Netgate Discussion Forum
    Having trouble with semi complex firewall rules

    Firewalling
    bobfatherx

      I'm hoping someone can help me figure out the correct rule to get this sorted:

      My network is composed of the default subnet and VLAN 10, which has my Blue Iris video surveillance server on it, as well as all the IP video cams.

      Default subnet can talk to VLAN 10, but VLAN 10 cannot see any machine on default subnet. This is intentional.

      I would like to allow any device on VLAN 10 to communicate using NTP to automatically set time, and I would like 1 host on VLAN 10 to have unrestricted outbound access to the WAN. Otherwise, I want all traffic from VLAN 10 to the WAN blocked (except for NTP and the single host, of course).

      I can easily block traffic from VLAN 10 to the WAN, but I can't figure out how to then allow NTP traffic through, and to allow the single host through. What am I doing wrong?

      Edit: for context, the single host is the computer running Blue Iris. It is exposed to the internet for part of the day on a schedule, so remote viewing can take place. I want that server on its own VLAN in case it gets owned, so it can't talk to pfSense or any other computers. I then want to block all access but NTP for the IP cams, since they may try to phone home to China. Or block WAN access in case they get owned and roped into a botnet.

      KOM

        Firewall rules are applied on the interface that the traffic initially enters.  You need to add a pass rule above your block rule on the VLAN10 tab under Firewall Rules that allows NTP for the specified host.

        bobfatherx
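The ordering KOM describes, written out as a pf ruleset fragment for the VLAN 10 interface. This is an added example and not configuration from either poster; the interface name and all addresses are assumptions chosen for illustration. pfSense evaluates the rules on an interface tab top-down with first match winning, which is what the `quick` keyword gives plain pf here.

```pf
# Added example (not from the thread). Interface name and addresses are assumed.
vlan10_if  = "igb0.10"          # assumed VLAN 10 interface
vlan10_net = "192.168.10.0/24"  # assumed VLAN 10 subnet (cameras and Blue Iris)
lan_net    = "192.168.1.0/24"   # assumed default/LAN subnet
bi_host    = "192.168.10.50"    # assumed Blue Iris server address

# 1. Keep VLAN 10 isolated from the default subnet. This sits first so that it
#    also covers the Blue Iris host and the NTP rule below.
block in quick on $vlan10_if from $vlan10_net to $lan_net

# 2. Allow NTP (UDP/123) outbound from any VLAN 10 device.
pass in quick on $vlan10_if proto udp from $vlan10_net to any port 123 keep state

# 3. Allow the single Blue Iris host unrestricted outbound access.
pass in quick on $vlan10_if from $bi_host to any keep state

# 4. Drop everything else from VLAN 10. Placed last so the pass rules above
#    are matched first; placed above them it would shadow them.
block in quick on $vlan10_if from $vlan10_net to any
```

In the pfSense GUI the equivalent is four rules on the VLAN10 tab in exactly this order. Two things to check when testing: pf is stateful, so a connection that was already allowed keeps its state after the rules change and a newly added block rule will not appear to work for that flow until the state expires or is cleared (Diagnostics > States in pfSense); and this fragment does not block traffic to pfSense's own VLAN 10 address, which the original post also wanted, so a separate block rule for that address would be needed.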

          @KOM:

          Firewall rules are applied on the interface that the traffic initially enters.  You need to add a pass rule above your block rule on the VLAN10 tab under Firewall Rules that allows NTP for the specified host.

          Thanks, I got it figured out. I think part of the problem was that I was assuming the firewall rules were being reloaded quicker than they actually were, so in my testing I wasn't being patient enough for the proper changes to propagate.

          I went through rule by rule and used logic, as you suggested I did, and it all works fine. Thank you!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.