Netgate Discussion Forum
    How to block default LAN from accessing VLAN ?

    Category: L2/Switching/VLANs | 16 Posts, 6 Posters, 942 Views
    KC2020:

      First time user of pfSense and first time post here. I did search the forums but didn't find an answer to my question.

      I just purchased and set up a Netgate 2100. I added a VLAN for my Wi-Fi access point using port 4 and VLAN tag 4084 per the documentation. I then added a second VLAN on port 3, tagged it 4083, again following the documentation.

      Now I would like to block the default LAN users from accessing my VLAN 4083 devices?

      I have read and re-read the documentation but I don't understand how to accomplish this. Any help would be appreciated!

      FWrules.JPG

    Jarhead @KC2020:

        @KC2020 You would put a rule on the LAN interface blocking access to the VLAN. Rules are evaluated top down, so it would need to be above the default Any/Any rule.

    KC2020 @Jarhead:

          @Jarhead OK, so like this?

          Action: Block
          Interface: LAN
          Protocol: Any
          Source: Any (or should it be LAN address?)
          Destination: NAS918 subnets

    viragomann @KC2020:

            @KC2020 said in How to block default LAN from accessing VLAN ?:

            Source: Any ( or should it be LAN address ?)

            No, any is fine here. You can state "LAN subnets", since there should be no other sources seen.
            But "LAN address" is the LAN interface of pfSense itself. So this would not be applicable.

    KC2020 @viragomann:

              @viragomann said in How to block default LAN from accessing VLAN ?:

              @KC2020 said in How to block default LAN from accessing VLAN ?:

              Source: Any ( or should it be LAN address ?)

              No, any is fine here. You can state "LAN subnets", since there should be no other sources seen.
              But "LAN address" is the LAN interface of pfSense itself. So this would not be applicable.

              Great! Thank you guys!

              I think I get it now. Where to place a rule and how it controls access / traffic isn't difficult but it sure isn't obvious either.

    Jarhead @KC2020:

                @KC2020 Just remember this. Traffic is evaluated as it enters an interface FROM the attached network of that interface. Once it's in the interface it can go wherever you allow it to.
                So if you don't want traffic to go to the VLAN, you block it at the source interface.

    johnpoz (LAYER 8 Global Moderator) @KC2020:

                  @KC2020 said in How to block default LAN from accessing VLAN ?:

                  sn't difficult but it sure isn't obvious either

                  And how would you think it should be done - what would be "obvious" to you? Do you just let people enter your house without knocking on the front door? Or do you stop them at the front door and ask what they want?

                  And then either allow them or deny them depending on what they ask, before they enter the house.

                  Maybe they are JW and want to talk to you about their god, so you turn them away. Or maybe it's your neighbor and he just wants to use your bathroom because his is being remodeled.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

    KC2020 @Jarhead:

                    @Jarhead said in How to block default LAN from accessing VLAN ?:

                    @KC2020 Just remember this. Traffic is evaluated as it enters an interface FROM the attached network of that interface. Once it's in the interface it can go wherever you allow it to.
                    So if you don't want traffic to go to the vlan, you block it at the source interface.

                    Thanks

    KC2020 @johnpoz:

                      @johnpoz said in How to block default LAN from accessing VLAN ?:

                      @KC2020 said in How to block default LAN from accessing VLAN ?:

                      sn't difficult but it sure isn't obvious either

                      And how would you think it should be done - what would be "obvious" to you? Do you just let people enter your house without knocking on the front door.. Or do you stop them at the front door and ask what they want.

                      And then either allow them or deny them depending on what they ask before you enter the house..

                      Maybe they are JW and want to talk to you about their god, so you turn them away. Or maybe it's your neighbor and he just wants to use your bathroom because his is being remodeled.

                      But with your analogy I'm in the VLAN choosing to open the door or not and what I'm understanding now is that the control is on the outside of the door, from the LAN not allowing anyone to come to my door.

                      So yes, this wasn't obvious to me.

    sysbitnet:

                        Or you can, under Firewall / Aliases / IP, create an alias:

                        Name: Block_Private
                        Network or FQDN:
                        10.0.0.0/8
                        100.64.0.0/10
                        192.0.0.0/24
                        198.18.0.0/15
                        192.168.0.0/16

                        Then go to Firewall / Rules / the interface, for example Local:

                        Action: Block
                        Protocol: Any
                        Source Address: Address or Alias, and select Block_Private
                        Dest. Address: Any
                        And enable Log packets that are handled by this rule

                        This is what I am testing in the lab.

    Jarhead @KC2020:

                          @KC2020 said in How to block default LAN from accessing VLAN ?:

                          But with your analogy I'm in the VLAN choosing to open the door or not and what I'm understanding now is that the control is on the outside of the door, from the LAN not allowing anyone to come to my door.

                          So yes, this wasn't obvious to me.

                          Nope, you want to block the LAN from accessing the VLAN, so you're not in the VLAN. Actually it has nothing to do with the VLAN.
                          John's analogy is correct. Now you know for the next time. 👍🏻

    johnpoz (LAYER 8 Global Moderator) @Jarhead:

                            There is also a door connected to your VLAN, let's call this your back door, or side door that is on your garage, etc.

                            Maybe that JW is knocking on the side door of your house vs the front door (LAN). You're going to control if you let him in or not at that door.

                            Think of pfSense as your house, and you're inside of it. When someone knocks on a door, be it your LAN or WAN or OPTX or VLANX running on your LAN interface, they are outside your house wanting to enter, while it's only transit to walk through the house, say from the front door to the backyard (WAN), or your side yard (garage door for example). You put a rule on your LAN that says hey, you can go to the backyard, but you can't go to the side yard. If they are wanting to go to the backyard you allow it; if they want to go to your side yard you deny them. Why would you want anyone tracking their muddy shoes through your house just to stop them from entering the side yard, with a guard outside your side yard door checking if people leaving your house can enter the yard?

                            You check where they are going before you let them into your house, and either allow it or not before they enter the house.

                            The only time you have someone standing outside the doors of your house is when you use floating rules and you set the direction to outbound. Now you have placed a guard also outside the door; he doesn't check people knocking on the door, he checks them leaving the door.

                            Hey wait a minute there buddy, you can't go into the back yard. I don't care that he let you in the front door (LAN).


    KC2020 @johnpoz:

                              OK, so in the LAN I'm setting rules that allow or block access to a specific VLAN that's identified in the rule.

                              And what @sysbitnet is saying is I can use an alias to group all the VLANs and put them in 1 rule.

    johnpoz (LAYER 8 Global Moderator) @KC2020:

                                @KC2020 Sure, you can do that. I have an RFC1918 alias that I use to block access to any of my other VLANs, and any VLANs I might add in the future.

                                alias.jpg


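To make the rule-ordering point from Jarhead's reply and the alias approach from sysbitnet and johnpoz concrete, here is an added Python model of how pfSense evaluates interface rules: first match wins, top down, on the interface where the traffic enters from its attached network. This is example code written for this page, not pfSense code and not from anyone in the thread; the subnets, the firewall's LAN address and the interface names are constructed lab values, and ports and protocols are deliberately not modelled. It goes slightly beyond the thread by keeping a pass rule to the firewall's own LAN address above the RFC1918 block, so LAN clients can still reach services such as DNS on pfSense itself.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Alias of private ranges, as in johnpoz's RFC1918 alias (all three RFC 1918 blocks).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
FW_LAN_ADDRESS = "192.168.1.1/32"   # constructed: pfSense's own "LAN address"


@dataclass
class Rule:
    iface: str      # interface the rule is placed on (where traffic enters)
    action: str     # "pass" or "block"
    src: list       # CIDR strings or ["any"]
    dst: list       # CIDR strings or ["any"]


def matches(nets, ip):
    """True if ip falls in any network of the list, or the list is 'any'."""
    return "any" in nets or any(ip_address(ip) in ip_network(n) for n in nets)


def evaluate(rules, iface, src, dst):
    """Verdict for a packet entering `iface` from src to dst.

    pfSense interface rules are 'quick': the first matching rule decides.
    An interface with no matching rule blocks by default.
    """
    for r in rules:
        if r.iface == iface and matches(r.src, src) and matches(r.dst, dst):
            return r.action
    return "block"


# Correct order: allow the firewall itself, block private ranges, then the default allow.
GOOD = [
    Rule("LAN", "pass",  ["any"], [FW_LAN_ADDRESS]),
    Rule("LAN", "block", ["any"], RFC1918),
    Rule("LAN", "pass",  ["any"], ["any"]),
]

# Wrong order: the default Any/Any pass rule matches first, so the block is never reached.
BAD = [
    Rule("LAN", "pass",  ["any"], ["any"]),
    Rule("LAN", "block", ["any"], RFC1918),
]

if __name__ == "__main__":
    lan_host, vlan_host, internet = "192.168.1.50", "192.168.83.10", "203.0.113.7"
    print("GOOD LAN->VLAN   :", evaluate(GOOD, "LAN", lan_host, vlan_host))   # block
    print("GOOD LAN->WAN    :", evaluate(GOOD, "LAN", lan_host, internet))    # pass
    print("BAD  LAN->VLAN   :", evaluate(BAD,  "LAN", lan_host, vlan_host))   # pass (mistake)
    print("VLAN->LAN (no rules on VLAN4083):", evaluate(GOOD, "VLAN4083", vlan_host, lan_host))
```

The last line shows the other half of Jarhead's point: traffic from the VLAN toward the LAN is judged by the rules on the VLAN interface, not by anything on LAN, and with no rules there it is blocked by default.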
    KC2020 @johnpoz:

                                  @johnpoz said in How to block default LAN from accessing VLAN ?:

                                  @KC2020 Sure, you can do that. I have an RFC1918 alias that I use to block access to any of my other VLANs, and any VLANs I might add in the future.

                                  Thanks, I get the alias function. I created an RFC1918 alias for my Wi-Fi Guest network.

                                  I just tested the VLAN rule on my LAN and of course it works. More importantly I now understand how and why it's placed on the LAN.

                                  Thanks again for all the help guys!

    JonathanLee @johnpoz:

                                    @johnpoz Yeah, and you most often lock your doors at night, so why not lock your network at a specific time also.

                                    Make sure to upvote

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.