Netgate Discussion Forum

    "Bypass firewall rules for traffic on the same interface" versus VLANs

    Firewalling
    • B
      bmaster

      Hello,

      Our pfSense has 4 physical interfaces, one of which is, of course, the LAN interface. On this LAN interface, we defined multiple VLANs, which are in fact virtual interfaces in pfSense. In the advanced settings, we read about the setting "Bypass firewall rules for traffic on the same interface". Does this apply to virtual interfaces as well? In other words: will traffic between two VLANs (on the same physical LAN) bypass the firewall when that setting is on? Also, is a change in that setting active immediately (will a ping stop receiving replies immediately, for example)?

      A while ago, we were struggling with this… all pings between vlan1 and vlanX were allowed, even if we put a blocking firewall rule as the first rule in the chain. The "bypass" setting didn't change this... hence the question about it being active immediately...

      Thanks!
      Tom

      • DerelictD
        Derelict LAYER 8 Netgate

        No.  As far as pfSense is concerned, VLAN interfaces are separate, discrete interfaces.

        That "Bypass firewall rules" checkbox is for certain asymmetric routing situations.

        Firewall rule changes only apply to new states:

        1. Start a ping from vlan1 to vlanX

        2. Block ICMP on interface vlan1 to vlanX, Apply

        3. pings started in step one still going through

        4. Stop ping started in step 1

        5. Start a new ping. It will be blocked.

        If you want to enforce a new firewall change immediately, you need to apply the new rules then kill the old states.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

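The state behaviour Derelict walks through above, as a small added model written for this page (not pfSense code and not from either poster); addresses, rules and the prefix-match rule syntax are constructed for the demonstration:

```python
"""Toy model of the pf behaviour Derelict describes: the ruleset is only
consulted when a packet matches no existing state, so a rule change leaves
established connections alone until their states are killed."""

class StatefulFirewall:
    def __init__(self, rules):
        # rules: ordered (action, src_prefix, dst_prefix, proto); first match wins
        self.rules = list(rules)
        self.states = set()  # (src, dst, proto) entries, like pf's state table

    def lookup_rule(self, src, dst, proto):
        for action, rsrc, rdst, rproto in self.rules:
            if src.startswith(rsrc) and dst.startswith(rdst) and rproto in (proto, "any"):
                return action
        return "block"  # pfSense default deny when no rule matches

    def filter(self, src, dst, proto):
        """Return 'pass' or 'block'. A matching state bypasses the ruleset."""
        key = (src, dst, proto)
        if key in self.states:
            return "pass"
        if self.lookup_rule(src, dst, proto) == "pass":
            self.states.add(key)  # a pass rule creates a state
            return "pass"
        return "block"

    def apply_rules(self, rules):
        """Load a new ruleset; as in pfSense, the state table is untouched."""
        self.rules = list(rules)

    def kill_states(self, src=None, dst=None):
        """Kill states by host, like Diagnostics > States or pfctl -k. Returns count killed."""
        keep = {s for s in self.states
                if not ((src is None or s[0] == src) and (dst is None or s[1] == dst))}
        killed = len(self.states) - len(keep)
        self.states = keep
        return killed

def demo():
    """Derelict's five steps with constructed addresses: 10.1.0.0/16 is vlan1, 10.20.0.0/16 is vlanX."""
    fw = StatefulFirewall([("pass", "10.1.", "10.", "any")])
    ping = ("10.1.0.50", "10.20.0.5", "icmp")
    step1 = fw.filter(*ping)  # pass; state created
    # step 2: put a block rule first and apply, as the original poster did
    fw.apply_rules([("block", "10.1.", "10.20.", "icmp"), ("pass", "10.1.", "10.", "any")])
    step3 = fw.filter(*ping)  # still pass: the old state answers before the rules
    killed = fw.kill_states(src=ping[0])  # step 4: clear the state
    step5 = fw.filter(*ping)  # block: ruleset consulted again
    return step1, step3, killed, step5
```

The model explains the original poster's observation: a block rule placed first in the chain has no effect on a ping whose state already exists, which is why applying rules and then killing the affected states is what makes a change take effect immediately.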
        • B
          bmaster

          Got it, thanks for the very clear (and quick) explanation!

          • B
            bmaster

            I have another related question…

            Our setup: 2 pfSense boxes with CARP (working just fine for years).
            Now, I'm testing with VLANs: I defined VLAN 11 on the LAN interface: 10.11.1.2 (master), 10.11.1.3 (backup), 10.11.1.1 (CARP virtual IP).
            In the firewall rules, under the VLAN11 tab, I have no rules at all.
            On a client computer, which is on a vlan 11 switchport, I try a couple of pings:

            ping 10.11.1.1 -> no reply
            ping 10.11.1.2 -> no reply
            ping 10.11.1.3 -> reply

            In the firewall logging, I see that the ping to 10.11.1.2 is indeed blocked. When I create a rule to allow all traffic from VLAN 11 to everywhere, all pings work. When I look under Diagnostics -> States, I only see states for .1 and .2, not for .3.

            My conclusion: traffic for .1 and .2 (the master) is handled by the firewall, traffic for .3 (the backup) is not.

            I'm sure there is a perfectly good explanation, but I really don't see it... is there anyone who can explain it to me?

            • DerelictD
              Derelict LAYER 8 Netgate

              You'll likely get a better answer asking in a new thread in the CARP forum.


              • B
                bmaster

                I thought it was more of a firewall question than a CARP question. Maybe it's a bit of both… I'll post a message there as well!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.