    Disable routing between VLANs

    Firewalling
    17 Posts 6 Posters 12.2k Views
    • davidemiccone

      Thank you for the suggestions.

      What I have not understood is why, if I don't specify any rule, traffic between different VLANs passes. I thought (I read it in the documentation) that the default policy was block.

      Hosts on same VLAN don't need to pass through firewall, so I don't need the rule Pass from [Net12 net] to [192.168.12.0/24], as you know Layer 2 switches automatically connect hosts on the same VLAN (just like a physical connection).

      My job is to guarantee isolation between different workgroups. Workstations are managed by individuals (workstation management is not my task).
      I can limit access by IP address using firewall rules, but the user can change her IP address and bypass the rule. The workgroup constantly purchases new workstations or notebooks, and the setup is done by the users themselves.

      The above is the reason why routing between VLANs has to be disabled.

      Is the default behaviour that allows traffic to pass between VLANs by design, or is it a bug?

      Davide

      • hoba

        It does block any not explicitly allowed traffic by default. If it is passing the traffic your switch is probably not set up correctly.

        • davidemiccone

          @hoba:

          It does block any not explicitly allowed traffic by default. If it is passing the traffic your switch is probably not set up correctly.

          VLANs on my switch are correctly set up: if I unplug the firewall from the switch, hosts don't communicate. So it is pfSense that does the routing. I'm working with a clean pfSense installation (1.2-BETA-1-PRERELEASE-SNAPSHOT-04-23-07-pfSense) in a test environment (after I saw the problem for the first time in production).

          Any advice will be appreciated.

          • davidemiccone

            No one reproduced the problem?

            Does anyone have the same type of installation (pfSense using VLANs) with the same version (1.2-BETA-1-PRERELEASE-SNAPSHOT-04-23-07-pfSense) that works correctly?

            Any feedback will be appreciated.

            • cmb

              It's a configuration issue of some sort; traffic that is not allowed gets denied. I just tested it with my VLAN setup and it worked so well it dropped me off the Internet, from accessing other VLANs, and from getting into the webGUI! It took me 15 minutes to find a machine to let myself back in…  :P

              There are a LOT of people running VLAN setups with versions similar to yours who don't have any issues.

              Go to status.php and paste the entire screen here, or if you'd rather not publicly post it, email it to me at cbuechler@gmail.com.

              • Perry

                What's the name and model of the switch? Maybe someone can reproduce it that way.

                /Perry
                doc.pfsense.org

                • davidemiccone

                  @hoba:

                  It does block any not explicitly allowed traffic by default. If it is passing the traffic your switch is probably not set up correctly.

                  Ok,
                  sorry sorry sorry to everyone  :-[. I reset my switch to default and I reconfigured all the VLANs and now all is working as expected.

                  • hoba

                    @davidemiccone:

                    @hoba:

                    It does block any not explicitly allowed traffic by default. If it is passing the traffic your switch is probably not set up correctly.

                    Ok,
                    sorry sorry sorry to everyone  :-[. I reset my switch to default and I reconfigured all the VLANs and now all is working as expected.

                    It's better that it turned out this way than having a bug in pfSense  ;)

                    • mhab12

                      I just went through the same sequence of events, only it turned out that it really was pfSense that was allowing/routing packets between subnets.

                      I tried to create a rule to block traffic from one network to the other, but it didn't work.  I tried placing that rule both before and after the default 'Allow/any' rule, no luck.  The only solution I found was to add 'not destination other VLAN' to the 'Allow/any' rule.  Now my traffic is restricted to its own VLAN.  I'm on 1.2-RC2 built on Mon Aug 20 12:33:48 EDT 2007.

                      • GruensFroeschli

                        If you remove ALL rules, everything should be blocked (there is an invisible block-everything rule that is always there).
                        Then add rules that allow only what you want to allow, not an Allow-all rule followed by other rules that block specific traffic.

                        We do what we must, because we can.

                        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                        • cmb

                          Block rules work fine if you put them in the right order and configure them correctly.

                          One thing you may see, for example if you run a constant ping and then block that ping: the existing state doesn't get cleared by the firewall rule change (which is how virtually all commercial and open source firewalls work), so the pings will still get passed until you stop them and the state closes.

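As an added illustration (not code from this thread or from pfSense itself): a small Python model of first-match rule evaluation plus a state table, reproducing the three situations discussed above, namely a block rule placed after "allow any", mhab12's "not destination other VLAN" fix, and cmb's point that an existing state survives a rule change. The subnets and host addresses are constructed sample values, and pf's real matching is far richer than this.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: str                  # source network (a VLAN subnet)
    dst: str                  # destination network
    negate_dst: bool = False  # models "not destination <other VLAN>"

    def matches(self, src, dst):
        in_dst = ip_address(dst) in ip_network(self.dst)
        return ip_address(src) in ip_network(self.src) and in_dst != self.negate_dst

@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    states: set = field(default_factory=set)  # established (src, dst) flows

    def packet(self, src, dst):
        if (src, dst) in self.states:
            return "pass"                     # state lookup wins; rules are not consulted
        for rule in self.rules:               # first match decides
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))   # stateful: remember the allowed flow
                return rule.action
        return "block"                        # the invisible block-everything rule

NET12, NET13, ANY = "192.168.12.0/24", "192.168.13.0/24", "0.0.0.0/0"  # constructed sample nets

def block_after_allow_any():
    # mhab12's first attempt: a block rule placed after "allow any" is never reached
    fw = Firewall([Rule("pass", NET12, ANY), Rule("block", NET12, NET13)])
    return fw.packet("192.168.12.10", "192.168.13.10")            # -> "pass"

def allow_any_except_other_vlan():
    # mhab12's fix: negated destination on the pass rule; the other VLAN falls to default deny
    fw = Firewall([Rule("pass", NET12, NET13, negate_dst=True)])
    return (fw.packet("192.168.12.10", "192.168.13.10"),          # -> "block"
            fw.packet("192.168.12.10", "203.0.113.5"))            # -> "pass"

def state_outlives_rule_change():
    # cmb's caveat: a running ping keeps passing after a block rule is added until its state is gone
    fw = Firewall([Rule("pass", NET12, ANY)])
    fw.packet("192.168.12.10", "192.168.13.10")                   # ping starts, state is created
    fw.rules = [Rule("block", NET12, NET13), Rule("pass", NET12, ANY)]  # rule reload keeps states
    still_passing = fw.packet("192.168.12.10", "192.168.13.10")   # -> "pass"
    fw.states.clear()                                             # operator resets the state table
    return still_passing, fw.packet("192.168.12.10", "192.168.13.10")  # -> ("pass", "block")
```

On a real pfSense box the equivalent of the last step is resetting the state table (or killing the specific states) after the rule change, which is what makes a new block rule take effect on already-running flows.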
                          • mhab12

                            That's really good to know.  I'm almost positive I was a victim of that very scenario.  Thanks for the tip.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.