Netgate Discussion Forum
    Help understanding filtering vlan traffic, and best practices

    Category: pfBlockerNG (5 posts, 3 posters, 803 views)
    mich04:

      Hello,
      I was reintroducing pfBlockerNG into my network and noticed that with VLANs it blocks all traffic regardless of which virtual interface I select. I use a NAT port forward to redirect each VLAN's DNS traffic to the virtual interface's IP address to force users to use pfSense's local DNS resolver. My firewall rules are set up in such a way that traffic from each interface should not leak into the other. An example would be if I tried to SSH from VLAN 1 to VLAN 2, VLAN 2 would block traffic out. Is anyone else filtering DNS VLAN traffic, and what is the best practice? I have a network switch that connects to the single Ethernet port on the pfSense box.


    Derelict (Netgate):

        A VLAN interface is just like any other interface as far as pfSense and the packages are concerned.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)


    mich04:

      When I enable pfBlockerNG, the listening interface is set to VLAN 1 and the outbound interface is set to VLAN 2. Traffic on VLAN 2 is being blocked by pfBlockerNG. I do not have any floating rules. I am trying to figure out why VLAN 2 traffic is being filtered.


    BBcan177 (Moderator), replying to @mich04:

            @mich04 said in Help understanding filtering vlan traffic, and best practices:

            When I enable pfBlockerNG the listening interface is set to VLAN 1 and the outbound interface is set to VLAN 2

            I think you may be mixing up IP and DNSBL.

            IP works on Firewall Rules, and DNSBL works on DNS.

            You can configure the IP rules to specific interfaces, but for DNSBL you have to use a different DNS Server for vlans that you don't want filtered via DNSBL.

            Alternatively, you can use the Unbound Views option, but that will require some manual intervention:
            https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/


    mich04 (last edited by mich04):
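To make the "Unbound views" alternative concrete, here is an added example of the kind of snippet the linked topic refers to; it is not from this thread, from the pfBlockerNG project, or from BBcan177. It assumes pfSense's DNS Resolver custom options accept a plain Unbound config fragment, and the subnet 192.168.2.0/24 is a constructed placeholder for the VLAN whose clients should bypass DNSBL. DNSBL works by injecting local-zone/local-data entries into the global server configuration; a view with view-first set to no does not consult those global entries, so clients mapped to that view resolve normally while every other interface keeps being filtered.

```conf
# Added example, not pfBlockerNG's own configuration.
# 192.168.2.0/24 is a constructed placeholder for the VLAN that should
# NOT be filtered by DNSBL. Clients on it must already be permitted by
# an access-control allow entry (pfSense adds one per resolver interface).
server:
  # Send queries from this VLAN through the "nodnsbl" view instead of
  # the global local-zone set that DNSBL populates.
  access-control-view: 192.168.2.0/24 nodnsbl

view:
  name: "nodnsbl"
  # no = do not fall back to the global local-zone/local-data entries,
  # which is exactly where DNSBL's sinkholed domains live. With no
  # local zones defined in this view, queries go to normal recursion.
  view-first: no
```

A quick check after applying it: from a host on the bypass VLAN, query the resolver for a domain you know is on a DNSBL feed and confirm you get its real address; from the LAN, the same query should still return the DNSBL sinkhole address. Whether pfBlockerNG's periodic config regeneration preserves custom options is something to verify on your own install; this example assumes it does.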

      Got ya, so even if you change the listening interface under the DNSBL tab from LAN to one of the VLANs it doesn't matter, because as long as pfSense is resolving all DNS queries they will be filtered. Thanks for the info.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.