Netgate Discussion Forum

    Can I make VLAN interfaces not to listen to SSH and HTTPS

    General pfSense Questions
    3 Posts, 3 Posters, 240 Views
    • ChrisT

      Hi all, maybe my question is stupid, but I'll make it because I feel stuck. I have a pfSense with several internal VLANs. Each of these VLANs has of course a VLAN interface. One of these VLANs is the IT VLAN, which has access to everywhere (in the fw rules I have an allow IT VLAN to any for this VLAN).

      From my computer which belongs to IT VLAN, if I try to access the IP address of all of the VLAN interfaces, I see that I can access all of them. But I only want to be able to access my fw from a specific VLAN interface (VLAN 100 - with IP address 10.55.100.1). Do I do this by setting deny rules for these VLAN interfaces, or is there any option to make VLAN interfaces stop listening to HTTPS and SSH?

      Thanks in advance!

      • kiokoman (LAYER 8)

        Disable the webConfigurator anti-lockout rule.
        Set deny rules on the VLAN interfaces to the firewall IP with destination port https / ssh.
        Be careful not to shut yourself out completely.


        • jimp (Rebel Alliance Developer, Netgate)

          While you can't yet change which interfaces the GUI and SSH listen on, you could set up some floating rules to make this easier, something like:

          • Pass quick TCP from <your management subnets> to This firewall (self) ports <alias with 443, 22, etc>
          • Reject quick TCP from any to This firewall (self) ports <alias with 443, 22, etc>

          The "This firewall (self)" target expands internally in pf to any address on the firewall.


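The two floating rules jimp describes, modelled as an added example (Python written for this page, not code from anyone in this thread and not pfSense code). It shows why the pass rule must sit above the reject rule when both are "quick" (first match wins), and why a destination of "This firewall (self)" covers every VLAN interface address at once. The interface addresses, the 10.55.100.0/24 management subnet and the sample flows are all constructed for the illustration; only quick floating rules aimed at the firewall itself are modelled, so interface rules, the anti-lockout rule and state tracking are out of scope.

```python
"""First-match ("quick") model of two floating rules targeting the firewall itself.

Added example, not code from this thread or from pfSense. All addresses are
constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed: every address the firewall holds. In pfSense "This firewall
# (self)" expands to all of them, so one pair of floating rules covers each
# VLAN interface, including ones added later.
FIREWALL_SELF = {
    "LAN": ip_address("10.55.1.1"),
    "VLAN100": ip_address("10.55.100.1"),   # management VLAN from the question
    "VLAN200": ip_address("10.55.200.1"),
    "VLAN250": ip_address("10.55.250.1"),
}

MGMT_PORTS = frozenset({22, 443})                   # the "alias with 443, 22"
MGMT_SUBNETS = (ip_network("10.55.100.0/24"),)      # constructed: IT VLAN


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "reject"
    src: Optional[Tuple]        # source networks; None means "any"
    dst_self: bool              # True: destination is "This firewall (self)"
    ports: frozenset            # TCP destination ports

    def matches(self, src, dst, dport):
        if self.src is not None and not any(src in net for net in self.src):
            return False
        if self.dst_self and dst not in FIREWALL_SELF.values():
            return False
        return dport in self.ports


def evaluate(rules, src, dst, dport):
    """Return the action of the first matching quick rule, or None when no
    floating rule matches (the per-interface rules then decide)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return None


# The order jimp gives: pass for management first, then reject everyone else.
RECOMMENDED = (
    Rule("pass", MGMT_SUBNETS, True, MGMT_PORTS),
    Rule("reject", None, True, MGMT_PORTS),
)

# The same two rules reversed. With quick rules the reject now wins for every
# source, management included: the lock-out kiokoman warns about.
WRONG_ORDER = tuple(reversed(RECOMMENDED))


def management_locked_out(rules, mgmt_host):
    """True if mgmt_host is rejected on any firewall address and management port."""
    return any(
        evaluate(rules, mgmt_host, addr, port) == "reject"
        for addr in FIREWALL_SELF.values()
        for port in MGMT_PORTS
    )


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, port).
    samples = [
        ("10.55.100.50", "10.55.200.1", 443),   # IT host -> VLAN200 address: pass
        ("10.55.200.50", "10.55.200.1", 22),    # VLAN200 host -> own gateway: reject
        ("10.55.200.50", "10.55.200.1", 80),    # not a management port: None
        ("10.55.200.50", "192.0.2.10", 443),    # transit, not self: None
    ]
    for src, dst, port in samples:
        print(f"{src} -> {dst}:{port}: {evaluate(RECOMMENDED, src, dst, port)}")
    print("recommended order locks out mgmt:",
          management_locked_out(RECOMMENDED, "10.55.100.50"))
    print("reversed order locks out mgmt:",
          management_locked_out(WRONG_ORDER, "10.55.100.50"))
```

Run it as a script to see the four sample flows decided by the recommended order, then the lock-out check for both orders. Note that traffic to non-management ports and transit traffic fall through to None, which is the point of scoping both rules to the management port alias: the floating pair changes nothing except who may reach the firewall's own SSH and HTTPS.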
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.