VLAN Firewall Rule

  • I set up 2 ports on a netgear switch for VLAN

    VLAN 10 =
    VLAN 20 =

    I can ping from devices between 10 and 20 and I want them segregated.  Attached is my VLAN 10 firewall rule which allows all traffic.  VLAN20 is the same.  What do I need to do?  I'm very new at this kind of thing.  Had pfSense for 3 days now.

    I know I need to be more restrictive but not sure how.

    ![Screen Shot 2016-07-11 at 6.26.47 AM.png](/public/imported_attachments/1/Screen Shot 2016-07-11 at 6.26.47 AM.png)

  • LAYER 8 Global Moderator

    If you do not want vlan 10 to talk to vlan 20, then put in a rule with source vlan 10 network to dest vlan 20 network, action block, on your vlan 10 interface.  Put the rule at the top.  On the vlan 20 interface do the opposite.

  • Thanks I'll try that after work again.

    Just to be clear, do I need to select VLAN10 net in the drop down or do I need to specify the range:

    Source = to Destination and then the opposite for the other VLAN?

    I tried VLAN10 net to VLAN20 net earlier (and 20 to 10 on the other VLAN) and it still seemed to pass traffic.  I figure I did the rule wrong.  Again I'm brand new and shiny at this.

  • LAYER 8 Global Moderator

    On your vlan interface, the source would be whatever that network is, whatever you called that vlan.  If you called it vlan 10 then it would be that as your source.  Your dest would be the other vlan's network.

    If you want to call out the specific source network with a cidr sure you could do that.  But kind of pointless when pfsense already knows what that range is.

    Keep in mind rules are top down, first rule to trigger wins, so if you had an any any rule and your block below that then no, it would never work.  Also keep in mind, if you created a connection and then created the rule, the state was probably still there and would allow the traffic.  Once you create a block rule you would have to make sure you flush any states that might be active that would circumvent that rule.

    Since you only have the 2 networks (vlans) I would just use the vlan net for source and dest.  You can use cidr if you want to get more specific with your rule and say only allow or block a specific subnet of addresses in your vlan.  Or you can use cidr or alias in your dest to block more access.  So for example here is my dtv vlan rules - see attached.

    So I allow that vlan to ping the pfsense IP address in that vlan.  I then actually reject any other access to any other pfsense IP, be it on another vlan or its wan IP.  I have an allow that says hey, you going to anything other than rfc1918, sure you're allowed.  That is a ! (not) rule with an alias containing the rfc1918 space, i.e. 192.168/16, 10/8 and 172.16/12, so that rule says hey, you NOT going to rfc1918, you're allowed.  So this allows access to the internet, but any other of my network segments, be they other vlans or native untagged networks, would not trigger that rule and would then fall to the default block rule.

  • Thanks again.  Here's my first shot at this and I think it worked.  However, I tested by hooking to my VPN, making the firewall config changes and then doing a VNC into one of my network computers on the VLAN 20 interface and trying to connect to another computer on the LAN, with no success.  However I am at work and sometimes the lag time can make things fail through the VPN, so we'll see later when I get home.

    My vitals are:

    pfSense (which I used in the first rule for destination (gateway))

    My firewall config is below (VLAN 10 is the same, just with VLAN10)

    Feel free to laugh or make fun of me or post this is what not to do  :)

    I've been a Linux guy for a lot of years, just never messed around with networks much, always took the easy way out... one wifi router.  Now that I see that I can segment I've already got some plans for moving things around.

    ![Screen Shot 2016-07-11 at 2.19.36 PM.png](/public/imported_attachments/1/Screen Shot 2016-07-11 at 2.19.36 PM.png)

  • LAYER 8 Global Moderator

    Well that looks ok, as long as you want vlan20 to only talk tcp.  How is it going to do dns, since you do not allow udp to anything?  Not even your last rule, which only allows it to talk to anything on tcp.  So udp would be broken from this vlan to anything else.

    You could not even ping.

    Maybe it's using something on vlan20 for dns?

    If your rfc1918 alias is set up for 10/8, 192.168/16 and 172.16/12 you're ok with it not talking to any of your other rfc1918 networks.  But for example it could talk to your pfsense WAN IP via tcp.
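    The moderator's two points above, top-down first-match evaluation with an `!` (not) alias rule, and the way a TCP-only pass rule silently drops UDP DNS, can be checked offline with a small model of how a pfSense interface tab evaluates rules. This is an added example, not code from the thread or from pfSense; the subnets, the pfSense addresses and the alias contents are constructed for the example, since the thread never states the real ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addressing: the thread does not give the real subnets.
VLAN10_NET = ipaddress.ip_network("192.168.10.0/24")
VLAN20_NET = ipaddress.ip_network("192.168.20.0/24")
# Every address pfSense itself holds (both VLAN gateways plus the WAN IP); constructed.
PFSENSE_IPS = [ipaddress.ip_network(a) for a in
               ("192.168.10.1/32", "192.168.20.1/32", "203.0.113.5/32")]
# The rfc1918 alias exactly as described in the thread.
RFC1918 = [ipaddress.ip_network(a) for a in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str            # "pass", "block" or "reject"
    proto: str             # "any", "tcp", "udp" or "icmp"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dst_negate: bool = False   # the "!" (not) checkbox on the destination
    label: str = ""


def in_any(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def evaluate(rules: List[Rule], proto: str, src: str, dst: str) -> Tuple[str, str]:
    """Walk the rules top down; the first match wins. No match means the
    interface's implicit default deny, which is what pfSense does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if not in_any(s, r.src):
            continue
        dst_hit = in_any(d, r.dst)
        if r.dst_negate:
            dst_hit = not dst_hit
        if dst_hit:
            return r.action, r.label
    return "block", "default deny"


# The moderator's layout, applied to VLAN20: ping its own gateway, reject every
# other pfSense address, then allow anything that is NOT rfc1918 (i.e. internet).
MODERATOR_RULES = [
    Rule("pass", "icmp", [VLAN20_NET], [ipaddress.ip_network("192.168.20.1/32")],
         label="ping own gateway"),
    Rule("reject", "any", [VLAN20_NET], PFSENSE_IPS, label="no other pfSense IP"),
    Rule("pass", "any", [VLAN20_NET], RFC1918, dst_negate=True, label="allow !rfc1918"),
]

# The poster's mistake as the moderator read it: the only pass rule is TCP.
TCP_ONLY_RULES = [
    Rule("pass", "tcp", [VLAN20_NET], RFC1918, dst_negate=True, label="tcp to !rfc1918"),
]

# Ordering: an any/any pass above the block means the block never triggers.
BLOCK_10_TO_20 = Rule("block", "any", [VLAN10_NET], [VLAN20_NET], label="block 10->20")
PASS_ANY = Rule("pass", "any", [VLAN10_NET], [ipaddress.ip_network("0.0.0.0/0")],
                label="allow any")
WRONG_ORDER = [PASS_ANY, BLOCK_10_TO_20]
RIGHT_ORDER = [BLOCK_10_TO_20, PASS_ANY]


if __name__ == "__main__":
    cases = [
        (MODERATOR_RULES, "icmp", "192.168.20.10", "192.168.20.1"),   # pass
        (MODERATOR_RULES, "tcp", "192.168.20.10", "192.168.10.1"),    # reject (other gateway)
        (MODERATOR_RULES, "tcp", "192.168.20.10", "192.168.10.50"),   # block (other VLAN host)
        (MODERATOR_RULES, "udp", "192.168.20.10", "8.8.8.8"),         # pass (DNS to internet)
        (MODERATOR_RULES, "tcp", "192.168.20.10", "203.0.113.5"),     # reject (WAN IP)
        (TCP_ONLY_RULES, "udp", "192.168.20.10", "8.8.8.8"),          # block: DNS is broken
        (TCP_ONLY_RULES, "tcp", "192.168.20.10", "203.0.113.5"),      # pass: WAN IP reachable
        (WRONG_ORDER, "tcp", "192.168.10.10", "192.168.20.10"),       # pass: block never hit
        (RIGHT_ORDER, "tcp", "192.168.10.10", "192.168.20.10"),       # block
    ]
    for rules, proto, src, dst in cases:
        action, label = evaluate(rules, proto, src, dst)
        print(f"{proto:4} {src:>15} -> {dst:<15} {action:6} ({label})")
```

    The model deliberately leaves out state tracking: a live state created before the block rule was added is matched before the rule set is consulted at all, which is the reason the moderator says to flush states after adding a block.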

  • I am learning but unfortunately the hard way.  :)

    My RFC1918 is set up that way.

    So what do I need to do to fix the VLAN20 interface?  VLAN20 to any with port any?

    I appreciate the help.  Thanks a bunch.

  • OK, I found a config somewhere online that seems to be working.  The only thing now I want to do, unless someone sees a gaping hole, is to limit access to the pfsense GUI, which I think I have a handle on.  I did it a little too well a few minutes ago and darn near locked myself out.

    Here's what I have.  It seems to be internet only.  I can't ping the pfsense box or any other computer on my network and both the 10 and 20 VLANS are segregated which is exactly what I was shooting for.  Guest network with internet only.

    ![Screen Shot 2016-07-11 at 5.29.07 PM.png](/public/imported_attachments/1/Screen Shot 2016-07-11 at 5.29.07 PM.png)

  • LAYER 8 Global Moderator

    You should be able to ping the pfsense vlan20 address.  You allow ipv4 any any, which would include icmp.  So if you're not pinging, something is wrong.

    You really can combine your block and allow rule and just make it allow ! rfc1918.

  • @johnpoz:

    > You should be able to ping the pfsense vlan20 address.  You allow ipv4 any any, which would include icmp.  So if you're not pinging, something is wrong.
    >
    > You really can combine your block and allow rule and just make it allow ! rfc1918.

    So if I add your ICMP example (at the top?) and combine the last two rules I'm better off?

    I sure do appreciate you taking the time to help.  Not only do I want the rules but want to understand what's going on as well and you're helping with that.
