Need Help With Firewall rules and VLAN
-
Hi,
I've searched the forums for help but it has been confusing for a newb. Here is what I want to do:
I have a pfsense box with 4 lans (10,20,30,40).
-All lans must be able to access the internet
-Lan 10 must be able to access lans 20,30,40
-lans 20,30,40 cannot access lan 10.
I have played around with aliases and firewall rules but can't seem to get the result I want. If anybody could help or post some screenshots that would be of much help.
Thank You
-
Post Screenshots of your Rules (Lans 10 20 30 40)
-
4 networks (vlans) LAN, opt1, opt 2 and opt 3
So far this is what I've got on all four. I have removed all the rules I've been playing with and the internet works on all 4 lans. Now I just need to know how to block inter-lan communications with the exception of lan to opt1-3.
I think I need a block rule something like this for lan:
Source opt 1 net , destination lan net
Source opt 2 net , destination lan net
Source opt 3 net , destination lan net
-
Do you want to block only from lan to vlans?
If so, you could create a network alias and put all the vlan subnets in it.
After that, make the following rule:
Action: Block
Disabled: unchecked
Interface: LAN
Protocol: Any
Source: LAN Subnet
Destination: select "Single host or alias" and type your newly created alias name into the box
Description: something useful
Make sure that this rule is the second rule from the top.
-
No the other way around, I want to block all opt and lan interfaces communicating from each other, ie isolating them to nothing but the internet.
opt1 to opt 2, opt 3 and lan = block
opt2 to opt1, opt3 and lan = block
opt3 to opt1, opt2 and lan = block
While we're at it, I also want to block the web configuration portal from all the opt interfaces as well.
But if possible I would like to be able to communicate from lan to the opt interfaces so that I can configure access points and such.
lan to opt1, opt2 and opt3 = pass
-
If so, you could create a network alias and put all the vlan subnets in it.
After that, make the following rule:
Action: Block
Disabled: unchecked
Interface: LAN
Protocol: Any
Source: LAN Subnet
Destination: select "Single host or alias" and type your newly created alias name into the box
Description: something useful
Make sure that this rule is the second rule from the top.
After much thinking I took this suggestion and modified it as follows:
-created 3 aliases: (lan, opt2, opt3), (lan, opt1, opt3) and (lan, opt1, opt2)
-created firewall rules on each opt interface:
Action: Block
Disabled: unchecked
Interface: opt1 (opt2, opt3)
Protocol: Any
Source: opt1 (opt2, opt3) Subnet
Destination: Single host or alias, selected alias1 (alias2, alias3)
Description: something useful
Doing this has allowed me to block optx to lan traffic and still have the internet on the optx interfaces.
I am able to access the optx vlans from lan.
As for blocking the web GUI from the optx interfaces, I created an alias with the fixed IPs of the lan and optx interfaces and created the following rule on the optx interfaces:
Action: Block
Disabled: unchecked
Interface: opt1 (opt2, opt3)
Protocol: tcp/udp
Source: opt1 (opt2, opt3) Subnet
Destination: Single host or alias, selected alias_fixed_ips
Port: 443 (HTTPS)
Description: something useful
That seems to have done the trick.
If I missed something or if there is a better way of doing it, please let me know.
-
Are the subnets 10/20/30/40 part of the same supernet? If so, you could just block that on every interface.
i.e. on LAN 192.168.20.0/24 you could just block 192.168.0.0/16 which would contain all other subnets without having to use an alias.
If you want to use an alias, a single one containing 10/20/30/40 should be enough - traffic destined for the local subnet won't reach the firewall anyway, so there is no need to have several aliases each containing all but the current subnet.
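As an added illustration (not part of this thread, and not pfSense's own code): the following Python model replays pfSense's first-match evaluation of interface rules over the rule set the thread arrives at, so the isolation described in the posts above can be checked before it is clicked into the GUI. The subnets (one /24 per VLAN under 192.168.0.0/16), the .1 interface addresses standing in for alias_fixed_ips, and the .50 sample hosts are all constructed assumptions. It builds both variants from the reply above (one alias holding all four subnets, or the /16 supernet) and shows they give the same result; it also shows that a block aimed at an alias containing the interface's own subnet catches traffic to the firewall's own interface address, so a pass for a service the clients need from the firewall (DNS, assumed here) has to sit above that block.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing: the thread never states its real subnets,
# so one /24 per VLAN under a common 192.168.0.0/16 supernet is assumed.
SUBNETS = {
    "lan":  ipaddress.ip_network("192.168.10.0/24"),
    "opt1": ipaddress.ip_network("192.168.20.0/24"),
    "opt2": ipaddress.ip_network("192.168.30.0/24"),
    "opt3": ipaddress.ip_network("192.168.40.0/24"),
}
SUPERNET = ipaddress.ip_network("192.168.0.0/16")
# Constructed fixed interface addresses (.1 on each VLAN): the thread's "alias_fixed_ips".
IFACE_ADDR = {name: net.network_address + 1 for name, net in SUBNETS.items()}
FIXED_IPS = [ipaddress.ip_network(f"{a}/32") for a in IFACE_ADDR.values()]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    src: List[ipaddress.IPv4Network]   # source networks (an alias is just a list)
    dst: List[ipaddress.IPv4Network]   # destination networks
    proto: str = "any"                 # "any", "tcp", "udp" or "tcp/udp"
    dport: Optional[int] = None        # None means any destination port
    desc: str = ""


def _matches(rule, src_ip, dst_ip, proto, dport):
    if rule.proto != "any" and proto not in rule.proto.split("/"):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return any(src_ip in n for n in rule.src) and any(dst_ip in n for n in rule.dst)


def build_rules(style="alias"):
    """Per-interface rule lists, top to bottom as they would appear in the GUI.
    style="alias": one alias holding all four subnets is blocked on every opt interface.
    style="supernet": the /16 is blocked instead, as the later reply suggests."""
    blocked = list(SUBNETS.values()) if style == "alias" else [SUPERNET]
    rules = {"lan": [Rule("pass", [SUBNETS["lan"]], ANY, desc="LAN may reach everything")]}
    for opt in ("opt1", "opt2", "opt3"):
        me = [SUBNETS[opt]]
        own_addr = [ipaddress.ip_network(f"{IFACE_ADDR[opt]}/32")]
        rules[opt] = [
            Rule("block", me, FIXED_IPS, proto="tcp/udp", dport=443, desc="no web GUI from opt"),
            # Assumed addition: the block below also covers this interface's own address,
            # so a service the clients need from the firewall (DNS here) is passed first.
            Rule("pass", me, own_addr, proto="tcp/udp", dport=53, desc="DNS to this firewall"),
            Rule("block", me, blocked, desc="no traffic to any other VLAN"),
            Rule("pass", me, ANY, desc="everything else, i.e. the internet"),
        ]
    return rules


def evaluate(rules, iface, src, dst, proto="tcp", dport=80):
    """First-match evaluation on the interface the packet enters, which is how pfSense
    applies interface rules; no match means the implicit default deny. Traffic between
    two hosts on the same VLAN is switched and never reaches the firewall, reported as
    "local" (the firewall's own interface address is the exception)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip in SUBNETS[iface] and dst_ip != IFACE_ADDR[iface]:
        return "local"
    for rule in rules[iface]:
        if _matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action
    return "block"


def isolation_matrix(rules):
    """Decision for host .50 on each VLAN talking to host .50 on every VLAN."""
    hosts = {name: str(net.network_address + 50) for name, net in SUBNETS.items()}
    return {(a, b): evaluate(rules, a, hosts[a], hosts[b]) for a in SUBNETS for b in SUBNETS}


if __name__ == "__main__":
    for style in ("alias", "supernet"):
        rules = build_rules(style)
        print(f"--- {style} ---")
        for (a, b), verdict in sorted(isolation_matrix(rules).items()):
            print(f"{a:>5} -> {b:<5} {verdict}")
        print("opt1 -> internet:", evaluate(rules, "opt1", "192.168.20.50", "203.0.113.9", "tcp", 443))
        print("opt1 -> own GUI :", evaluate(rules, "opt1", "192.168.20.50", "192.168.20.1", "tcp", 443))
```

Running it prints a 4x4 matrix in which every opt row is "block" towards the other VLANs, the lan row is "pass", and the diagonal is "local", identically for both styles. The DNS pass rule is the part worth reviewing in a real deployment: which services the opt clients take from the firewall itself is site-specific, and each of them needs its own pass above the all-subnets block.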
-
This guide has screenshots about firewalling your VLANS. This is what I have used in the past.
http://networktechnical.blogspot.com/2007/04/pfsense-how-to-setup-vlans.html