Netgate Discussion Forum

Default VLAN behaviour

Category: L2/Switching/VLANs
6 Posts 4 Posters 1.1k Views
rbrouwer (Sep 6, 2018, 6:59 AM):

    I'm a little confused with this one point.

    If I create a new VLAN interface in pfsense, as I understand it, all traffic is blocked on that interface unless I create firewall rules.

    So I would assume that if a node on that VLAN interface tried to connect to the LAN (or indeed any other subnet) that traffic should be blocked by default?

    Or do I need an explicit block firewall rule to the LAN from that VLAN because it's all on the one physical switch, so regardless of being on separate subnets, nodes can communicate with each other without going through the pfSense firewall? If this is the case, I would then assume that networks on different separate physical switches that all individually connect to the pfSense firewall on separate NICs would be isolated by default, as the traffic needs to pass through the firewall (and is blocked by default).

    Appreciate any thoughts on this.

JeGr, LAYER 8 Moderator (Sep 6, 2018, 1:08 PM):

      > If I create a new VLAN interface in pfsense, as I understand it, all traffic is blocked on that interface unless I create firewall rules.

      Indeed, you are correct. Every new interface besides LAN has no default rules and therefore the "deny all" policy is enforced.

      > So I would assume that if a node on that VLAN interface tried to connect to the LAN (or indeed any other subnet) that traffic should be blocked by default?

      If your VLAN configuration is correct on the L2 / switch level, then that is correct, too.

      > so regardless of being on separate subnets, nodes can communicate with each other without going through the pfSense firewall.

      No node/host can communicate with each other "regardless" in two separate VLANs. As mentioned above: if your L2 config on the switching level is correct (e.g. you have one node configured in VLAN10 and another in VLAN20 and pfSense configured accordingly), then without rules on the newly created VLAN (e.g. VLAN20) interface, no node on that IF can talk to anything, as "block log all" is the default policy. Besides that, if you don't restrict the original LAN rules (pass any defaults), the LAN/other VLAN can talk to those nodes on the new VLAN, so you'd have to enforce rules to block that.

      Greets

rbrouwer (Sep 6, 2018, 11:12 PM):

        Thanks for your very helpful reply.

        I guess the crux of my question is: why do people need explicit rules on each VLAN interface to block traffic to other subnets (usually the LAN) if this is what happens by default?

heper @rbrouwer (Sep 7, 2018, 10:43 AM):

          @rbrouwer

          Because you generally set an "allow all" rule at the bottom and put block rules above it.

JeGr, LAYER 8 Moderator (Sep 7, 2018, 12:55 PM):

            @rbrouwer said in Default VLAN behaviour:

            > VLAN interface to block traffic to other subnets (usually the LAN) if this is what happens by default ?

            Because of what I wrote above:

            1. Default, if NO rules are defined on an interface tab: block log any
            2. If you want to allow traffic to the internet from said interface tab, you have to allow traffic to any IP that is not a private IP or otherwise used by your other interfaces

            So the normal way with multiple VLANs that you don't want to have any interaction with (say VLAN100 and VLAN200) is to make a block rule with e.g. all RFC1918 networks first, then add an any to any allow rule below. That would efficiently block any access to other private networks in both VLANs but allow unrestricted web usage.

            Hope that makes sense without any screenshots supplied ;)

Derelict, LAYER 8 Netgate (Sep 8, 2018, 8:24 PM):
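The behaviour JeGr describes in both replies (an interface tab with no rules falls through to the implicit block, LAN's default "allow LAN to any" still reaches the new VLAN, and the "block RFC1918 first, then allow any" ordering on the VLAN tab) as an added Python model. This is example code written for this page, not pfSense code and not anything posted in the thread. pfSense installs every interface-tab rule as a pf "quick" rule, so evaluation is top-down and the first match wins; the interface names, subnets and addresses below are assumptions for illustration.

```python
"""Toy model of pfSense per-interface rule evaluation (added example, not pfSense code).

Rules on an interface tab apply to new connections *entering* that interface.
They are evaluated top-down, first match wins, and if nothing matches the
implicit "block log all" applies.  Replies belong to an existing state and are
never re-evaluated, which is why only the initiating direction needs a rule.
Interface names, subnets and addresses are assumed for the example.
"""
import ipaddress
from dataclasses import dataclass


def net(cidr: str):
    return ipaddress.ip_network(cidr)


# Equivalent of the "RFC1918" alias people create in the pfSense GUI.
RFC1918 = (net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: tuple = ()      # source networks; empty tuple means "any"
    dst: tuple = ()      # destination networks; empty tuple means "any"
    comment: str = ""


def _hit(nets, addr) -> bool:
    """A rule field with no networks listed matches any address."""
    return not nets or any(addr in n for n in nets)


def evaluate(rules, src: str, dst: str):
    """Return (action, matching Rule or None) for a new flow src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _hit(rule.src, s) and _hit(rule.dst, d):
            return rule.action, rule          # first match wins ("quick")
    return "block", None                      # implicit default: block log all


# Assumed topology: LAN 192.168.1.0/24 (gateway .1), VLAN100 10.0.100.0/24
# (gateway 10.0.100.1), VLAN200 10.0.200.0/24.
POLICY = {
    # pfSense ships LAN with the "Default allow LAN to any" rule.
    "LAN": [Rule("pass", (net("192.168.1.0/24"),), (), "Default allow LAN to any")],
    # The pattern from the thread: block private ranges, then allow the rest.
    # The first rule keeps DNS/DHCP to the firewall's own VLAN address working,
    # which the RFC1918 block would otherwise cut off.
    "VLAN100": [
        Rule("pass", (), (net("10.0.100.1/32"),), "Allow to this interface's address"),
        Rule("block", (), RFC1918, "Block RFC1918"),
        Rule("pass", (), (), "Allow VLAN100 to any (internet)"),
    ],
    # A freshly created VLAN interface: nothing on its tab yet.
    "VLAN200": [],
}


def decide(interface: str, src: str, dst: str) -> str:
    """Action taken for a new flow entering `interface` from src to dst."""
    action, _ = evaluate(POLICY[interface], src, dst)
    return action


def reorder_mistake(src: str, dst: str) -> str:
    """VLAN100's rules with 'allow any' placed ABOVE the RFC1918 block:
    first match wins, so the block never fires and the LAN is reachable."""
    rules = [POLICY["VLAN100"][2], POLICY["VLAN100"][1]]
    return evaluate(rules, src, dst)[0]


if __name__ == "__main__":
    cases = [
        ("VLAN200", "10.0.200.5", "192.168.1.10"),   # no rules: blocked
        ("VLAN200", "10.0.200.5", "8.8.8.8"),        # no rules: no internet either
        ("VLAN100", "10.0.100.5", "192.168.1.10"),   # RFC1918 block
        ("VLAN100", "10.0.100.5", "10.0.100.1"),     # firewall's own address
        ("VLAN100", "10.0.100.5", "8.8.8.8"),        # allowed out
        ("LAN", "192.168.1.10", "10.0.200.5"),       # LAN default still reaches VLAN200
    ]
    for iface, s, d in cases:
        action, rule = evaluate(POLICY[iface], s, d)
        print(f"{iface:8} {s:>14} -> {d:<14} {action:5} ({rule.comment if rule else 'default'})")
    print("reordered VLAN100:", reorder_mistake("10.0.100.5", "192.168.1.10"))
```

Two things the model makes visible that the prose only states: a VLAN tab with no rules blocks internet access as well as LAN access, and the LAN tab's default pass rule still lets LAN hosts initiate connections into the new VLAN, so isolation in that direction needs a rule on the LAN tab (or a floating rule), not on the VLAN tab. The model ignores protocols, ports and the "This Firewall" alias; on a real box the rule allowing traffic to the interface address would normally be limited to DNS and DHCP.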

              To the firewall, an untagged interface and a VLAN interface are the same thing. They both need firewall rules to block or pass traffic into that interface (physical/untagged or virtual/tagged).
