Blocking ICMP doesn't work (in some cases) ?
-
Hi, simple situation:
I have multiple VLANS, in 1 of them I have 2 servers, I want to block all ICMP traffic between these 2 servers, I added the following firewall rule
Protocol: IPv4 ICMP(any)
Source: SERVERS net
Port: *
Destination: any
Port: *¨Whe I try pinging google.com for example, the rule works, it doesn't let me ping. But when I try pinging between the 2 servers in the same vlan, it still just pings. This blocking rule is at the top of the rules list.
What am I missing?
-
@houseofdreams said in Blocking ICMP doesn't work (in some cases) ?:
But when I try pinging between the 2 servers in the same vlan, it still just pings.
This traffic doesn't pass the firewall as long as both are connected to different interfaces (bridged).
-
Both servers are VM's (esxi), is there no way to get this working (or actually blocking)?
So if pinging still works, I assume all other internal connections are also not blocked, no matter what firewall rules I have set?
-
@houseofdreams
If the network is virtualized just add an additional virtual network on ESXi and connect pfSense and one of the VMs to it.@houseofdreams
If the network is virtualized just add an additional virtual network on ESXi and connect pfSense and one of the VMs to it.pfSense cannot block any traffic, which doesn't pass it.
-
@houseofdreams as mentioned pfsense is not involved in communications between devices on the same network. Put them in different vlans, or you would have to do something on your esxi to keep them from talking.. I think vmware NSX can do what you would call a private vlan or micro-segmentation.. And keep them from talking.
But there is nothing pfsense can do, unless the traffic goes across pfsense interfaces.
