Firewall rule, block traffic between VLAN'S


  • Hi all,

    I have WAN, LAN and 2 VLANs: VOICE and GUEST

    On VLAN VOICE I have only one rule: BLOCK  Source * Port * Destination * Port * Gateway *

    When I use diagnostic ping with source VLAN VOICE, I can still ping the other interfaces and VLANs.

    I cannot block the traffic between the VLANs and the LAN.

    Thanks

    Sorry for my english :)

  • LAYER 8 Netgate

    @digitalcomposer:

    Hi all,

    I have WAN, LAN and 2 VLANs: VOICE and GUEST

    On VLAN VOICE I have only one rule: BLOCK  Source * Port * Destination * Port * Gateway *

    You can do that but it is unnecessary since there is a default deny rule on all interfaces. That is the same as having no rules at all.

    When I use diagnostic ping with source VLAN VOICE, I can still ping the other interfaces and VLANs.

    I cannot block the traffic between the VLANs and the LAN.

    Thanks

    Sorry for my english :)

    The firewall blocks traffic coming into an interface. When you use diagnostics > ping from the firewall itself it will still succeed since the traffic is not entering the interface with the block rule on it (or the default deny rule and the absence of any pass rules).

    The traffic sourced from hosts actually on that interface will be blocked.


  • Ok, thanks.

    You mean it is better to test the rules with one PC on VLAN VOICE and try to ping another VLAN or the LAN.


  • Yes, testing the firewall rules from the firewall itself may be misleading.

    I've been using pfSense for inter-VLAN routing for quite some time now. The logic is simple; you just need to be careful with the rule order. The rules that PASS traffic from one VLAN/subnet to another go first. Then come the rules for VLAN/subnet isolation: BLOCK ANY protocol from ANY (covers hosts with foreign/invalid IPs) to DESTINATION_net. You need one such rule for each VLAN/subnet you want to isolate (usually on both sides). And finally, if you want to give the subnet internet access, you will have to add the PASS anything anywhere rule. That would go last, AFTER the isolation rules.

    Remember, there is an invisible default BLOCK ALL rule, so you don't need to create one yourself.
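    The rule ordering described above, worked through as an added example (not code from the thread or from pfSense): a first-match evaluator over a VOICE interface rule set, with the subnets and the one LAN host (a hypothetical PBX) that VOICE is allowed to reach being assumed values. It shows why the PASS-any rule must sit after the isolation BLOCKs, why the block-from-ANY form also catches a foreign source IP, and that an empty rule set falls through to the invisible default deny.

    ```python
    from ipaddress import ip_address, ip_network

    # Constructed subnets for the thread's interfaces (assumed, not from the post)
    VOICE_NET = ip_network("10.10.20.0/24")
    GUEST_NET = ip_network("10.10.30.0/24")
    LAN_NET = ip_network("192.168.1.0/24")
    ANY = ip_network("0.0.0.0/0")
    PBX = ip_network("192.168.1.5/32")  # hypothetical LAN host VOICE may reach


    def evaluate(rules, src, dst):
        """First-match evaluation, as pfSense applies rules to traffic entering
        an interface. rules is a list of (action, src_net, dst_net); when no
        rule matches the packet hits the invisible default BLOCK ALL."""
        src, dst = ip_address(src), ip_address(dst)
        for action, s_net, d_net in rules:
            if src in s_net and dst in d_net:
                return action
        return "block"  # implicit default deny


    # Ordering from the post: PASS exceptions, then isolation BLOCKs, then PASS any
    VOICE_RULES = [
        ("pass", VOICE_NET, PBX),     # allowed inter-VLAN traffic goes first
        ("block", ANY, LAN_NET),      # isolation: any source, not just VOICE_net
        ("block", ANY, GUEST_NET),
        ("pass", ANY, ANY),           # internet access, last
    ]

    # Same four rules with the catch-all PASS moved above the isolation rules
    WRONG_ORDER = [VOICE_RULES[0], VOICE_RULES[3], VOICE_RULES[1], VOICE_RULES[2]]


    def voice_host_reaches(rules, dst, src="10.10.20.50"):
        """True when a host on VOICE (constructed address) can send to dst."""
        return evaluate(rules, src, dst) == "pass"
    ```
    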