Block inter vlan, allow internet and allow traffic within vlan
-
I want to achieve 3 things.
1. allow traffic between devices within the vlan
2. block inter vlan traffic.
3. allow vlan out to the internet.
The rules I created, in this order:
1. Allow all traffic from opt1 to opt1.
2. Created an alias then add a blocks rule rfc range for 192/16 172/12 10/8.
3. Allow all traffic from local vlan to *
These rules are working but the problem is that I have to create this in every vlan and that isn't a good way of managing it. Anyone got better suggestions? I tried grouping all the vlans into 1 interface group. Rules 2 and 3 work, but rule 1 only applies to a specific vlan so I can't do it.
-
You need to do some research on the OSI model. VLANs are layer 2. Routing is layer 3.
Your switching layer determines what traffic is exchanged between members of a VLAN. Your router has nothing to do with it. Your routing layer determines what traffic is passed between VLANs.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
Configuring firewall rules might initially be some work. Sorry. There might also be some work when adds, moves, or changes happen. Again, sorry. Administering a network is work. If you have specific, repeating rules across many interfaces (VLANs) you have interface groups, aliases, and floating rules at your disposal. If you present a specific problem, there might be a way to ease some of the management burden.
-
Sorry I think maybe I'm being unclear or maybe I misunderstand you.
I've followed the guide https://forum.pfsense.org/index.php?topic=66784.0
But I've changed it a bit as I want to allow traffic within the vlan.
Say I have vlan 10 and vlan 20.
vlan 10 10.20.13/24
vlan 20 10.20.112/24
They both need to get out to the internet and see the devices within the vlan, but block traffic between vlan 10 and vlan 20.
I created 3 firewall rules and an alias for the rfc1918 network on the vlan10 interface.
Rule 1, allow vlan 10 (interface) to vlan 10 (interface)
Rule 2, block * to rfc1918 network
Rule 3, allow * to * (for internet access)
The problem is, as you said, these are repeating rules and I can't do that for over 15 vlans. I can't think of a way to get around this because of rule 1. It specifies vlan 10 to vlan 10. Then when I set the rules for the next vlan20 interface, I need to allow traffic to itself first before I set a block. I hope this makes sense?
-
I can't do that for over 15 vlans.
Why? Because it's work?
Rule 1, allow vlan 10 (interface) to vlan 10 (interface)
This rule does nothing.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Not because that it is work. But I think I'm just doing it in a dumb way. There's probably a better way of doing it and that I just don't know how. Most importantly, if I ever want to change settings. That means I need to go through all those vlans and I'm bound to forget one. That's why I thought maybe using interface group / aliases, there's a way of doing it smartly.
I'm pretty sure my rule 1 works… because I tested it via disabling/enabling it.
Maybe I'm doing something else wrong? I set to allow icmp from vlan10 to vlan10. Then from my machine 10.20.13.12, I ping the vlan ip which is 10.20.13.1 and it works only when the rule is enabled.
The guide here https://calvin.me/block-traffic-vlan-pfsense/ in the section "Private No-Internet VLAN" also talks about adding a rule for the network to be able to communicate with itself.
I recall that you said I should use private vlan edge (protected ports) to isolate the vlans. I haven't had the time to look into it yet as I can't connect to my switch at the moment.
edit:
"A prime example of this is trying to keep one system on the LAN from accessing another system on the same LAN. This isn't possible if both clients are on the same subnet and switch."
This bit that you link from the documentation. They are not on the same subnet. The range I gave vlan 10 is 10.20.13/24 and the other is 10.20.112/24. I hope I'm right....
-
Not because that it is work. But I think I'm just doing it in a dumb way. There's probably a better way of doing it and that I just don't know how. Most importantly, if I ever want to change settings. That means I need to go through all those vlans and I'm bound to forget one. That's why I thought maybe using interface group / aliases, there's a way of doing it smartly.
Where the rules are identical, you can use an interface group or a floating rule. I have found that while the rules are similar, usually different interfaces require different things.
I use a floating rule for DNS access for several captive portal VLANs. It's a pain to have all the rules different so I tell all the DHCP instances to give the same two DNS servers to clients on all VLANs.
Then I have a floating rule on all the interfaces inbound that passes traffic for TCP/UDP 53 to an alias with these two DNS servers defined. When I add an interface all I have to do is edit the floating rule and cmd-click the new interface and save. Change DNS servers or add one, all I have to do is update the alias.
When I update this system to 2.2 I will make the same sort of floating, quick rules to block access to the webconfigurator on This firewall (self).
But even with that, all the interfaces have their own rules for passing traffic from its own network to the world, etc.
Note that if you have a ruleset you like, all you have to do is start at the bottom, hit the add button on the rule, change the interface to the new interface and the source network to the source network of the new interface and save.
Also if you want to block access to a bunch of other VLANs, make an alias containing all the networks and block access to the alias. It doesn't matter if the alias includes the source network. It won't ever match anyway.
I'm pretty sure my rule 1 works… because I tested it via disabling/enabling it.
Maybe I'm doing something else wrong? I set to allow icmp from vlan10 to vlan10. Then from my machine 10.20.13.12, I ping the vlan ip which is 10.20.13.1 and it works only when the rule is enabled.
Big difference between accessing the pfSense interface and other hosts on the same subnet. Traffic to the interface itself is subject to the rules on that interface. Traffic to other hosts on the subnet is not. You would see exactly the same behavior if you replaced:
pass any source VLAN10 Net dest VLAN10 Address any
The guide here https://calvin.me/block-traffic-vlan-pfsense/ in the section "Private No-Internet VLAN" also talks about adding a rule for the network to be able to communicate with itself.
I recall that you said I should use private vlan edge (protected ports) to isolate the vlans. I haven't had the time to look into it yet as I can't connect to my switch at the moment.
edit:
"A prime example of this is trying to keep one system on the LAN from accessing another system on the same LAN. This isn't possible if both clients are on the same subnet and switch."
pvlan edge is used to prevent hosts on the SAME VLAN from being able to communicate directly, while allowing everyone to access resources such as the gateway, DNS servers, etc.
This bit that you link from the documentation. They are not on the same subnet. The range I gave vlan 10 is 10.20.13/24 and the other is 10.20.112/24. I hope I'm right….
-
Also if you want to block access to a bunch of other VLANs, make an alias containing all the networks and block access to the alias. It doesn't matter if the alias includes the source network. It won't ever match anyway.
Big difference between accessing the pfSense interface and other hosts on the same subnet. Traffic to the interface itself is subject to the rules on that interface. Traffic to other hosts on the subnet is not. You would see exactly the same behavior if you replaced:
pass any source VLAN10 Net dest VLAN10 Address any
Correct me if I'm wrong, are you saying that hosts on the same vlan and switch are layer 2? The traffic won't ever get to pfsense, thus the firewall rules don't apply. Whereas inter vlan is layer 3, and say a host from one vlan accesses a different vlan. It goes through pfsense as it is layer 3, so the firewall rules apply here?
-
Correct me if I'm wrong, are you saying that hosts on the same vlan and switch are layer 2? The traffic won't ever get to pfsense, thus the firewall rules don't apply. Whereas inter vlan is layer 3, and say a host from one vlan accesses a different vlan. It goes through pfsense as it is layer 3, so the firewall rules apply here?
Provided pfSense has interfaces on the VLANs in question and the hosts on the VLANs are set to use the pfSense interfaces as their default gateways, yes. Exactly.
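The two points made above (floating rules and the RFC1918 alias in the earlier reply, and the layer 2 / layer 3 confirmation just here) can be checked with a small first-match evaluator. This is an added illustration written for this thread, not pfSense code and not anything posted by the participants. It assumes the addressing from the thread with pfSense holding .1 on each VLAN, a DNS_SERVERS alias pointing at those two addresses (the "same two DNS servers on every VLAN" setup described above), the pfSense evaluation order of floating rules, then interface group rules, then the interface tab, and treats every rule as "quick" (first match wins). Same-subnet host-to-host traffic is returned as "switched" because it is forwarded by the switch at layer 2 and never reaches the firewall.

```python
"""First-match evaluator for a pfSense-style ruleset (added illustration,
not pfSense code). It models three things the thread turns on:
 1. traffic between hosts on one VLAN is switched at layer 2 and never
    reaches the firewall, so no rule can match it;
 2. traffic to the interface address itself IS evaluated on that interface;
 3. evaluation order is floating -> interface group -> interface tab,
    first match wins (every rule here is treated as "quick")."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan from the thread; pfSense holds .1 on each VLAN.
INTERFACES = {
    "VLAN10": ipaddress.ip_network("10.20.13.0/24"),
    "VLAN20": ipaddress.ip_network("10.20.112.0/24"),
}
INTERFACE_ADDRESS = {name: net[1] for name, net in INTERFACES.items()}

# Aliases as they would be defined under Firewall > Aliases (constructed).
ALIASES = {
    "any": [ipaddress.ip_network("0.0.0.0/0")],
    "RFC1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    # the two resolvers handed out by every DHCP scope (here: pfSense itself)
    "DNS_SERVERS": [ipaddress.ip_network(f"{a}/32")
                    for a in INTERFACE_ADDRESS.values()],
}
# Built-in "<IF> net" / "<IF> address" macros.
for name, net in INTERFACES.items():
    ALIASES[f"{name} net"] = [net]
    ALIASES[f"{name} address"] = [ipaddress.ip_network(f"{INTERFACE_ADDRESS[name]}/32")]


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name
    dst: str                     # alias name
    proto: Optional[str] = None  # None = any protocol
    port: Optional[int] = None   # destination port, None = any


# Floating: DNS to the resolvers, applied to all interfaces (constructed).
FLOATING = [
    Rule("pass", "any", "DNS_SERVERS", "udp", 53),
    Rule("pass", "any", "DNS_SERVERS", "tcp", 53),
]
# Interface group containing every VLAN: block other private nets, then pass.
GROUP_RULES = [
    Rule("block", "any", "RFC1918"),
    Rule("pass", "any", "any"),
]
# Per-interface tab: the "rule 1" from the thread, only on VLAN10.
INTERFACE_RULES = {
    "VLAN10": [Rule("pass", "VLAN10 net", "VLAN10 net")],
    "VLAN20": [],
}


def _in_alias(addr, alias: str) -> bool:
    return any(addr in net for net in ALIASES[alias])


def _matches(rule: Rule, src, dst, proto: str, port: Optional[int]) -> bool:
    if not (_in_alias(src, rule.src) and _in_alias(dst, rule.dst)):
        return False
    if rule.proto is not None and rule.proto != proto.lower():
        return False
    return rule.port is None or rule.port == port


def evaluate(src_ip: str, dst_ip: str, proto: str, port: Optional[int] = None) -> str:
    """Return 'switched', '<action>:<ruleset>[<index>]', or 'block:default'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = next((n for n, net in INTERFACES.items() if src in net), None)
    if ingress is None:
        raise ValueError(f"{src} is not on any VLAN we route for")
    # Same subnet and not the firewall's own address: the switch forwards it
    # at layer 2 and pfSense never sees the packet, so no rule applies.
    if dst in INTERFACES[ingress] and dst != INTERFACE_ADDRESS[ingress]:
        return "switched"
    for name, rules in (("floating", FLOATING), ("group", GROUP_RULES),
                        (ingress, INTERFACE_RULES[ingress])):
        for i, rule in enumerate(rules):
            if _matches(rule, src, dst, proto, port):
                return f"{rule.action}:{name}[{i}]"
    return "block:default"  # pfSense's implicit deny


if __name__ == "__main__":
    for flow in (("10.20.13.12", "10.20.13.50", "tcp", 445),
                 ("10.20.13.12", "10.20.112.7", "tcp", 445),
                 ("10.20.13.12", "8.8.8.8", "tcp", 443),
                 ("10.20.13.12", "10.20.13.1", "udp", 53),
                 ("10.20.13.12", "10.20.13.1", "icmp", None)):
        print(flow, "->", evaluate(*flow))
```

Running it shows the behaviour described in the replies: a host pinging a neighbour on its own VLAN is "switched" and the RFC1918 block never sees it, even though 10.0.0.0/8 contains the source network; traffic to another VLAN is stopped by the group's block rule; Internet traffic passes on the group's final pass rule. It also shows why a per-interface "VLAN10 net to VLAN10 net" rule stops mattering once the VLANs are in a group: with the group rules above, ICMP to the interface address 10.20.13.1 is caught by the group block before the interface tab is ever consulted, while DNS to the same address still passes because the floating rule is evaluated first. Anything else that must reach the interface address from inside the VLAN has to be allowed ahead of the block in the same way.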
-
Say I have vlan 10 and vlan 20.
vlan 10 10.20.13/24
vlan 20 10.20.112/24
Those are the same network - those would not be different vlans.
-
vlan 10 10.20.13/24
vlan 20 10.20.112/24
I initially made the same mistake when I first looked at those but it's good.
vlan 10 - 10.20.13.0/24
vlan 20 - 10.20.112.0/24
-
You're right - my bad.. the octet is 13 and 112, not the 20 ;) Thanks for pointing that out.
I use the same shorthand sometimes and leave off the last octet, but I was thinking of 13 and 112 as the host (last octet), so move over 1 to see the /24 and those were the same. I am going to stop using that shorthand - it can be easy to miss without seeing all 4 octets. Going to use .x if it's a host and the proper .0 if talking about the wire of a /24.
-
Sorry it's me being unclear. I was just lazy and missed out the last octet.
But good news is I tested my setup and it is now all working.
I had a bit of an issue running a pfsense lab in virtualbox testing out NATing. Turns out it was the gateway not being set within virtualbox. But apart from that all is good!