Netgate Discussion Forum

    How to Block access to Admin SSH/WebGUI from VLANs

      guardian Rebel Alliance

      I've got a bunch of VLANS set up that are trunked into pfSense from an SG300 Switch.

      I want to block ADMIN access on many of the VLANs.  For discussion, use the following setup:

      LAN defaults to VLAN 1 - 192.168.0.1/24, but I'm not using it for anything - em1 - only used to attach interfaces for other VLANs.

      VLAN 10 - 192.168.10.1/24 - No Access to WEB/SSH
      VLAN 20 - 192.168.20.1/24 - Want Admin Access
      VLAN 30 - 192.168.30.1/24 - No Access to WEB/SSH
      VLAN 40 - 192.168.40.1/24 - Want Admin Access
      VLAN 50 - 192.168.50.1/24 - No Access to WEB/SSH
      VLAN 60 - 192.168.60.1/24 - No Access to WEB/SSH

      What address do I firewall?  192.168.x.1 is the gateway, and it's also the IP address where ssh/http(s) listen, so I can't block it, can I? Otherwise I would kill my connection.

      I've looked through https://doc.pfsense.org, and looked at Google, but I can't find anything relevant.

      Any assistance would be much appreciated.

      (I got the pfSense Gold hoping that I would find something there by way of case studies/examples of the type of thing that an advanced home/small business user would like to do. Ex: A couple of VLANs with access to the internet, but isolation from each other and sensible firewall rules (with/without access to the admin interface on pfSense).  There are bits and pieces all over the internet, but putting them together is a real challenge.  Documentation seems to either be way too simple, or for the enterprise network engineer.  Some by-example cases (maybe even a config that could be imported into the virtual machine firewall) would really add value for the pfSense Gold membership.)

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

        ptt Rebel Alliance

        You "Block" traffic destined to "This Firewall"  ;)

        https://forum.pfsense.org/index.php?topic=126736.msg699921#msg699921

          guardian Rebel Alliance

          @ptt:

          You "Block" traffic destined to "This Firewall"  ;)

          https://forum.pfsense.org/index.php?topic=126736.msg699921#msg699921

          Thanks, I think that gave me what I needed to figure it out.

          I tried this in the floating rules, and I'm not sure why, but it didn't work.

          The alias source VM_LANS is a list of all the "Nets" (192.168.10.0/24, 192.168.30.1/24, 192.168.50.1/24, 192.168.60.1/24) that I want to block access for.

          So I put the following into the rules for each interface and it seemed to do the job.

          Can someone tell me (or give me a hint as to how to figure it out) why the floating rules failed?

          [Image: Isolate-Rules.png]
          [Image: FloatingFailedRules.png]

          If you find my post useful, please give it a thumbs up!
          pfSense 2.7.2-RELEASE
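
Added example, not part of any post in this thread and not pfSense code: a simplified Python model of top-down, first-match evaluation on an interface tab, using the VLAN plan from the first post. It shows why blocking the admin ports to "This Firewall" does not cut off routed traffic, and why that destination is broader than a single gateway address. The port set (22/80/443), the rule layout and the test packets are assumptions.

```python
"""Simplified model of per-interface, first-match rule evaluation (added example)."""
from ipaddress import ip_address, ip_network

# Addressing taken from the first post; pfSense owns the .1 address in each VLAN.
VLANS = {10: "192.168.10.0/24", 20: "192.168.20.0/24", 30: "192.168.30.0/24",
         40: "192.168.40.0/24", 50: "192.168.50.0/24", 60: "192.168.60.0/24"}
NO_ADMIN = {10, 30, 50, 60}   # VLANs the poster wants locked out of SSH/WebGUI
ADMIN_PORTS = {22, 80, 443}   # assumed default SSH/WebGUI ports; adjust if changed

# "This Firewall" = every address the firewall itself holds, not just one gateway.
THIS_FIREWALL = {ip_network(n)[1] for n in VLANS.values()}
THIS_FIREWALL.add(ip_address("192.168.0.1"))  # unused LAN address from the post


def rules_for(vlan):
    """Ordered rule list for one interface tab: (action, dst_is_self, ports)."""
    rules = []
    if vlan in NO_ADMIN:
        rules.append(("block", True, ADMIN_PORTS))
    rules.append(("pass", False, None))  # allow everything else (routing, DNS, ...)
    return rules


def evaluate(vlan, dst, port):
    """Return the action of the first rule matching a packet entering `vlan`."""
    to_self = ip_address(dst) in THIS_FIREWALL
    for action, self_only, ports in rules_for(vlan):
        if self_only and not to_self:
            continue  # rule is limited to firewall-owned destinations
        if ports is not None and port not in ports:
            continue  # rule is limited to the admin ports
        return action
    return "block"  # implicit default deny when nothing matches


if __name__ == "__main__":
    # Constructed test traffic: (ingress VLAN, destination, destination port).
    for vlan, dst, port in [(10, "192.168.10.1", 443), (10, "192.168.20.1", 22),
                            (10, "203.0.113.5", 443), (10, "192.168.10.1", 53),
                            (20, "192.168.20.1", 443)]:
        print(f"VLAN {vlan} -> {dst}:{port}: {evaluate(vlan, dst, port)}")
```

A VLAN 10 client is blocked on the admin ports at 192.168.10.1 and also at 192.168.20.1, while traffic routed through the gateway to other destinations, and DNS to the gateway itself, still passes.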
