VLAN to VLAN
-
Please post your firewall rules for interfaces LAN, VoIP and Video.
-
Standard Rules. Same as default LAN. Always had these in.
ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
    TCP/UDP  VOIP net   *     *            *     *        none             VoIP
    TCP/UDP  VIDEO net  *     *            *     *        none             Video
    -        LAN net    *     *            *     *        none             Default allow LAN to any rule
-
If I'm not mistaken, those rules actually allow access between VLANs, not prevent it. You need to change the rules to something like:
ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
    TCP/UDP  VOIP net   *     VOIP net     *     *        none             VoIP
    TCP/UDP  VIDEO net  *     VIDEO net    *     *        none             Video
    *        LAN net    *     LAN net      *     *        none             Default allow LAN to any rule
The only other thing you need is a rule to allow internet access to each VLAN as well; I would provide it but I am in the process of figuring that part out myself. Assuming your VLANs all have different subnets, perhaps when you tested originally, the devices you pinged had their own firewalls which blocked the traffic from a different subnet and the device you pinged recently does not. All supposition of course, not knowing all the details of your setup.
-
I assume those rules posted are PASS rules rather than BLOCK rules.
Firewall rules are processed top down, terminating on first match.
On VoIP interface, to allow access to the internet and block access to LAN subnet AND Video subnet you could use a ruleset like the following:
ID     Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
BLOCK  TCP/UDP  VOIP net  *     VIDEO net    *     *        none             Block VoIPnet to Videonet
BLOCK  TCP/UDP  VOIP net  *     LAN net      *     *        none             Block VoIPnet to LAN net
ALLOW  TCP/UDP  VOIP net  *     *            *     *        none             Allow VoIP to everywhere else
You might want to enable logging on some of the block rules to see who is trying to get somewhere they shouldn't go.
-
If I'm not mistaken, those rules actually allow access between VLANs, not prevent it. You need to change the rules to something like:
ID  Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
    TCP/UDP  VOIP net  *     VOIP net     *     *        none             VoIP
A rule configured as above, assuming this is an 'allow' rule, would allow access only to the VOIP subnet. You would not have internet access with this rule!
Steve
-
An even easier solution would be to use aliases.
Create an alias containing all your local subnets.
Assuming that all your local subnets are RFC1918:
Alias: rfc1918_nets
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Now create a single allow rule with destination NOT the rfc1918_nets alias.
ID     Proto    Source    Port  Destination    Port  Gateway  Queue  Schedule  Description
ALLOW  TCP/UDP  VOIP net  *     !rfc1918_nets  *     *        none             Allow all destinations except local ones.
-
I know, I said that in my post. :)
If I'm not mistaken, those rules actually allow access between VLANs, not prevent it. You need to change the rules to something like:
ID  Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
    TCP/UDP  VOIP net  *     VOIP net     *     *        none             VoIP
A rule configured as above, assuming this is an 'allow' rule, would allow access only to the VOIP subnet. You would not have internet access with this rule!
Steve
-
@Swordforthelord
Ah OK, should have read more carefully! :-[
Still, the rules you have posted there do virtually nothing. They only allow traffic to access services on the pfSense box itself.
Clearly there is no need to allow traffic with source subnet123 and destination subnet123, as most of this traffic is not going through pfSense anyway.
@GruensFroeschli
I use an alias just as you've described; however, I've always wondered if such an alias does not exist anyway. It seems to be used in the 'block private networks' rule if enabled. Does it exist behind the scenes?
Steve
-
All,
The LAN rule is the default rule set during pfsense install. I did not create it. Other posts on these forums showed how to give the VoIP and Video VLANs access to the internet, and that's what I have put in the rules.
Furthermore, these rules have been in effect for the last 4 months with no issues. I was not able to communicate with the other VLANs from one. In fact I had posted this very topic where I was not able to get VLANs to talk to each other, and I was advised not to do it for security purposes, and it made sense.
Now the problem: I do not want the VLANs seeing or talking to each other. I have not changed anything on the smart switch since the day the network was configured.
Maybe I need to do a clean install of pfSense?
-
Well I don't understand how that could have happened. :-
The rules you posted here will allow traffic between interfaces.
I suggest you do as GruensFroeschli described above:
Create an alias that contains all your local subnets.
Change the firewall rules for each interface to allow traffic with destination 'not local subnets'.
You will also have to put in a rule above that to allow access to the pfSense DNS forwarder on port 53 on the VLANs.
Steve
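To see why the rulesets in this thread behave so differently, here is a small first-match simulator. It is an added example, not code from the thread or from pfSense: it applies the processing wallabybob describes (top down, first match wins, implicit block when nothing matches) to the four VOIP-interface rulesets posted above. The subnets are the ones the original poster listed (10.0.1.0/24 LAN, 10.0.2.0/24 VOIP, 10.0.3.0/24 VIDEO); the phone address 10.0.2.50, the hosts 10.0.1.20 and 10.0.3.20, the public address 198.51.100.10 and the DNS forwarder on the VOIP interface address 10.0.2.1 are constructed test values. Protocol is ignored; only addresses and the destination port are matched.

```python
"""First-match evaluation of the VOIP-interface rulesets discussed in this thread.

Added example, not code from the thread or from pfSense. Subnets are the ones
posted; the test addresses (10.0.2.50, 10.0.1.20, 10.0.3.20, 198.51.100.10,
DNS forwarder at 10.0.2.1) are constructed.
"""
from ipaddress import ip_address, ip_network

# Interface subnets as listed in the thread.
NETS = {
    "LAN net": ip_network("10.0.1.0/24"),
    "VOIP net": ip_network("10.0.2.0/24"),
    "VIDEO net": ip_network("10.0.3.0/24"),
}

# The alias GruensFroeschli suggests: every RFC 1918 range.
ALIASES = {
    "rfc1918_nets": [ip_network("10.0.0.0/8"),
                     ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")],
}


def expand(spec):
    """Resolve a source/destination spec to (list of networks, negated)."""
    negated = spec.startswith("!")
    name = spec.lstrip("!")
    if name == "*":
        return [ip_network("0.0.0.0/0")], negated
    if name in NETS:
        return [NETS[name]], negated
    if name in ALIASES:
        return ALIASES[name], negated
    return [ip_network(name)], negated   # a literal host or CIDR


def matches(spec, addr):
    """True when addr satisfies spec, honouring the '!' (NOT) prefix."""
    nets, negated = expand(spec)
    hit = any(addr in net for net in nets)
    return hit != negated


def evaluate(rules, src, dst, dport=None):
    """Return 'pass' or 'block' for the first rule matching src/dst/dport.

    rules is a list of (action, source_spec, destination_spec, dest_port);
    dest_port None means any port. No match means the implicit default
    deny applies, as it does on a pfSense interface.
    """
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d, port in rules:
        if matches(s, src) and matches(d, dst) and port in (None, dport):
            return action
    return "block"


# The four VOIP-interface rulesets that appear in the thread.
ORIGINAL = [("pass", "VOIP net", "*", None)]                 # what the OP has
SAME_NET_ONLY = [("pass", "VOIP net", "VOIP net", None)]     # first suggested fix
BLOCK_THEN_PASS = [                                          # wallabybob's version
    ("block", "VOIP net", "VIDEO net", None),
    ("block", "VOIP net", "LAN net", None),
    ("pass", "VOIP net", "*", None),
]
ALIAS_VERSION = [                                            # alias version plus the DNS rule above it
    ("pass", "VOIP net", "10.0.2.1", 53),
    ("pass", "VOIP net", "!rfc1918_nets", None),
]


def check(rules):
    """Outcome for a phone on the VOIP VLAN talking to each kind of destination."""
    phone = "10.0.2.50"
    return {
        "to_lan": evaluate(rules, phone, "10.0.1.20"),
        "to_video": evaluate(rules, phone, "10.0.3.20"),
        "to_internet": evaluate(rules, phone, "198.51.100.10"),
        "to_dns": evaluate(rules, phone, "10.0.2.1", dport=53),
    }


if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("same net only", SAME_NET_ONLY),
                        ("block then pass", BLOCK_THEN_PASS), ("alias", ALIAS_VERSION)]:
        print(f"{name:16} {check(rules)}")
```

Running it shows the original ruleset passing everything, including phone to LAN and phone to Video; the "VOIP net to VOIP net" rule passing only the DNS query and blocking the internet; and both the block-then-pass and the alias rulesets blocking the other VLANs while passing the internet. Drop the port 53 rule from the alias version and the DNS query to the forwarder is blocked too, because 10.0.2.1 falls inside the negated alias. The simulator only models traffic that reaches pfSense; hosts on the same VLAN talk through the switch and never hit these rules, which is Steve's point above.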
-
I have the same subnet mask (24) across all 3 VLANs. Could that be an issue?
WAN (wan) -> em0 -> x.x.x.x (DHCP)
LAN (lan) -> em1_vlan1 -> 10.0.1.1 (earlier it was subnet mask 8, could this be why I couldn't ping other VLANs)
VOIP (opt1) -> em1_vlan2 -> 10.0.2.1
VIDEO (opt2) -> em1_vlan3 -> 10.0.3.1
-
The only way to be sure that there is no connection/communication between different VLANs is this:
@wallabybob:
I assume those rules posted are PASS rules rather than BLOCK rules.
Firewall rules are processed top down, terminating on first match.
On VoIP interface, to allow access to the internet and block access to LAN subnet AND Video subnet you could use a ruleset like the following:
ID     Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
BLOCK  TCP/UDP  VOIP net  *     VIDEO net    *     *        none             Block VoIPnet to Videonet
BLOCK  TCP/UDP  VOIP net  *     LAN net      *     *        none             Block VoIPnet to LAN net
ALLOW  TCP/UDP  VOIP net  *     *            *     *        none             Allow VoIP to everywhere else
or this one:
An even easier solution would be to use aliases.
Create an alias containing all your local subnets.
Assuming that all your local subnets are RFC1918:
Alias: rfc1918_nets
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Now create a single allow rule with destination NOT the rfc1918_nets alias.
ID     Proto    Source    Port  Destination    Port  Gateway  Queue  Schedule  Description
ALLOW  TCP/UDP  VOIP net  *     !rfc1918_nets  *     *        none             Allow all destinations except local ones.