    Firewall rule, block traffic between VLANs

    Firewalling
    digitalcomposer

      Hi all,

      I have WAN, LAN and 2 VLANs: VOICE and GUEST.

      On VLAN VOICE I have only one rule: BLOCK  Source * Port * Destination * Port * Gateway *

      When I use Diagnostics > Ping with source VLAN VOICE, I can still ping the other interfaces and VLANs.

      I cannot block the traffic between the VLANs and the LAN.

      Thanks

      Sorry for my english :)

      Derelict (LAYER 8, Netgate)

        @digitalcomposer:

        Hi all,

        I have WAN, LAN and 2 VLANs: VOICE and GUEST.

        On VLAN VOICE I have only one rule: BLOCK  Source * Port * Destination * Port * Gateway *

        You can do that, but it is unnecessary since there is a default deny rule on all interfaces. That is the same as having no rules at all.

        When I use Diagnostics > Ping with source VLAN VOICE, I can still ping the other interfaces and VLANs.

        I cannot block the traffic between the VLANs and the LAN.

        Thanks

        Sorry for my English :)

        The firewall blocks traffic coming into an interface. When you use Diagnostics > Ping from the firewall itself it will still succeed, since the traffic is not entering the interface with the block rule on it (or with the default deny rule and the absence of any pass rules).

        The traffic sourced from hosts actually on that interface will be blocked.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          digitalcomposer

          Ok, thanks.

          You mean it is better to test the rules with one PC on VLAN VOICE and try to ping another VLAN or the LAN.

            fakircz

            Yes, testing the firewall rules from the firewall itself may be misleading.

            I've been using pfSense for inter-VLAN routing for quite some time now. The logic is simple; you just need to be careful with the rule order. The rules that PASS traffic from one VLAN/subnet to another go first. Then come the rules for VLAN/subnet isolation: BLOCK ANY protocol from ANY (covers hosts with foreign/invalid IPs) to DESTINATION_net. You need one such rule for each VLAN/subnet you want to isolate (usually on both sides). And finally, if you want to give the subnet internet access, you will have to add the PASS anything anywhere rule. That goes last, AFTER the isolation rules.

            Remember, there is an invisible default BLOCK ALL rule, so you don't need to create one yourself.

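The two points made in this thread (interface rules only filter traffic entering that interface, so a ping from the firewall itself is not a valid test; and the rule order on the VOICE tab decides whether isolation holds) can be checked offline with a small first-match model. The block below is an added example written for this page, not code from the thread or from pfSense; the subnets, the hypothetical SIP pass rule to a LAN PBX on UDP 5060, and the sample packets are all constructed for illustration. It models what pfSense does with an interface tab: rules are evaluated top down, the first match wins (pfSense adds `quick` to every rule), and an invisible default deny sits at the bottom. Floating rules and outbound filtering are deliberately not modelled.

```python
"""First-match model of a pfSense interface ruleset (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing (assumption; the thread gives no subnets).
NETS = {
    "LAN_net": ipaddress.ip_network("192.168.1.0/24"),
    "VOICE_net": ipaddress.ip_network("192.168.10.0/24"),
    "GUEST_net": ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # "*", an alias from NETS, or "!alias"
    dst: str                     # same syntax as src
    proto: str = "*"             # "*", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    """'*' matches everything, '!X' inverts X, otherwise an alias lookup."""
    if spec == "*":
        return True
    if spec.startswith("!"):
        return not _addr_matches(spec[1:], addr)
    return ipaddress.ip_address(addr) in NETS[spec]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.proto in ("*", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[Rule]]:
    """Top-down, first match wins; no match falls to the invisible default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule
    return "block", None


def decide(rules_by_iface: dict[str, list[Rule]],
           ingress_iface: Optional[str], pkt: Packet) -> str:
    """Interface rules apply to traffic ENTERING that interface. A packet the
    firewall generates itself (Diagnostics > Ping) enters no interface, so no
    interface ruleset is consulted, whatever source address was selected."""
    if ingress_iface is None:
        return "pass"
    return evaluate(rules_by_iface[ingress_iface], pkt)[0]


# The original poster's single rule: same effect as an empty tab.
ONLY_BLOCK = [Rule("block", "*", "*")]

# Ordering from the last reply: specific passes, then one isolation block
# per protected subnet (src "*" also catches spoofed/foreign sources),
# then the catch-all pass for internet access last.
VOICE_ISOLATED = [
    Rule("pass", "VOICE_net", "LAN_net", "udp", 5060),  # hypothetical: phones to a LAN PBX
    Rule("block", "*", "LAN_net"),
    Rule("block", "*", "GUEST_net"),
    Rule("pass", "VOICE_net", "*"),
]

# Same four rules with the catch-all pass moved to the top: isolation is lost.
VOICE_WRONG_ORDER = [VOICE_ISOLATED[3]] + VOICE_ISOLATED[:3]

# Constructed test packets.
PHONE_TO_LAN_PING = Packet("192.168.10.20", "192.168.1.10", "icmp")
PHONE_TO_PBX = Packet("192.168.10.20", "192.168.1.10", "udp", 5060)
PHONE_TO_GUEST = Packet("192.168.10.20", "192.168.20.5", "tcp", 80)
PHONE_TO_INTERNET = Packet("192.168.10.20", "203.0.113.9", "tcp", 443)
SPOOFED_TO_LAN = Packet("10.9.9.9", "192.168.1.10", "tcp", 445)
FW_PING = Packet("192.168.10.1", "192.168.1.10", "icmp")  # pfSense's own VOICE address


def demo() -> dict[str, str]:
    by_iface = {"VOICE": VOICE_ISOLATED}
    return {
        "host on VOICE pings LAN": decide(by_iface, "VOICE", PHONE_TO_LAN_PING),
        "firewall pings LAN, source VOICE": decide(by_iface, None, FW_PING),
        "host on VOICE pings LAN, pass-any first": evaluate(VOICE_WRONG_ORDER, PHONE_TO_LAN_PING)[0],
        "spoofed source to LAN": evaluate(VOICE_ISOLATED, SPOOFED_TO_LAN)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5}  {name}")
```

Run it and the "firewall pings LAN" case passes while the same ping from a host on VOICE is blocked, which is exactly why testing from Diagnostics > Ping was misleading. Swapping the catch-all pass to the top turns the host ping into a pass, which is the ordering mistake the last reply warns about.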