Netgate Discussion Forum

Block Traffic Between Subnets?

General pfSense Questions
12 Posts 5 Posters 4.3k Views
  • L
    Longhair
    last edited by Sep 17, 2014, 10:28 AM

    I would like to block traffic between subnets while having Internet access for all. I tried following this guide: Isolating Subnets in pfSense

    Unfortunately, I am not able to access the Internet anymore.

    I'm very new to pfSense and a lot of what I have been reading is going over my head.

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Sep 17, 2014, 11:26 AM

      Why would you try to use such a shitty guide??

      So let's call your "subnets" lan1 and lan2. I assume you have 2 lan interfaces on pfsense, right - or are these vlans using one physical interface?

      So lan1, or the default lan, has a rule out of the box that is any any - this allows your lan clients to go wherever they want: internet, other segments connected to pfsense on OPT interfaces, etc.

      When you create a new segment on a new interface, OPT1 for example, there are no default rules - nothing.  If you want it to be the same as lan then you would create a new rule any any and everyone can talk to everyone.

      Now if you rename your lan to lan1 and your opt1 to lan2 the rules are this simple:

      If you do not want lan1 to talk to lan2, a simple rule change on that default any any rule: change it to dest ! lan2.

      On lan2 make dest ! lan1.

      This rule means NOT lan1 or NOT lan2 as your destination - so they can go to the internet, but they cannot go to your other lan segment.

      See attached pictures.

      1st pic is the default lan rule that allows any any.
      2nd pic is the rule created on your 2nd segment just like the default any any - everyone can now talk to everyone, even the internet.

      3rd pic is how you edit the rule - dest ! (not) and the other lan.
      4th is showing the rule for lan1 that can NOT go to lan2.
      5th is showing the rule for lan2 that can NOT go to lan1.

      There you go, your segments cannot talk to each other.  If you want to allow specific things to talk between them then you would create the specific allow rule you want above the NOT rule.

      [Attachments: outofboxrules.png, allowanyopt1-lan2.png, notrulecreation.png, notlan2.png, notlan1.png]

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • S
        stephenw10 Netgate Administrator
        last edited by Sep 18, 2014, 2:03 AM

        Agreed, that guide is horrible. It seems to exhibit some pretty fundamental lack of understanding throughout.
        The OP wasn't to know that though.

        Steve

        • L
          Longhair
          last edited by Sep 19, 2014, 9:41 AM

          johnpoz - Thank you very much for making it very easy to understand  :)

          I'm using a quad-port Intel nic in a spare computer (no VMs).

          It took a few minutes but I have it working now after following your post.

          When I had your 2nd pic rule (LAN2 … any) with the 5th pic rule (LAN2 net ... ! Lan1 net) together, nothing was blocked even when changing the order. Once I removed the Lan2 ... any rule, there is Internet access.

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Sep 19, 2014, 6:26 PM

            @stephenw10:

            Agreed, that guide is horrible. It seems to exhibit some pretty fundamental lack of understanding throughout.
            The OP wasn't to know that though.

            I don't know, this comment he makes at the bottom kind of tells me it's gibberish ;)

            "It could very well be that my approach is STILL all wrong. Maybe it is catastrophically wrong! I feel stupid even posting this on the Internet,"

            "When I had your 2nd pic rule (LAN2 … any) with the 5th pic rule (LAN2 net ... ! Lan1 net) together"

            What rules did you have together - there should not be any rules together on your interfaces in this simple setup.  Only when you were going to make exceptions to this rule would you put rules above it.  Rules are parsed top down when looking at interfaces in pfsense.


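Added example, not code from the thread or from the pfSense project: a small Python first-match simulator of how pfSense evaluates an interface's rules (top down, first match wins, implicit default deny at the end). It reproduces why the "allow any" rule from the 2nd pic and the "dest ! lan1" rule together block nothing in either order (both are pass rules; only the default deny ever blocks), and how an exception placed above the NOT rule behaves. The subnet and host addresses are constructed sample values; source matching is left out since every rule here uses the interface's own net as source.

```python
# Added example (not from the thread): a minimal first-match simulator for
# pfSense interface rules. pfSense evaluates an interface's rules top-down,
# the first matching rule wins, and anything no rule matches is dropped by
# the implicit default deny. Networks below are constructed sample values.
from ipaddress import ip_address, ip_network

LAN1 = ip_network("192.168.1.0/24")   # sample "lan1" (the default LAN)
LAN2 = ip_network("192.168.2.0/24")   # sample "lan2" (OPT1 renamed)

def dest_matches(dst, selector):
    """selector: 'any', a network, or ('not', network) for the '!' invert."""
    if selector == "any":
        return True
    if isinstance(selector, tuple):        # ('not', net) -> destination ! net
        return ip_address(dst) not in selector[1]
    return ip_address(dst) in selector

def evaluate(rules, dst):
    """Return 'pass' or 'block' for a packet leaving lan2 towards dst."""
    for action, selector in rules:
        if dest_matches(dst, selector):
            return action                  # first matching rule wins
    return "block"                         # pfSense implicit default deny

# johnpoz's layout for lan2: a single pass rule, destination ! lan1 net
lan2_only_not = [("pass", ("not", LAN1))]

# what Longhair had: the "allow any" rule together with the NOT rule,
# in both orders. Neither order blocks anything: the NOT rule never
# matches lan1 destinations, so "pass any" is reached either way.
lan2_any_then_not = [("pass", "any"), ("pass", ("not", LAN1))]
lan2_not_then_any = [("pass", ("not", LAN1)), ("pass", "any")]

# an exception above the NOT rule: lan2 may reach one host on lan1
lan2_with_exception = [("pass", ip_network("192.168.1.10/32")),
                       ("pass", ("not", LAN1))]

if __name__ == "__main__":
    layouts = [("only NOT rule", lan2_only_not),
               ("any then NOT", lan2_any_then_not),
               ("NOT then any", lan2_not_then_any),
               ("exception + NOT", lan2_with_exception)]
    for name, rules in layouts:
        print(f"{name:16} -> lan1 host .10: {evaluate(rules, '192.168.1.10')}, "
              f"lan1 host .20: {evaluate(rules, '192.168.1.20')}, "
              f"internet: {evaluate(rules, '203.0.113.5')}")
```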
            • S
              stephenw10 Netgate Administrator
              last edited by Sep 19, 2014, 7:05 PM

              Ha! Yes.
              I meant the OP of this thread but I guess there were warnings.  ;)
              To be fair to the poster of that blog it's not written as a guide, more as a log of what didn't work for their own benefit.

              Steve

              • L
                Longhair
                last edited by Dec 31, 2016, 3:05 PM

                After implementing these rules, I haven't touched the pfSense except to backup the configuration & update the release. I discovered this problem when I had a Windows laptop set for Obtain an IP address automatically and had the static IP set in Alternate Configuration instead of Use the following IP Address.

                I'm running 2.3.2 (latest version) and the Windows DHCP Server (LAN) is handing out IP addresses for devices on other subnets (OPT1 & OPT2). It is not an option to turn off the Windows DHCP Server because it breaks the server.

                If you look closely at the image, you will see that Laptop 1 is connected to WAP-1 (Laptop 2 … WAP-2) but is getting an IP address for the LAN. No DHCP Server is running on OPT1 & OPT2 because static IP addresses are given.

                When I plugged the WAPs directly into pfSense, the laptops were unable to get an IP address automatically and used the alternate configurations.

                Due to the location of pfSense, I have to run it from an unmanaged switch to another unmanaged switch. Moving things or running more cable is not an option so I need to have this fixed through the rules.

                [Attachment: pfs1.png]

                • D
                  doktornotor Banned
                  last edited by Dec 31, 2016, 3:18 PM

                  WTF?! If all you have are dumb switches, then pfSense is supposed to be connected directly to your modem. Everything else goes behind it, through the switches (one switch per interface required).

                  • L
                    Longhair
                    last edited by Dec 31, 2016, 7:08 PM

                    @doktornotor:

                    WTF?! If all you have are dumb switches, then pfSense is supposed to be connected directly to your modem. Everything else goes behind it, through the switches (one switch per interface required).

                    The modem was placed in an area which only allowed enough space for an unmanaged switch and all the cables were run to that location long before my time. If I was able to have modem --> pfsense --> switch per interface, I would be doing it that way but that is not possible.

                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by Dec 31, 2016, 10:15 PM

                      You cannot do that. You need to separate all your LAN segments into VLANs using managed dot1q-capable gear.

                      You do not need to pull more cable. VLAN tagging allows you to run multiple, isolated layer 2 networks on one cable. You do need proper, managed switches however.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Jan 1, 2017, 1:30 PM

                        So why are you just coming back to this thread from 2014??  And where exactly is pfsense in those drawings?

                        But as stated, you're running multiple layer 3 over the same layer 2 - this is BORKED!!!  You need vlan capable switches to have more than 1 network on the same switch and be isolated.


                        • S
                          stephenw10 Netgate Administrator
                          last edited by Jan 1, 2017, 4:42 PM

                          Um, yeah, you need VLANs if you can't physically move the different bits of equipment.

                          Potentially your WAPs might be able to tag traffic directly and your unmanaged switches might pass that tagged traffic which would allow you to isolate that traffic to pfSense. But that still leaves WAN and LAN in the same layer 2 which is all wrong!

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.