Netgate Discussion Forum

    Vlan trunking isolation problem SOLVED

    Problems Installing or Upgrading pfSense Software

      jamengual

      Hi guys.

      I just installed a pfSense machine connected to a Linksys switch with trunking, VLAN tagging and so on.

      I assigned the interfaces and VLANs and created different DHCP ranges for each VLAN, and it is working OK.

      The only problem I have is that pfSense is routing the traffic between VLANs, which means that a computer in VLAN10 can see a computer in VLAN20, and that is not the idea. I want to isolate the VLANs completely from each other and give NAT etc. to each one.

      I found a way to do that by creating firewall rules and groups, but…

      why, if I add a rule for VLAN10 to go to any destination, can it reach VLAN20?

      Is there any way to isolate the traffic between VLANs on pfSense without creating firewall rules?

      Thanks.

        blak111

        You could just modify the current allow rules to say not to your local networks.

          jamengual

          That's what I did.

          I created a group with my 13 VLANs and then I created 3 rules on each VLAN interface:

          One blocking the traffic from that VLAN subnet to all the VLANs
          One allowing the traffic from the VLAN subnet to itself
          One allowing the traffic from the VLAN subnet to any

          That is the way I use, but I was thinking of an easier solution, like the switch itself not permitting traffic between different VLANs, or like a wireless access point where you can disable peer-to-peer communication between clients.

          That is my idea, but I don't know if there is any other way to do it.

          Thanks.

            Perry

            What you want is to use a routing switch, and in my book it's probably one of the coolest things about pfSense that you don't need one.

            Before pfSense:
            Firewall -> Routing switch -> Vlan switch
            With pfSense:
            pfSense -> Vlan switch

            So it wouldn't be easier, because all the rules would have to be created on the routing switch, leaving pfSense to function as a plain cheap old firewall.

            I think you are maybe too focused on OPT NICs as VLANs and not as LAN2, LAN3 etc. (did that make sense :) ).

            Instead of creating an alias with subnets I use CIDR in rules:
            Block LAN3 net to 192.168.0.0/16  (default block of all local subnets)

            Hope it somehow helps ;)

            /Perry
            doc.pfsense.org

              jamengual

              That really makes sense.

              I never thought about that.

              And… the CIDR rules are the way to go. I just realized that my per-VLAN subnet ranges all start with 192.168.x.x, and of course I need only one rule to solve it.

              I think that I was too deep inside the problem without looking at all the possibilities.

              Thanks a lot.

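To show why the ordering discussed in this thread matters, here is a small simulation of pfSense-style first-match rule evaluation on one VLAN interface tab. It is an added example, not pfSense code; the VLAN subnet 192.168.10.0/24, the 192.168.0.0/16 "all local subnets" CIDR from Perry's post and the sample hosts are constructed for illustration. It reproduces the original behaviour (a lone "VLAN net to any" pass rule also permits traffic to other VLANs) and the fix (a block rule to 192.168.0.0/16 placed above the pass-any rule, with a pass rule for the VLAN's own subnet above that so the gateway address stays reachable).

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed values: "any" destination and the CIDR covering all local VLAN subnets.
ANY = ipaddress.ip_network("0.0.0.0/0")
ALL_LOCAL = ipaddress.ip_network("192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network    # ANY means "any destination"
    descr: str = ""


def vlan_rules(vlan_net: str, isolate: bool) -> List[Rule]:
    """Rule set for one VLAN interface tab, top to bottom as pfSense evaluates it."""
    net = ipaddress.ip_network(vlan_net)
    rules: List[Rule] = []
    if isolate:
        # Own subnet first, so the VLAN's gateway address (in this subnet) is not caught by the block.
        rules.append(Rule("pass", net, net, "allow VLAN net to itself"))
        # One CIDR block covers every 192.168.x.x VLAN; no per-VLAN alias needed.
        rules.append(Rule("block", net, ALL_LOCAL, "block VLAN net to all local subnets"))
    # The original rule that let VLAN10 reach VLAN20: "any" includes the other VLANs.
    rules.append(Rule("pass", net, ANY, "allow VLAN net to any (internet)"))
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; no match falls through to pfSense's implicit default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


if __name__ == "__main__":
    for isolate in (False, True):
        rules = vlan_rules("192.168.10.0/24", isolate=isolate)
        for dst in ("192.168.10.1", "192.168.20.7", "203.0.113.9"):
            print(f"isolate={isolate} 192.168.10.5 -> {dst}: {evaluate(rules, '192.168.10.5', dst)}")
```

With `isolate=False` the host in VLAN10 is passed to 192.168.20.7; with `isolate=True` that flow is blocked while the gateway and the internet destination are still passed.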