Rules for multiple VLANs
-
Hello again. I'm working on migrating from a FortiGate 200A to pfSense. Our current setup requires 22 VLANs that have full outbound access (anything on the internet) but that cannot access any other VLAN or the LAN. The LAN needs to access everything, but each VLAN must be 100% isolated. I can make it work by writing 22+ rules per VLAN, but that's a lot of rules for the firewall to parse, and a pain in the @$$. W/ Fortinet's interface I can write a rule VLAN 5 -> WAN1 and it does everything I need. Is there a way to write rules in pfSense using "interfaces" as the destination? Selecting WAN address doesn't exactly work for me. :(
I'm running v. 1.2.1 w/ an Intel Pro 1000 & an old 3Com as the WAN int (that will be upgraded if I can make this work).
I've been searching the forums and I feel like I'm missing something stupid & obvious. Thanks in advance for the help.
-
Not really a solution but some ideas that might lead to one:
Are the networks all in similar private subnets?
If they were all 192.168.x.x, you could block traffic to 192.168.0.0/16 that wasn't part of its own network. Not that it would be much better to manage, but you could also have aliases that consist of the disallowed networks for each VLAN, and have one rule that references the alias.
I agree, though, it seems like there should be a much easier way to accomplish the task.
-
Thanks Jimp.
My IP scheme is 10.10.VLAN ID.X/24
10.10.5.0/24, 10.10.6.0/24 etc…
Since the third octet is different in each subnet I think it would require the same large number of rules, unless I'm missing a better way to do this. I had thought about creating Aliases, and that's probably a better approach than writing 484 rules. yikes!
I wish that the drop down box had "WAN Access" or something. That would solve the situation.
-
I do such setups all the time.
Create an alias containing all the subnets you have (in the screenshot it is called "local_subnets").
1: The first rule is to ensure access to pfSense itself to be able to reach the DNS forwarder.
2: The second rule is multi-WAN specific.
3: The third rule is what interests you. The destination is set to "NOT local_subnets". Like this, users from the specific subnet can access anything except the subnets you defined in "local_subnets".
-
Ah. Genius.
…and they can still access PCs on the same subnet/VLAN because that doesn't get routed. I love it.
...trying it now.
-
Thanks Jimp.
My IP scheme is 10.10.VLAN ID.X/24
10.10.5.0/24, 10.10.6.0/24 etc…
Since the third octet is different in each subnet I think it would require the same large number of rules, unless I'm missing a better way to do this. I had thought about creating Aliases, and that's probably a better approach than writing 484 rules. yikes!
You could still encompass all of these subnets with "10.10.0.0/16" and only use one rule.
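The per-VLAN rule list described above (reach pfSense for DNS, then "NOT local_subnets", then the implicit default deny), modelled as a first-match evaluator so the behaviour of the alias version and of the single 10.10.0.0/16 rule can be compared. This is an added example, not code from the thread or from pfSense; the 10.10.<VLAN>.0/24 subnets, the 10.10.1.0/24 LAN and the .1 interface addresses are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed alias "local_subnets": the 22 VLAN /24s plus an assumed LAN.
LOCAL_SUBNETS = [ip_network(f"10.10.{vid}.0/24") for vid in range(5, 27)]
LOCAL_SUBNETS.append(ip_network("10.10.1.0/24"))   # assumed LAN subnet
# The follow-up post's alternative: one supernet covering every 10.10.x.x network.
SUPERNET_ALIAS = [ip_network("10.10.0.0/16")]

def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    return any(addr in net for net in alias)

def vlan_rules(vid, alias):
    """Rules evaluated on the VLAN interface, first match wins.
    Each entry is (action, predicate(dst, dport)). The multi-WAN rule
    from the post is omitted since it is not part of the isolation logic."""
    gateway = ip_address(f"10.10.{vid}.1")   # assumed interface address
    return [
        # 1: let clients reach pfSense itself for the DNS forwarder
        ("pass", lambda dst, dport: dst == gateway and dport == 53),
        # 3: destination "NOT local_subnets" -> anything that is not local
        ("pass", lambda dst, dport: not in_alias(dst, alias)),
        # implicit default deny that closes every interface's rule list
        ("block", lambda dst, dport: True),
    ]

def decide(src_vlan, dst, dport, alias=LOCAL_SUBNETS):
    """Return 'pass' or 'block' for a packet entering on VLAN src_vlan.
    Traffic between hosts of the same VLAN never reaches the firewall,
    so asking about it here is meaningless (it is switched, not routed)."""
    dst = ip_address(dst)
    for action, matches in vlan_rules(src_vlan, alias):
        if matches(dst, dport):
            return action
    return "block"

if __name__ == "__main__":
    for vid, dst, port in [(5, "93.184.216.34", 443),   # internet host
                           (5, "10.10.6.10", 445),      # another VLAN
                           (5, "10.10.5.1", 53),        # DNS on pfSense
                           (5, "10.10.40.1", 80)]:      # 10.10.x not in alias
        print(vid, dst, port, decide(vid, dst, port),
              decide(vid, dst, port, alias=SUPERNET_ALIAS))
```

The last sample shows the practical difference: a 10.10.x.x network that was never added to the alias is reachable under the alias version but blocked by the /16 rule, so the supernet is the safer default when new VLANs are added.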
-
Yeah that is easier since it doesn't matter if the local subnet is blocked.
You guys rock. & thanks for my 1.2.1 X-mas present. ;)
-
Hello,
(As my question is around this topic I post it here instead of creating a new one)
I would like to create allow rules for different VLANs with 1 rule…
Example: allow access to the web from all VLANs (from one rule)
I have created a rule as explained above with success, but this rule has to be created in each VLAN.
Is there a way to create an outgoing rule one time (on one VLAN?) which will work for several VLANs? If my question is not clear, not clearly explained, don't hesitate to tell me.
Thanks
David
-
@MrD:
(As my question is around this topic I post it here instead of creating a new one)
I would like to create allow rules for different VLANs with 1 rule…
Example: allow access to the web from all VLANs (from one rule)
I have created a rule as explained above with success, but this rule has to be created in each VLAN.
Is there a way to create an outgoing rule one time (on one VLAN?) which will work for several VLANs? If my question is not clear, not clearly explained, don't hesitate to tell me.
This is not possible with pfSense 1.2.x, but it is in 2.0-alpha. There, you can configure an "interface group" and then add rules to the group. In 1.2.x, you must add rules to every interface.
-
Thanks for the information
Have a nice day
D