Default VLAN behaviour

rbrouwer · Sep 6, 2018, 6:59 AM

I'm a little confused with this one point.

If I create a new VLAN interface in pfsense, as I understand it, all traffic is blocked on that interface unless I create firewall rules.

So I would assume that if a node on that VLAN interface tried to connect to the LAN (or indeed any other subnet) that traffic should be blocked by default ?

Or do I need an explicit block firewall rule to the LAN from that VLAN as because it's all on the one physical switch, so regardless of being on seperate subnets, nodes can communicate with each other without going thru the pfsense firewall. If this is the case, I would then assume that networks on different seperate physical switches that all individually connect to the pfsense firewall on seperate NICS would be isolated by default as the traffic needs to pass thru the firewall (and is blocked by default)

Appreciate any thoughts on this.

JeGr · Sep 6, 2018, 1:08 PM

If I create a new VLAN interface in pfsense, as I understand it, all traffic is blocked on that interface unless I create firewall rules.

Indeed, you are correct. Every new interface besides LAN has no default rules and therefore the "deny all" policy is enforced.

So I would assume that if a node on that VLAN interface tried to connect to the LAN (or indeed any other subnet) that traffic should be blocked by default ?

If your VLAN configuration is correct on the L2 / Switch Level, than that is correct, too.

so regardless of being on seperate subnets, nodes can communicate with each other without going thru the pfsense firewall.

No node/host can communicate with each other "regardless" in two seperate VLANs. As mentioned above: if your L2 config on switching level is correct (e.g. you have one node configured in VLAN10 and another in VLAN20 and pfSense configured accordingly) without rules on the newly created VLAN (e.g. VLAN20) interface, no node on that IF can talk to anything as "block log all" is the default policy. Besides that, if you don't restrict the original LAN rules (pass any defaults), the LAN/other VLAN can talk to those nodes on the new VLAN so you'd have to enforce rules to block that.

Greets

rbrouwer · Sep 6, 2018, 11:12 PM

Thanks for your very helpful reply.

I guess the crux of my question is why do people need explicit rules on each VLAN interface to block traffic to other subnets (usually the LAN) if this is what happens by default ?

heper · Sep 7, 2018, 10:43 AM

@rbrouwer

because you generally set an "allow all" rule at the bottom & put block rules above them.

JeGr · Sep 7, 2018, 12:55 PM

@rbrouwer said in Default VLAN behaviour:

VLAN interface to block traffic to other subnets (usually the LAN) if this is what happens by default ?

Because of what I wrote above:

Default if NO rules are defined on an interface tab: block log any
If you want to allow traffic to the internet from said interface tab, you have to allow traffic to any IP that is no private IP or otherwise used by your other interfaces

So the normal way with multiple VLANs that you don't want to have any interaction with (say VLAN100 and VLAN200) is to make a block rule with e.g. all RFC1918 networks first, then add an any to any allow rule below. That would efficiently block any access to other private networks in both VLANs but allow unrestricted web usage.

Hope that makes sense without any screenshots supplied ;)

Derelict · Sep 8, 2018, 8:24 PM

To the firewall, an untagged interface and a VLAN interface are the same thing. The both need firewall rules to block or pass traffic into that interface (physical/untagged or virtual/tagged).