Netgate Discussion Forum

    Disable routing between VLANs

    Firewalling
    17 Posts 6 Posters 12.2k Views
    • davidemiccone

      Thank you for your reply, and sorry for the delay, but I installed a new test pfSense because I wanted to try a new, very simple installation to see if I had done something wrong.

      I installed a new machine from the 1.0.1 ISO CD, then updated to the 1.2-BETA-1-PRERELEASE-SNAPSHOT-04-23-07-pfSense snapshot.

      I created 2 VLANs on the internal network (em0):

      *** Welcome to pfSense 1.2-BETA-1-PRERELEASE-SNAPSHOT-04-23-07-pfSense on pfsense ***

      LAN*      -> em0   -> 10.0.2.254
      WAN*      -> fxp0  -> 194.116.164.113
      OPT1(v3)  -> vlan0 -> 10.0.3.254
      OPT2(v4)  -> vlan1 -> 10.0.4.254

      I connected two workstations: the first on VLAN 3 (10.0.3.63), the other on VLAN 4 (10.0.4.62).

      If I attach the two workstations alone to the switch (on two distinct VLANs defined on the switch), the two workstations can't ping each other; if I connect the pfSense machine (on the switch port defined as VLAN 1/trunk), 10.0.3.63 can ping 10.0.4.62 (and vice versa). I have to define a deny rule to prevent connections between the workstations.

      VLANs are useful because at layer 2 (on the switch) I can isolate the different workgroups; VLANs are safe because they are very simple to configure and isolate.
      If I have to specify the correct rules whenever I define a new VLAN (otherwise I create a big security problem because different VLANs can connect), I create a possible security entry point.

      The above are the reasons why I ask whether it is possible to disable routing globally.

      Any advice will be appreciated.

      • Perry

        With a lot of VLANs I would do something like in the attached picture.

        [Attached image: net12.gif]

        /Perry
        doc.pfsense.org

        • cmb

          I would recommend doing as Perry showed. There is no way to disable routing without breaking all functionality.

          • davidemiccone

            Thank you for the suggestions.

            What I have not understood is why, if I don't specify any rule, traffic between different VLANs passes. I thought (I read in the documentation) that the default policy was block.

            Hosts on the same VLAN don't need to pass through the firewall, so I don't need the rule Pass from [Net12 net] to [192.168.12.0/24]; as you know, layer 2 switches automatically connect hosts on the same VLAN (just like a physical connection).

            My job is to guarantee isolation between different workgroups. Workstations are managed by individuals (workstation management is not my task).
            I can limit access by IP address using firewall rules, but the user can change her IP address and bypass the rule. The workgroups constantly purchase new workstations or notebooks, and the setup is done by the users themselves.

            The above is the reason why routing between VLANs has to be disabled.

            Is the default behaviour that allows traffic to pass between VLANs by design, or is it a bug?

            Davide

            • hoba

              It does block any not explicitly allowed traffic by default. If it is passing the traffic your switch is probably not set up correctly.

              • davidemiccone

                @hoba:

                It does block any not explicitly allowed traffic by default. If it is passing the traffic your switch is probably not set up correctly.

                VLANs on my switch are correctly set up: if I unplug the firewall from the switch, the hosts don't communicate. So it is pfSense that does the routing. I'm working with a clean pfSense installation (1.2-BETA-1-PRERELEASE-SNAPSHOT-04-23-07-pfSense) in a test environment (after I saw the problem for the first time in production).

                Any advice will be appreciated.

                • davidemiccone

                  Has no one reproduced the problem?

                  Does someone have the same type of installation (pfSense using VLANs) with the same version (1.2-BETA-1-PRERELEASE-SNAPSHOT-04-23-07-pfSense) that works correctly?

                  Any feedback will be appreciated.

                  • cmb

                    It's a configuration issue of some sort; traffic that is not allowed gets denied. I just tested it with my VLAN setup and it worked so well it dropped me off the Internet, blocked me from accessing the other VLANs, and kept me from getting into the webGUI! It took me 15 minutes to find a machine to let myself back in… :P

                    There are a LOT of people running VLAN setups with versions similar to yours who don't have any issues.

                    Go to status.php and paste the entire screen here, or if you'd rather not publicly post it, email it to me at cbuechler@gmail.com.

                    • Perry

                      What's the name and model of the switch? Maybe someone can reproduce it that way.

                      /Perry
                      doc.pfsense.org

                      • davidemiccone

                        @hoba:

                        It does block any not explicitly allowed traffic by default. If it is passing the traffic your switch is probably not set up correctly.

                        OK,
                        sorry, sorry, sorry to everyone :-[. I reset my switch to defaults and reconfigured all the VLANs, and now everything is working as expected.

                        • hoba

                          @davidemiccone:

                          @hoba:

                          It does block any not explicitly allowed traffic by default. If it is passing the traffic your switch is probably not set up correctly.

                          OK,
                          sorry, sorry, sorry to everyone :-[. I reset my switch to defaults and reconfigured all the VLANs, and now everything is working as expected.

                          It's better that it turned out this way than having a bug in pfSense  ;)

                          • mhab12

                            I just went through the same sequence of events, only it turned out that it really was pfSense that was allowing/routing packets between subnets.

                            I tried to create a rule to block traffic from one network to the other, but it didn't work. I tried placing that rule both before and after the default 'Allow/any' rule, no luck. The only solution I found was to add 'not destination other VLAN' to the 'Allow/any' rule. Now my traffic is restricted to its own VLAN. I'm on 1.2-RC2 built on Mon Aug 20 12:33:48 EDT 2007.

                            • GruensFroeschli

                              If you remove ALL rules, everything should be blocked (there is an invisible block-everything rule that is always there).
                              Then try to add rules that allow only what you want to allow, not an allow-all rule followed by other rules that block specific traffic.

                              We do what we must, because we can.

                              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                              • cmb

                                Block rules work fine if you put them in the right order and configure them correctly.

                                One thing you may see: for example, if you run a constant ping and then block that ping, the existing state doesn't get cleared by the firewall rule change (which is how virtually all commercial and open source firewalls work), so the pings will still get passed until you stop them and the state closes.

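The three points made above by mhab12 (a block rule placed after an allow-any rule never took effect), GruensFroeschli (allow only what is needed instead of allow-all plus blocks) and cmb (order matters, and existing states survive a rule change) can be seen together in one pf ruleset. The fragment below is an added example written for this page; it is neither code from the thread nor pfSense's generated ruleset. Interface names and subnets are taken from davidemiccone's first post (vlan0 = 10.0.3.0/24, vlan1 = 10.0.4.0/24, em0 = 10.0.2.0/24); which services the VLANs are allowed to reach is an assumption made here.

```pf
# Added example: hand-written pf.conf fragment, not from this thread and not
# pfSense's generated ruleset. Interfaces and subnets follow the first post;
# the allowed services (DNS on the firewall, Internet via WAN) are assumptions.

vlan3_if  = "vlan0"
vlan4_if  = "vlan1"
vlan3_net = "10.0.3.0/24"
vlan4_net = "10.0.4.0/24"
# every subnet that lives behind this firewall
table <local_nets> const { 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 }

# Default policy. pfSense adds an equivalent hidden rule; it is written out
# here so that the fragment is complete on its own.
block in log all

# pfSense generates each GUI rule with "quick", so the FIRST matching rule on
# an interface wins. The same keyword is used below for the same behaviour.

# WRONG (mhab12's first attempt): allow-any first, block second. The block on
# the second line is dead: a packet from 10.0.3.63 to 10.0.4.62 has already
# matched "pass ... to any" and been accepted before pf ever reaches it.
#pass  in quick on $vlan3_if inet from $vlan3_net to any       keep state
#block in quick on $vlan3_if inet from $vlan3_net to $vlan4_net

# RIGHT, variant 1 (what GruensFroeschli describes): no allow-any at all, only
# the traffic this VLAN actually needs. Anything not listed falls through to
# the default block, so a new VLAN added with no rules at all is isolated.
pass in quick on $vlan3_if inet proto { tcp udp } from $vlan3_net to ($vlan3_if) port 53 keep state
pass in quick on $vlan3_if inet from $vlan3_net to ! <local_nets> keep state

# RIGHT, variant 2 (mhab12's working rule): "allow any" with the destination
# negated, so the LAN and the other VLANs are excluded inside the pass itself
# instead of by a later block that would never be consulted.
pass in quick on $vlan4_if inet from $vlan4_net to ! <local_nets> keep state
```

Two checks go with this. First, the isolation the rules provide only matters once the switch side is right: with the firewall unplugged from the trunk port, a host in VLAN 3 must not be able to reach a host in VLAN 4 at all; if it can, the leak is in the switch's VLAN or trunk configuration (which is what the original poster eventually found), and no firewall rule will fix it. Second, after changing rules, connections that were already open keep their state entries, so a running ping keeps going; from the pfSense shell, `pfctl -k 10.0.3.63 -k 10.0.4.62` kills the states between those two hosts and `pfctl -F states` flushes all of them, after which the new rules are evaluated for the next packet. If hosts on VLAN 4 also use the firewall itself for DNS or DHCP, the negated destination in variant 2 excludes that address too, so add a pass rule to `($vlan4_if)` for those ports as in variant 1.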
                                • mhab12

                                  That's really good to know. I'm almost positive I was a victim of that very scenario. Thanks for the tip.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.