Allow subnet A to initiate connections to subnet B, but not the other way around
-
Sure. Don't pass connections to LAN on the Public VMs interface.
-
Post up your public VMs interface firewall rules on pfSense, and your LAN rules, and we can discuss. But as Derelict stated already, it's a simple rule on the publicVM rules to block them from starting conversations with the LAN network. If you allow LAN to talk to the publicVMs network on the LAN rules, or have an ANY rule, then they would be able to start conversations with the devices on that network and either upload or download stuff, etc.
-
Your first rule under LAN is unnecessary since the rules below it will pass all traffic to anywhere.
-
Also, your blocking access to the firewall will prevent them from using pfSense as DNS. Are your public VMs pointing to something else for DNS?
On my more restrictive VLANs, I normally allow access to ping the pfSense interface for a simple connectivity check, and allow DNS to the pfSense interface in that VLAN to allow them to use pfSense as DNS. Then the block all to "This Firewall" rule.
Your rules are fine if you really don't want those VMs to even be able to ping or use pfSense as DNS.
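The rule set described in this answer, modelled as an added example (not code from the thread or from pfSense): rules are evaluated on the interface the packet enters, first match wins, and a pass creates state so replies flow back without any rule on the other interface. The subnets, the pfSense interface addresses and the interface names are assumptions.

```python
from collections import namedtuple
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing, not from the thread
LAN_NET = ip_network("192.168.1.0/24")
LAN_ADDR = ip_address("192.168.1.1")      # pfSense address on LAN
PUBVM_ADDR = ip_address("192.168.50.1")   # pfSense address on PublicVMs
THIS_FW = {LAN_ADDR, PUBVM_ADDR}          # the "This Firewall" alias

# proto is "tcp", "udp" or "icmp"; dport is None for icmp
Flow = namedtuple("Flow", "proto src dst dport")

# (action, proto, destination, dport), evaluated top to bottom on the
# interface the packet enters; first match wins.
RULES = {
    "PublicVMs": [
        ("pass", "icmp", PUBVM_ADDR, None),       # ping this interface
        ("pass", "udp", PUBVM_ADDR, 53),          # use pfSense as DNS
        ("block", "any", "this_firewall", None),  # nothing else to pfSense
        ("block", "any", LAN_NET, None),          # cannot start talks to LAN
        ("pass", "any", "any", None),             # rest (internet) is fine
    ],
    "LAN": [("pass", "any", "any", None)],        # LAN may start anything
}

def _dst_match(spec, dst):
    if spec == "any":
        return True
    if spec == "this_firewall":
        return dst in THIS_FW
    return dst in spec if isinstance(spec, IPv4Network) else dst == spec

class Firewall:
    """Stateful first-match evaluation on the ingress interface."""
    def __init__(self):
        self.state = set()

    def ingress(self, iface, flow):
        """Decide a packet that opens a new connection entering iface."""
        for action, proto, dst, dport in RULES[iface]:
            if (proto in ("any", flow.proto) and _dst_match(dst, flow.dst)
                    and dport in (None, flow.dport)):
                if action == "pass":
                    self.state.add(flow)   # pass creates state for replies
                return action
        return "block"                     # pfSense implicit default deny

    def reply_allowed(self, flow):
        """Reply traffic matches existing state; no rule on the other side."""
        return flow in self.state
```

Note that the ICMP and DNS rules name the PublicVMs interface address, not "This Firewall": that alias covers every pfSense address, so a pass to it would also let the VMs reach the LAN-side address.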
-
"I usually just put Google DNS in resolver.conf of all my servers."
Why not point to pfSense? It would be running a resolver out of the box. So now you get the advantage of DNSSEC... And your local devices could resolve themselves by name, and you would have a local cache that all your machines could use.
This way device 1 looks up www.domain.tld; when device 2 goes to look it up a few minutes/seconds later, it doesn't have to go out to the public Google DNS again to find the info. It's cached locally on pfSense.
-