INTERVLAN ISSUE BLOCKING SUBNET PFSENSE
-
Dear Masters,
i have some issue on intervlan..
here is my scenario :
and i still cannot block the traffic between vlan.
i tried on cisco router with intervlan setup, and it works with ping reply dest host unreachable
all i need to know is,, is it possible to do the same thing with PFSENSE??
or did i miss some configurations??
Thanks a lot
-
Firewalls cannot block same subnet traffic. That must be done in your switch. Stop using /16 netmasks and put the networks you want to segment from each other on different subnets/firewall interfaces.
-
Firewalls cannot block same subnet traffic. That must be done in your switch. Stop using /16 netmasks and put the networks you want to segment from each other on different subnets/firewall interfaces.
Pardon me sir..
I dont understand clearly what does " that must be done in your switch".
So its not possible to do things like that??Im Sorry for the stupid questions..
-
So the pfsense cannt do the same thing like cisco router?
I would be extremely careful with such a statement, given the fact that you haven't yet build lots of credibility in this forum AND that your initial problem clearly shows your position on the learning curve.
Basically your network design is broken.
PC A: 172.16.2.2 /16
PC B: 172.16.3.3 /16They are both in the same subnet, which is 172.16.0.0 /16
Traffic in that area is not routed by your router, so the router cannot block it. Simple, eh?
Make PC A and PC B both a /24 as your gateways are and you should be good.pfSense can do what Cisco routers can.
-
Also why would you put /24 on pfsense interface if its a /16 network??
Pfsense should not route that traffic if thinks its on /24 - so if client A can talk to client B that points to a misconfig on your switch and not really vlan 2 and vlan 3.. You put the ports in the same layer 2 network..
-
Also why would you put /24 on pfsense interface if its a /16 network??
Pfsense should not route that traffic if thinks its on /24 - so if client A can talk to client B that points to a misconfig on your switch and not really vlan 2 and vlan 3.. You put the ports in the same layer 2 network..
I would be extremely careful with such a statement, given the fact that you haven't yet build lots of credibility in this forum AND that your initial problem clearly shows your position on the learning curve
I'm really sorry sir.. im just asking..
The goal is to prevent some users that using laptop changing their IP & subnet.
For example :
users A on Vlan A while they using /24 subnet the cant connect/access to other Vlans.
But if they change the subnet into /16 so they can discover all network,?? And scan your network?
Is it a security issue?I beg your pardon sir..
About the question, i'm really sorry..
Ive changed it … im just newbieRegards.
-
No.
If your switch, port channel and pfSense are configured correctly then no matter what IP config a user chooses he cannot access the other VLAN.The goal is to prevent some users that using laptop changing their IP & subnet.
You cannot prevent users from doing dirty stuff.
But it shouldn't affect your network in any aspect if they do. They cannot jump from VLAN2 to VLAN3 just by using a different netmask. -
"But if they change the subnet into /16 so they can discover all network,?? And scan your network?"
Then you switch is not setup correctly.. If port A is in vlan X, and port B is in vlan Y - does not matter what mask they put on their box. Sounds like your not setting up your switch correctly or you just trying to run multiple layer 3 over the same layer 2 network and don't have vlans setup on the switch at all. Which yes is a borked setup..
What is your switch, and what are the port configs for your devices?
-
"But if they change the subnet into /16 so they can discover all network,?? And scan your network?"
Then you switch is not setup correctly.. If port A is in vlan X, and port B is in vlan Y - does not matter what mask they put on their box. Sounds like your not setting up your switch correctly or you just trying to run multiple layer 3 over the same layer 2 network and don't have vlans setup on the switch at all. Which yes is a borked setup..
What is your switch, and what are the port configs for your devices?
how about the scenario on 1st picture 1st post..
here..did i have the wrong setup??
wrong setup on client's subnet PC??
what if i don't do it(the subnet setup), but the user himself that do change the subnet?thanks in advance sir..
-
I saw your picture.. Your switch is not setup with port 2 and 3 in different vlans if clients can see each other at layer 2.. Post your configs of those ports.
If the switch is configured with 2 different vlans for those ports then doesn't matter what mask or ip the machines put on - they can not see each other at layer 2.. And the only way for them to talk to each other is to go through the layer 3 routing device
The port connected to pfsense looks like your only using 1 interface, so your tagging that traffic to pfsense and that port wold be in trunk mode that allows vlan 2 and 3..
edit: not going to log into work, and don't even think we have an 2950 anywhere anyway they were end life many many years ago. But here is my sg300 cisco at home which these sorts of commands are all common, and you can see these ports are in different vlans
interface gigabitethernet8
description "Caseta Hub"
switchport mode access
switchport access vlan 200
!
interface gigabitethernet10
description printer
switchport mode access
switchport access vlan 20And there is trunk to pfsense interface
interface gigabitethernet3
description "esxi wlan trunk"
switchport trunk allowed vlan add 100,200,300,500
switchport trunk native vlan 20You can see it allows different vlans and its native (untagged) is set to 20.. This interface on pfsense runs a native untagged network (vlan 20 on the switch) and then multiple other tagged vlans..
-
I saw your picture.. Your switch is not setup with port 2 and 3 in different vlans if clients can see each other at layer 2.. Post your configs of those ports.
If the switch is configured with 2 different vlans for those ports then doesn't matter what mask or ip the machines put on - they can not see each other at layer 2.. And the only way for them to talk to each other is to go through the layer 3 routing device
The port connected to pfsense looks like your only using 1 interface, so your tagging that traffic to pfsense and that port wold be in trunk mode that allows vlan 2 and 3..
edit: not going to log into work, and don't even think we have an 2950 anywhere anyway they were end life many many years ago. But here is my sg300 cisco at home which these sorts of commands are all common, and you can see these ports are in different vlans
interface gigabitethernet8
description "Caseta Hub"
switchport mode access
switchport access vlan 200
!
interface gigabitethernet10
description printer
switchport mode access
switchport access vlan 20And there is trunk to pfsense interface
interface gigabitethernet3
description "esxi wlan trunk"
switchport trunk allowed vlan add 100,200,300,500
switchport trunk native vlan 20You can see it allows different vlans and its native (untagged) is set to 20.. This interface on pfsense runs a native untagged network (vlan 20 on the switch) and then multiple other tagged vlans..
here's my switch's vlan config
!
interface FastEthernet0/1
description trunk PFsense
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 2
!
interface FastEthernet0/3
switchport access vlan 3
!my PFsense has 4 ports Plugged
WAN1
WAN2
LAN
OPT1 =>> this is plugged into trunk port on Cisco 2950
all vlan on PFsense parent to this interfacethank you very much sir..
-
Well then you have a loop that is connecting vlan 2 and 3 somewhere else at layer 2. Or your switch is bad.. Devices isolated at layer 2 can not see each other, no matter what IPs they put on themselves..
or you have pfsense with a bridge or something? If your device can see each other by just changing the mask on their IP, then they connect on the same layer 2 network..
BTW your rules stating source vlan 2 dest vlan 2 are completely pointless on pfsense.. As going to state again a gateway, ie pfsense has zero to do with traffic on the same layer 2 network.. You would only talk to pfsense to get off that network via layer 3. Rules having same source as dest are pointless..
Post up a screenshot of your rules.. on this layer 2 and layer 3 network. And you didn't bridge anything at psense? I would disconnect pfsense and then see if devices can talk to each other - this proves to you its not pfsense.
-
Well then you have a loop that is connecting vlan 2 and 3 somewhere else at layer 2. Or your switch is bad.. Devices isolated at layer 2 can not see each other, no matter what IPs they put on themselves..
or you have pfsense with a bridge or something? If your device can see each other by just changing the mask on their IP, then they connect on the same layer 2 network..
BTW your rules stating source vlan 2 dest vlan 2 are completely pointless on pfsense.. As going to state again a gateway, ie pfsense has zero to do with traffic on the same layer 2 network.. You would only talk to pfsense to get off that network via layer 3. Rules having same source as dest are pointless..
Post up a screenshot of your rules.. on this layer 2 and layer 3 network. And you didn't bridge anything at psense? I would disconnect pfsense and then see if devices can talk to each other - this proves to you its not pfsense.
Cmiiw,
isn't it the pfsense that allow connection between vlan 2 & vlan 3?
Because vlan IPs on pfsense used as gateway on PCs, so they can communicate via each gateway?I will try to use another switch to implement from the bigining again..
Maybe as you said, its switch's fault..Thank you so much sir..
Really apreciate.. -
Yes pfsense is what allow traffic between vlan 2 and 3.. Via routing and firewall rules at layer 3. If your saying client can just change their IP to a /16 and see the other vlan that has Zero to do with pfsense..
Again you can really easy prove this to yourself by just pulling the plug on pfsense connection to your switch.. Can devices see each other?
Why not just sniff on a client.. does it see broadcast traffic, arp, etc.. from the other vlan?
