Generic rule for "everything that must pass the WAN interface"?

  • I'm trying to find a simple way to create a rule for:

    Pass all traffic from "VLAN99" that will be routed across the "WLAN" interface to the great outside world.

    (I don't think setting a destination of "WLAN Address" or "WLAN Net" would work, as those are a bit too specific for "the entire internet")

    In truth, the idea is to prevent any traffic from being routed to other vlan's.  To that end, I know I can create an alias that includes all the "other vlan's" (by listing them each), and then "PASS !(vlan_list_alias)", but that requires that I'm responsible, plan ahead, and actually know every future possible vlan I might create when creating the alias (or be responsible and remember to update the alias when I update interfaces.)  (In other words, it would be a plan destined for failure.)

    I also thought I could create an alias for all the "private networks" (,,,, and just allow all traffic NOT to them, but then I also need a way to pass IPv6 traffic that's not going internal - and that's a bit harder when I don't know what prefix comcast might give me this week.

    I keep coming back to… "There must be a way! I just don't know what it is!"

    So... Is there a way?  If so, what is it?


  • LAYER 8 Netgate

    There is a way. You take responsibility and block traffic to everything local you do not want them to access, then pass to any (aka the internet). There is no "all local subnets" alias you can use to block traffic.

    Aliases can make this a little easier.

  • :(  Oh, well, so much for being lazy…  Thank you for taking the time to reply.

    Is it better to create a "local subnets" alias, block access to it, and then pass to everything else...

    ...or is better to create the same alias, and "allow to everything !(in alias)"?

    (Do those end up doing the exact same thing?  This this vlan, I was hoping to force myself to be explicit in what is allowed and retain the default catchall of "deny")

    In either case, I think there'd have to be 1 "pass" rule before any blocking:  To allow DNS to the local DNS server (pass ipv4+ipv6, tcp/udp port 53) on one of the normally blocked subnets.  (Or is it better to use the pfSense DNS forwarder?)  DHCP relay, RA's and ICMPv6 shouldn't be blocked by the above rules.

    (I'm surprised there isn't a pfsense wiki page for "how to do single vlan isolation." )

  • @garyd9:

    Is it better to create a "local subnets" alias, block access to it, and then pass to everything else…

    ...or is better to create the same alias, and "allow to everything !(in alias)"?

    Nevermind.. the latter isn't possible.  I can't create an alias for "LAN net" or "VLAN1 net."  It appears that network aliases require typing out CIDR formats and can't use the shortcuts available when making firewall rules (such as "LAN net")

    So, I guess I have to specifically DENY access to each "net" and then allow whatever is left over.

    allow DNS,etc
    block any to: (LAN net)
    block any to: (VLAN1 net)
    block any to: (VLAN2 net)
    block any to: (VLAN3 net)
    allow any to any

    I really had wanted to approach this from a "deny everything and be specific in what is allowed" type mentality, but I don't think it's feasible in this case.

    Take care

  • Would this work:

    Create a FLOATING rule to PASS, Interface: WAN, Direction: out, AF: IPv4+IPv6, proto: any, Source: VLAN99 net, Dest: any

    Then, on the interface tab for VLAN99, add some "pass" rules for certain things like DHCP and DNS, and let it block by default.

    If I understand the rules correctly (which I admit is a huge assumption), the floating rule would be seen first and would pass anything originating from VLAN99 and heading out the WAN interface to "the internet."  Then, any other packets coming from VLAN99 would be processed with the rules on the interface tab which would pass DNS/DHCP type traffic and block everything else.

    Is this correct?


  • LAYER 8 Netgate

    You are probably doing NAT so at the point floating rules are process outbound, NAT will have already happened and the source of the traffic will (likely) be WAN address, not VLAN99 net.

  • Attached is a snippet of the rule set I ended up using for this.  "ISOLATE" is the name of the interface.

    Neither DNS nor DHCP are running on pfSense.  In fact, they are running on a different subnet/vlan.  (pfSense is configured as a DHCP relay, however.)

    The first rule allows traffic to the DNS server.

    The second rule explicitly blocks ports 80,443,22 on the pfSense machine

    The third rule opens of the rest of pfSense so DHCP relays, ipv6 RA's, and a secondary (backup) DNS works.

    The fourth/fifth rules are to block any traffic going to one of the other vlans….

    And finally, any other traffic is allowed to flow (which, hopefully, has only left open traffic heading outside of my network.)

    Below that are a couple rules to explicitly block (and not log) things that would normally be blocked by the "default deny all."

    ...  This appears to work, but I'm not a firewall genius.  Is this "okay"?  Is there a better way to do it?

    Thank you

Log in to reply