Netgate Discussion Forum

    What's needed

      richinspirit

      @podilarius:

      You don't have to GUI. You can back up your config, modify it, and then restore it. Course that will cause a reboot, but you can make major additions and changes by copy paste or find and replace. Used that method several times to change internet IPs while keeping the same rules.

      That is an awesome recommendation. I have a few changes to make for further testing and will give this a try, myself.

      Thanks.

        Sensi

        pod….. is a genius - assuming it works!!

        It makes perfect sense - I'm 100% cross with myself for not thinking of doing that myself (I must be getting old!).

          ptt

          Yes, as podilarius says, the easiest way to do some "major" changes is editing the config.XML.

          You make a backup of your working config, then create a "copy" of that backup and edit the "copy", then make the needed changes (I used it to reassign my interfaces), save it, then upload (restore) the config to your pfSense, "reboot" and "all" your changes are done.

            Sensi

            Creating these rules will take a bit of time - technically, there are 64 vLans (1-64) and a LAN and a WAN.  Only half a dozen vLans and the VoIP one (which is 64) are in use (I've created everything so far for the full 64 - a bit OTT, I guess!!)

              Sensi

              I've just had a bit of a worrying thought whilst entering Rich's suggestions.

              What I need is for the non VoIP vLans to be secure from access from each other - which he's covered.
              I need each vLan to be able to access the VoIP vLan - this also seems covered.
              Now the bit that has worried me a bit!!  Anyone who is on the VoIP vLan cannot be allowed access to the vLans - this is the bit that, possibly, seems to still be allowed/possible.

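The three requirements in the post above can be checked mechanically before a rule set is restored. This is an added example, not code from the thread or from pfSense: the /24 addressing (10.n.0.0/24 per vLan), the rule layout, and the names `build_rules`, `decide` and `audit` are assumptions made for illustration. It models first-match evaluation on the interface where traffic enters and reports every vLan pair that breaks the policy, including the case Sensi worries about where the VoIP vLan has no block rules.

```python
import ipaddress

VOIP = 64             # VoIP vLan id, from the thread
VLANS = range(1, 65)  # vLans 1-64, from the thread
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(n):
    # Assumed addressing: vLan n is 10.n.0.0/24 (thread shows 10.7.0.x and 10.64.0.x)
    return ipaddress.ip_network(f"10.{n}.0.0/24")

def host(n):
    # Constructed sample host inside vLan n
    return ipaddress.ip_address(f"10.{n}.0.100")

def build_rules(protect_from_voip=True):
    """Hypothetical per-interface rule lists of (action, src_net, dst_net)."""
    rules = {}
    for n in VLANS:
        others = [net(m) for m in VLANS if m not in (n, VOIP)]
        r = []
        if n != VOIP:
            r.append(("pass", net(n), net(VOIP)))       # data vLan -> VoIP vLan
        if n != VOIP or protect_from_voip:
            r += [("block", net(n), o) for o in others]  # no vLan-to-vLan access
        r.append(("pass", net(n), ANY))                  # everything else, e.g. internet
        rules[n] = r
    return rules

def decide(rules, iface, src, dst):
    """First matching rule on the ingress interface wins; no match means deny."""
    for action, s, d in rules[iface]:
        if src in s and dst in d:
            return action
    return "block"

def audit(rules):
    """Return (src_vlan, dst_vlan, got) for every pair that breaks the policy."""
    bad = []
    for a in VLANS:
        for b in VLANS:
            if a == b:
                continue
            want = "pass" if (b == VOIP and a != VOIP) else "block"
            got = decide(rules, a, host(a), host(b))
            if got != want:
                bad.append((a, b, got))
    return bad
```

Because the firewall is stateful, replies to a connection opened from a data vLan to the VoIP vLan are allowed by the existing state, so the block rules on the VoIP interface do not break the permitted direction.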
                Sensi

                I've just entered it all - but hit a problem.

                I have a computer on vLan64 and another on vLan7.  They DHCP fine but can't ping each other.  I don't want the 64 net to ping the 7, but I need 7 to have access to the 64.

                If I run tracert on 10.7.0.101 'TRACERT 10.64.0.100', it gets to 10.7.0.1 as the first step - but it doesn't get any further.

                This suggests a major problem - help!!!

                  wallabybob

                  @Sensi:

                  If I run tracert on 10.7.0.101 'TRACERT 10.64.0.100', it gets to 10.7.0.1 as the first step - but it doesn't get any further.

                  Have you checked the firewall log (Status -> System Logs, click on the Firewall tab)?

                  Is 10.64.0.100 configured to respond to tracert?

                    Sensi

                    Ahhh

                    My ping attempts are registering as coming from the WAN rather than vLan3.

                    I now think I know the problem - just not how to fix it!

                      Sensi

                      Maybe it's not blocking my pings - but doing its job?  All the entries are IGMPs with a source of the router and a destination of 224.0.0.1 (haven't a clue on that) on the interface of wan.

                        wallabybob

                        @Sensi:

                        All the entries are IGMPs with a source of the router and a destination of 224.0.0.1 (haven't a clue on that) on the interface of wan.

                        So if the firewall is dropping your traffic to 10.64.0.100 it is not logging it. For now you can ignore those entries in the firewall log which don't have a source IP address of 10.7.0.101 and a destination address of 10.64.0.100.

                        Please show your firewall rules for VLAN7 including any alias OR go through the rules for VLAN7 yourself to verify that access to vlan64 is allowed.

                        Another possibility is that 10.64.0.100 has some sort of firewall (e.g. Windows firewall) that is blocking tracert. Please check that out.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.