys, I just got my pfSense router configured with some VLANs and wanted some input on how I set up the firewall rules. They seem to work as I intend for the most part, though they probably could be reworked to achieve the same result with fewer rules, but my main issue is that my PC CANNOT ping across these VLANs. I suspect this has to do with my PC and not the firewall rules, because other devices CAN ping across VLANs just as I think they should given the firewall rules I set up.
Below I will include my firewall rules for each of my VLANs, what I'm trying to achieve with this setup, and what I have already tried to troubleshoot this.
Here is what I'm trying to achieve:
- LAN - 172.16.1.1/24 - The only devices on LAN are my UniFi switch and AP
- Guest VLAN - 172.16.70.1/24 - VLAN for guest devices (internet access only)
- Home VLAN - 172.16.80.1/24 - VLAN for trusted devices at home (needs access to the NAS on the Servers VLAN, and to the Philips Hue on the IoT VLAN)
- Servers VLAN - 172.16.100.1/24 - VLAN for all servers (the NAS on the Servers VLAN needs access to the IP cameras on the IoT VLAN)
- IoT VLAN - 172.16.200.1/24 - VLAN for IoT devices (internet access only)
These are the firewall rules I have for each VLAN:
What I have tried:
1. I have tested the firewall rules I have set up with my MacBook connected to Wi-Fi on the Servers VLAN: I disabled a rule that blocks access to another VLAN, pinged that VLAN successfully, then enabled the block rule and had the ping fail. So I know the rules are doing what I want, and that shouldn't be the issue.
2. I have tried a different OS. My PC that will not ping between the VLANs dual-boots Linux Mint and Windows 11. I have tried on both of these operating systems to ping across VLANs with no success.
3. I have disabled the firewall completely on both Linux and Windows 11. This does not allow me to ping across VLANs.
4. I have connected the PC in question to the network through the switch on the back of my pfSense router (Netgate SG-2100), to the UniFi switch connected to the pfSense router, and via Wi-Fi. None of these connection methods allow for a ping across VLANs.
Now that you hopefully have enough info about my network setup, these are my questions:
1. Why can't this PC ping but others (VMs and MacBook) can?
2. If my IP cameras are on the IoT VLAN and the NAS the cameras record to is on the Servers VLAN, do I need to allow both VLANs access to each other? Or can I have it set up as it is now, so only the Servers VLAN has access to the IoT VLAN, but IoT has no access to the Servers VLAN? (Hopefully this makes sense.)
3. Do my current rules accomplish what I have described here? If yes, is there a way to refine them to accomplish the same thing with fewer rules? And if not, how should I change them to achieve what I have described?
4. Any other suggestions you have on things I can improve.
This is my first post here so hopefully that's enough info. Please let me know if you need to know anything else, and thank you for taking the time to read all this. Any thoughts are appreciated, thanks.
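The second and third questions above come down to how stateful filtering works on pfSense: rules are evaluated first-match on the interface where traffic enters, a pass rule creates a state, and the reply packets of that connection are matched against the state table before any rule is consulted. The following is an added example (not from the post, and not pfSense's code) that models that behaviour over the VLAN layout described in the post. The network addresses are the ones given above; the individual hosts (NAS, camera, Hue, PC, guest phone), the ports and the rule ordering are assumptions made for the illustration.

```python
"""Added example: a small model of pfSense-style stateful, first-match filtering
over the VLANs from the post. Not the forum poster's rules and not pfSense code.

Each VLAN has an ordered ruleset applied to traffic entering from that VLAN
(the rule source is implicitly "<interface> net"). A pass rule creates a state;
a packet whose reverse flow key is already in the state table is passed without
consulting any rule, which is why the NAS can pull video from a camera without
any rule allowing IoT -> Servers.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# VLAN networks from the post
LAN = ip_network("172.16.1.0/24")
GUEST = ip_network("172.16.70.0/24")
HOME = ip_network("172.16.80.0/24")
SERVERS = ip_network("172.16.100.0/24")
IOT = ip_network("172.16.200.0/24")
VLANS = [LAN, GUEST, HOME, SERVERS, IOT]
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# pfSense's own addresses ("This Firewall"): the .1 gateway of each VLAN
FIREWALL_ADDRS = {ip_address(str(v.network_address + 1)) for v in VLANS}

# Constructed hosts (assumptions, not from the post)
NAS = ip_address("172.16.100.10")
CAMERA = ip_address("172.16.200.50")
HUE = ip_address("172.16.200.20")
PC = ip_address("172.16.80.25")
GUEST_PHONE = ip_address("172.16.70.5")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp" (icmp uses 0/0 for the ports)
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    dst: object              # "any", "rfc1918", "firewall", an IPv4Network or a host address
    proto: str = None        # None matches any protocol
    dport: frozenset = None  # None matches any destination port

    def matches(self, pkt):
        if self.proto not in (None, pkt.proto):
            return False
        if self.dport is not None and pkt.dport not in self.dport:
            return False
        addr = ip_address(pkt.dst)
        if self.dst == "any":
            return True
        if self.dst == "rfc1918":
            return any(addr in n for n in RFC1918)
        if self.dst == "firewall":
            return addr in FIREWALL_ADDRS
        if isinstance(self.dst, IPv4Network):
            return addr in self.dst
        return addr == self.dst


DNS_TO_FIREWALL = Rule("pass", "firewall", proto="udp", dport=frozenset({53}))
RULES = {
    GUEST: [DNS_TO_FIREWALL,
            Rule("block", "firewall", proto="tcp", dport=frozenset({22, 80, 443})),  # no GUI/SSH
            Rule("block", "rfc1918"),        # no other VLANs
            Rule("pass", "any")],            # internet only
    HOME: [DNS_TO_FIREWALL, Rule("pass", "firewall"), Rule("pass", NAS), Rule("pass", HUE),
           Rule("block", "rfc1918"), Rule("pass", "any")],
    SERVERS: [DNS_TO_FIREWALL, Rule("pass", IOT), Rule("block", "rfc1918"), Rule("pass", "any")],
    IOT: [DNS_TO_FIREWALL, Rule("block", "rfc1918"), Rule("pass", "any")],
    LAN: [Rule("pass", "any")],
}


class StatefulFirewall:
    def __init__(self, rulesets):
        self.rulesets = rulesets
        self.states = set()

    def filter(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.states:            # reply to an established connection
            return "pass (state)"
        src = ip_address(pkt.src)
        ingress = next((v for v in VLANS if src in v), None)
        if ingress is None:
            return "block"
        for rule in self.rulesets[ingress]:   # first match wins
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(fwd)
                return rule.action
        return "block"                       # pfSense default deny


def scenarios():
    fw = StatefulFirewall(RULES)
    out = {}
    # NAS pulls RTSP from the camera: Servers->IoT rule passes it, reply rides the state
    out["nas_to_camera"] = fw.filter(Packet(str(NAS), str(CAMERA), "tcp", 51000, 554))
    out["camera_reply"] = fw.filter(Packet(str(CAMERA), str(NAS), "tcp", 554, 51000))
    # camera opening its own connection to the NAS: no rule, no state -> blocked
    out["camera_initiates"] = fw.filter(Packet(str(CAMERA), str(NAS), "tcp", 40000, 445))
    out["pc_to_nas"] = fw.filter(Packet(str(PC), str(NAS), "tcp", 52000, 445))
    out["pc_to_camera"] = fw.filter(Packet(str(PC), str(CAMERA), "icmp", 0, 0))
    out["guest_dns"] = fw.filter(Packet(str(GUEST_PHONE), "172.16.70.1", "udp", 53000, 53))
    out["guest_to_gui"] = fw.filter(Packet(str(GUEST_PHONE), "172.16.70.1", "tcp", 53001, 443))
    out["guest_internet"] = fw.filter(Packet(str(GUEST_PHONE), "198.51.100.10", "tcp", 53002, 443))
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18s} {verdict}")
```

So for question 2 the answer is no: a single pass rule on the Servers VLAN toward the IoT VLAN is enough for the NAS to pull from the cameras, because the camera's replies match the state the NAS's outbound packet created; the IoT VLAN needs no rule toward Servers (and if a camera were to push to the NAS instead, the rule would have to be on the IoT side). The per-VLAN pattern "pass what this VLAN specifically needs, block RFC1918, pass any" is also the compact shape that question 3 asks about.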
-
@johan-2 Your PC is on Home? Seems like it should work. Is its gateway correct? You can check for an open state when you ping…
On Guest you may want to block to This Firewall ports 80/443/22 if you don’t want guests to be able to log in to pfSense. Allow DNS though.
-
@steveits Yes, the PC is on Home. I just double-checked the gateway and it is correct. What does "check for an open state" mean? I'm fairly new to this. And I will block the firewall on Guest; I didn't think about that, thanks.
-
@johan-2 https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering
If you click the link in the states column it will show you open states/connections. If one is created for your ping pfSense is passing the packet and therefore isn’t the issue.
Usually either a gateway is missing so the connection or reply can’t go anywhere, or a firewall on the target host doesn’t allow connections from a different subnet.
-
@steveits Well, I feel pretty stupid. I didn't think about my VPN so I turned it off and sure enough everything works fine now. Thanks for all your help and quick replies
-
@johan-2 Ah. Not using pfSense as the gateway, then. :)
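The resolution of the thread is the second failure mode steveits named: the PC's gateway setting was correct, but with a VPN client running, the PC was not actually sending inter-VLAN traffic to pfSense, so no state was ever created. The following is an added example (not from the thread) showing why with a longest-prefix-match route lookup: a typical full-tunnel VPN client installs 0.0.0.0/1 and 128.0.0.0/1 via its tunnel, which beat the /0 default route for every destination that has no more specific route, including the other VLANs. The VLAN addresses are from the thread; the PC's address, interface names, tunnel addresses and the VPN server address are assumptions.

```python
"""Added example: longest-prefix-match routing on the PC, with and without a
full-tunnel VPN client's routes. Not from the thread; tables are constructed.
"""
from ipaddress import ip_address, ip_network


def lookup(table, dst):
    """Return (next_hop, iface) of the most specific route covering dst.
    next_hop is None for a directly connected network."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


# PC on the Home VLAN (172.16.80.0/24), pfSense at 172.16.80.1 (from the thread)
PC_TABLE = [
    ("0.0.0.0/0", "172.16.80.1", "eth0"),   # default route via pfSense
    ("172.16.80.0/24", None, "eth0"),       # connected VLAN
]

# Same PC after a full-tunnel VPN client comes up (assumed addresses):
# two /1 routes override the default without deleting it, and the VPN
# server itself is pinned out eth0 so the tunnel can be built.
VPN_TABLE = PC_TABLE + [
    ("0.0.0.0/1", "10.8.0.1", "tun0"),
    ("128.0.0.0/1", "10.8.0.1", "tun0"),
    ("10.8.0.0/24", None, "tun0"),
    ("203.0.113.10/32", "172.16.80.1", "eth0"),
]

# Mitigation if the VPN must stay up: a more specific route for the private
# range keeps all inter-VLAN traffic on eth0 toward pfSense.
FIXED_TABLE = VPN_TABLE + [("172.16.0.0/12", "172.16.80.1", "eth0")]

TARGETS = {
    "pfsense": "172.16.80.1",      # gateway: still reachable, which hides the problem
    "nas": "172.16.100.10",        # Servers VLAN (host address constructed)
    "camera": "172.16.200.50",     # IoT VLAN (host address constructed)
    "internet": "198.51.100.10",   # documentation address standing in for a public host
}


def check_hosts(table):
    """Where does each target's packet leave the PC?"""
    return {name: lookup(table, ip) for name, ip in TARGETS.items()}


def bypasses_pfsense(table):
    """Names of VLAN targets whose packets never reach pfSense."""
    return sorted(name for name in ("nas", "camera")
                  if check_hosts(table)[name] != ("172.16.80.1", "eth0"))


if __name__ == "__main__":
    for label, table in (("no VPN", PC_TABLE), ("VPN up", VPN_TABLE), ("VPN + LAN route", FIXED_TABLE)):
        print(label, check_hosts(table), "bypassing pfSense:", bypasses_pfsense(table))
```

This also explains why the states check in the reply above is the right diagnostic: a ping from this PC to the NAS would leave via tun0, so pfSense never sees the packet and no state appears, while other hosts on the same VLAN (without the VPN) create states normally. On the PC itself, `ip route get 172.16.100.10` on Linux or `route print` on Windows shows which interface the kernel would pick, matching what `lookup` returns here.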