cannot block cross traffic on sg-2100
-
Hello All!
I have a SG-2100 with LAN (192.168.1.1/24), VLAN1 (192.168.2.1/24), VLAN2 (192.168.3.1/24).
All work fine as far as web access.
But, if I ping from VLAN1 to LAN, it pings successfully. Have tried blocking with firewall rules in pfSense to no avail.
Is the native LAN at fault? My Protectli FW with pfSense and Netgate SG-4860 blocks all cross traffic using firewall rules to block all traffic between networks (not slamming Netgate).
I need to restrict traffic from VLAN1 & 2 to WAN only. Any suggestions?
-
@detox if you defined the VLANs on the 2100 you can block inter-VLAN traffic. The firewall rules for a LAN/VLAN apply to traffic originating in the network you create the firewall rule in.
- By default there are no firewall rules generated for additional interfaces like VLAN1 and VLAN2
- The default LAN allow-all firewall rule allows LAN clients to access everything, including other networks you create later
E.g. to allow VLAN1 to access the internet only, you create one firewall rule with source 'VLAN1 net' and destination "! (not) LAN and VLAN2".
Best is to create an alias where you add the local networks, LAN, VLAN1 & VLAN2, and use that alias as the (not) destination. There is a lot of information about that on this forum and the internet, search for "pfSense block inter-VLAN access" or "pfSense VLAN internet access only".
Posting your firewall rules will certainly help, too.
-
@detox said in cannot block cross traffic on sg-2100:
I need to restrict traffic from VLAN1 & 2 to WAN only. Any suggestions?
See:
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html#isolated
-
@detox I hope you're using VLAN 1 as just a placeholder and not the actual ID of 1 - 1 is the default VLAN for like every switch on the planet.
Use something other than 1 for your vlan ID.
Also common mistake users make when trying to block traffic. They test something can talk to something else (which creates a state) then they put in a block rule and don't understand why it doesn't block.
Well because the state is allowing the traffic.. You need to make sure you get rid of any existing states that would allow the traffic you're wanting to block.. You can do that with kill in the diag states listing. Or you can wait for them to timeout on their own. Sledgehammer approach: kill all the states, or reboot.
-
@johnpoz I have fallen for it a few times in recent months when making rule changes. Starting to become a habit now to kill states.
-
OK Folks! Strike one up for "Attention to detail".....
I found the reason I could not block other local networks...
I have LAN, LAN1, and LAN2. My block rule for Protocol was set to TCP.. not ANY. Changed the value and now I cannot look at any other LAN besides the one I'm logged into.
Appreciate all the kind and supportive comments.
-
@detox haha - yup that would do it.. wrong protocol is another common problem users run into.. I believe when you create a new rule it defaults to just TCP.
Glad you got it sorted, and came back to close up the thread with answer.
So many times the poster never comes back - so you don't know if they fixed their issue, gave up, etc. Can mark this thread solved for you if you want.
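The three pitfalls discussed in this thread (rules only apply to traffic entering the interface they sit on, a block rule restricted to TCP lets ICMP fall through to the allow-all below it, and an existing state bypasses the rules until it is killed) can be reproduced in a small model of first-match, stateful rule evaluation. This is an added illustration written for this thread, not pfSense or Netgate code; the addressing is the poster's, the interface names are labels rather than 802.1Q IDs, the `LocalNets` alias is the one suggested above, and the state key, default-deny behaviour and external address `203.0.113.5` are simplifying assumptions.

```python
"""Toy model of pfSense-style rule evaluation: rules are checked on the
interface where traffic enters, the first matching rule wins, a pass creates
a state, and an existing state bypasses the rules entirely.  Added
illustration for this thread; not pfSense code."""
import ipaddress
from dataclasses import dataclass, field

# Addressing from the thread.  Names are interface labels, not VLAN IDs.
LOCAL_NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN1": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN2": ipaddress.ip_network("192.168.3.0/24"),
}
LOCAL_ALIAS = list(LOCAL_NETS.values())   # the "LocalNets" alias


@dataclass
class Rule:
    iface: str            # interface the rule is placed on (ingress side)
    action: str           # "pass" or "block"
    proto: str = "any"    # "any", "tcp", "udp", "icmp"
    src: list = field(default_factory=list)   # empty list means any
    dst: list = field(default_factory=list)
    dst_invert: bool = False                  # the "! (not)" checkbox

    def matches(self, pkt):
        if self.iface != pkt["iface"]:
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.src and not any(pkt["src"] in n for n in self.src):
            return False
        if self.dst:
            in_dst = any(pkt["dst"] in n for n in self.dst)
            if in_dst == self.dst_invert:     # in alias but inverted, or vice versa
                return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def _key(pkt):
        # Simplified state key (assumption): proto, src, dst, dport.
        return (pkt["proto"], pkt["src"], pkt["dst"], pkt["dport"])

    def evaluate(self, pkt):
        """Return 'pass', 'pass (state)' or 'block' for one packet."""
        if self._key(pkt) in self.states:
            return "pass (state)"          # rules are never consulted
        for rule in self.rules:            # first match wins
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(self._key(pkt))
                return rule.action
        return "block"                     # implicit default deny

    def kill_states(self):
        """Diagnostics > States > kill, in the toy model."""
        self.states.clear()


def packet(iface, proto, src, dst, dport=None):
    return {"iface": iface, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}


LAN_DEFAULT = Rule("LAN", "pass")          # stock "allow LAN to any" rule
PING_TO_LAN = packet("VLAN1", "icmp", "192.168.2.10", "192.168.1.1")
HTTPS_OUT = packet("VLAN1", "tcp", "192.168.2.10", "203.0.113.5", 443)  # constructed external host
LAN_TO_VLAN1 = packet("LAN", "icmp", "192.168.1.20", "192.168.2.1")


def vlan1_block_then_allow(block_proto):
    """The poster's layout: a block rule above an allow-all, with the block
    rule's protocol either 'tcp' (the mistake) or 'any' (the fix)."""
    return Firewall([LAN_DEFAULT,
                     Rule("VLAN1", "block", block_proto, dst=LOCAL_ALIAS),
                     Rule("VLAN1", "pass")])


def vlan1_internet_only():
    """Single rule suggested above: pass from VLAN1 net to anything not in LocalNets."""
    return Firewall([LAN_DEFAULT,
                     Rule("VLAN1", "pass", src=[LOCAL_NETS["VLAN1"]],
                          dst=LOCAL_ALIAS, dst_invert=True)])


def state_bypass_demo():
    """Ping once while the rules still allow it, then fix the block rule:
    the existing state keeps passing the ping until states are killed."""
    fw = vlan1_block_then_allow("tcp")
    first = fw.evaluate(PING_TO_LAN)                                   # 'pass', state created
    fw.rules[1] = Rule("VLAN1", "block", "any", dst=LOCAL_ALIAS)       # corrected rule
    still = fw.evaluate(PING_TO_LAN)                                   # 'pass (state)'
    fw.kill_states()
    after = fw.evaluate(PING_TO_LAN)                                   # 'block'
    return first, still, after


if __name__ == "__main__":
    print("block tcp only, ping to LAN:", vlan1_block_then_allow("tcp").evaluate(PING_TO_LAN))
    print("block any, ping to LAN:     ", vlan1_block_then_allow("any").evaluate(PING_TO_LAN))
    print("internet-only rule, ping:   ", vlan1_internet_only().evaluate(PING_TO_LAN))
    print("internet-only rule, https:  ", vlan1_internet_only().evaluate(HTTPS_OUT))
    print("state bypass sequence:      ", state_bypass_demo())
```

Note that `LAN_TO_VLAN1` still passes under either VLAN1 rule set, because it enters on LAN and hits the stock allow-all rule there; isolating LAN from the VLANs needs a matching rule on the LAN tab as well.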
-
@johnpoz Happy to mark as closed .... How do I?
-
@detox you should be able to edit your first post and edit the title with [solved] in the title, add a tag.. If you cannot - let me know and I can do it for you. There might be some restrictions on rep ports or something - but you have 6, I would think that's enough?