Allow access between vlans



  • Hi,

    I'm trying to allow access from an adminvlan to my other vlans.
    I have made a rule that allows any access from e.g. vlan80 to vlan30, see screenshot.

    But I am not able to access anything on vlan30.
    What else do I need?



  • Rules are applied to traffic that enters an interface.  You have 7 VLANs.  If you want everyone to have access to VLAN30 then you need to put your rule on all the other VLAN interfaces to allow it.  The rules you have on VLAN30 only apply to traffic coming from the VLAN30 network outbound.  So, if you want ADMINVLAN to have access to VLAN30 then you need to add an allow rule on ADMINVLAN, not VLAN30, that allows access from ADMINVLAN to VLAN30.



    Thanks! I was thinking the opposite way.
    Now it works :)



  • One more thing:

    If I want only one MAC address (xx:xx:xx:xx:xx:xx) on VLAN20 to enter one port (14444) on a specific IP (192.168.30.250) on VLAN30,
    how should the rule be, if it is possible?



  • pfSense operates at layer 3, so you can't use it to control based on MAC, only by IP address.  You can create a static mapping in DHCP so that this MAC always receives the same IP.



  • Yes, that's a good solution.

    But how is the rule going to be? I can't find a place to specify an IP address in the rules. Only ports.


  • Rebel Alliance Global Moderator

    So you only want this 1 IP to access 1 port? And all other devices on that vlan to be blocked.  And all your other vlans blocked as well..  Keep in mind that if you have, say, an any-any rule on another vlan.. that vlan could come in the back door, if you will, and access that port.

    Need to see your current rules to walk you through how best to do it for your setup.



  • I can't find a place to specify an IP address in the rules.

    The Source is what you are looking for.



  • Yes, only one IP on VLAN20 to access one port on a server on VLAN30. Everything else to be blocked between vlans.

    My rules on VLAN20 and VLAN30:



  • Is this rule correct?

    My server on vlan30, 192.168.30.250, has of course a static IP.

    johnpoz; do I need to set up a block rule on all vlans to close "the backdoor"?



  • Rebel Alliance Global Moderator

    Not unless the source port is also 14444, which is really really really RARE..  And your first rule blocks access to the firewall on all ports, all IPs.  So the rest of the rules are not looked at..  Is 192.168.30.250 the IP address of a pfsense interface or some box on vlan 30?

    If the box, ok.. but you're blocking all access to pfsense as the first rule.. Are you not using pfsense for dns?  Also do you want vlan 30 to be able to talk to any of your other vlans?  If so, you have it going out a specific gateway.. So unless that gateway can get to your other networks, vlan30 would never be able to talk to any of your other vlans.

    Also your rule below that allows any any, so anyone could go to that IP on that port..  You would need to put a block rule under the allow rule to block everyone else from getting there.

    And all your other vlans - what are their rules?  They would be able to access it, etc.

    Rules are evaluated top down, first rule to trigger wins - no other rules are looked at..

    So I am on vlan20 and want to talk to vlan30 IP on this port..

    So am I talking to the firewall, no - rule skipped
    Am I talking to IP 30.250 on port 14444, and is my IP the source - ok - allowed.

    But your problem is your next rule allows access to any any.. so if my IP is something else on vlan20

    rule 1 - skipped
    rule 2 - skipped
    rule 3 - oh any any yeah you can go to 30.250 on port 14444..



  • No, source port is not 14444, my mistake..

    My plan with the block rule was to deny access to pfSense webGUI. Clearly I misunderstood this rule. I'm pretty new to pfSense, so my way of thinking isn't always what my rules do  :)

    192.168.30.250 is my server on vlan30. I want access to port 14444 on this server from vlan20.

    The rules on the other vlans are the same as vlan20. I'm not done with them yet.

    So to sum it up, I want to:

    • Deny pfSense interface access on vlan20
    • Allow access from one IP on vlan20 to port 14444 on server on vlan30
    • Block access from all other vlans to my server

  • Rebel Alliance Global Moderator

    So you don't want any of your other vlans to talk to any of your other vlans at all?
    You want your one client on vlan 20 to talk to this 1 server on 14444 tcp

    You don't want other vlans to talk to pfsense for anything other than??  Do you use pfsense for dns?  this can be done in a couple of rules.. Validate if you need to talk to pfsense for dns, and I can post up screenshots of how you could do it.



  • That's correct, only that one access.

    The other vlans only need access to internet, no access between them and no access to pfSense webGUI.

    I have not thought about DNS…. what are you thinking about?


  • Rebel Alliance Global Moderator

    do you point your clients to internet for dns, or are they going to ask pfsense who then resolves or you could setup to forward?

    I assume all your vlans are using rfc1918 space?  If so then create an alias, put in the rfc1918 networks 10/8, 192.168/16, 172.16/12

    Then you can use an ! (not) for the destination.

    You can take out the dns and ping if you don't want to allow that.  But I normally allow ping to validate they can talk to pfsense (their gateway) and allow them to ask pfsense for dns so they can resolve other local machines' IPs; even if they cannot get to the other vlans they can resolve via dns stuff on their vlan, etc.

    So you see I allow ping in the 1st rule
    2nd rule allows dns to the pfsense IP address on that vlan
    3rd rule blocks access to any other pfsense IP on any port, wan, other vlans, etc..
    4th rule allows vlan clients to go anywhere they want on any port (internet) as long as it's not an rfc1918 address, ie your other vlans.  That is what the ! (not) means in the rule.. So the rule reads: as long as you're NOT going to a local rfc1918 address, sure, you're allowed.

    On the vlan 20 that you want to allow to your vlan30 IP and port.. Just add the 1 rule that allows that above the rfc1918 rule.  You will want to change your different vlans to use their vlan as source and pfsense interface in that vlan for dest for dns, etc.

    If you don't want to allow ping or dns - then pull those rules out.
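    The top-down walk-through earlier in the thread and the four-rule layout above, as an added Python simulation that is not from the thread or from pfSense itself: the pfSense interface addresses and the admin client's IP are assumed values, the server IP and port are the ones from the thread.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed addresses: pfSense interface IPs and the admin client are assumptions.
FIREWALL_IPS = {"192.168.20.1", "192.168.30.1", "192.168.80.1"}
PFSENSE_VLAN20 = "192.168.20.1"   # pfSense's own address on vlan20
ADMIN_PC = "192.168.20.50"        # the one static-mapped client on vlan20
SERVER = "192.168.30.250"         # the vlan30 server named in the thread
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Rule(NamedTuple):
    action: str           # "pass" or "block"
    proto: str            # "any", "tcp", "udp" or "icmp"
    src: str              # "any" or a single IP
    dst: str              # "any", "this_firewall", "!rfc1918" or a single IP
    dport: Optional[int]  # None means any destination port

def dst_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "this_firewall":
        return ip in FIREWALL_IPS
    if spec == "!rfc1918":  # the "!" (not) on the RFC1918 alias
        return not any(ipaddress.ip_address(ip) in net for net in RFC1918)
    return spec == ip

def evaluate(rules, proto, src, dst, dport=None):
    """Top-down, first-match: return (action, 1-based rule index); no match = default deny."""
    for i, r in enumerate(rules, 1):
        if r.proto != "any" and r.proto != proto:
            continue
        if r.src != "any" and r.src != src:
            continue
        if not dst_matches(r.dst, dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i          # first rule to trigger wins
    return "block", None
# VLAN20 interface: ping and DNS to the gateway, block the rest of pfSense, the single
# server rule, then anything that is NOT an RFC1918 destination (the internet).
VLAN20_RULES = [
    Rule("pass", "icmp", "any", PFSENSE_VLAN20, None),
    Rule("pass", "udp", "any", PFSENSE_VLAN20, 53),
    Rule("block", "any", "any", "this_firewall", None),
    Rule("pass", "tcp", ADMIN_PC, SERVER, 14444),
    Rule("pass", "any", "any", "!rfc1918", None),
]
# The earlier "any any" layout: rule 3 lets every vlan20 host reach the server port.
LEAKY_RULES = VLAN20_RULES[2:4] + [Rule("pass", "any", "any", "any", None)]
```

    A second vlan20 host reaching the server falls through every rule and hits the default deny, while the same packet passes at rule 3 of the any-any layout.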




  • I point them to internet, I've not thought about using pfSense for dns.
    Do you recommend it?

    Will this rule work ok? It allows that one TCP port access, the next one denies the other devices on vlan20 access to that TCP port.
    Hmm, but in the end I allow them to access it after all…



  • Rebel Alliance Global Moderator

    That rule says as long as you're not going to that IP and that port you're allowed..

    I edited my previous post with examples.. see it.

    I set my block to firewall rule to log… So you can see if anything is trying to access pfsense, say for ntp, or UPnP, etc.  So you could allow those if you want, etc.. If you don't want then you could create rules that blocks those but does not log.. So anything new you could still see in your logs if trying to access pfsense on some other port, etc.



  • Thanks a lot johnpoz!!

    Now I understand the way of firewall rules thinking… I didn't have the basic understanding to begin with, but the good help here helped me a lot! Great forum!

    My next project with pfSense is vpn, so maybe I'll be back with some questions then :)


  • Rebel Alliance Global Moderator

    We are here to help.. Ask your questions..  Or just search for them - most of them have already been answered a thousand times.. Or read the docs..  Or better yet buy the book - pretty sure you can get the book for like $25 right now.