Netgate Discussion Forum

    Firewall rule, block traffic between VLAN'S

    Firewalling
    4 Posts 3 Posters 3.7k Views
    • digitalcomposer

      Hi all,

      I have WAN, LAN and 2 VLANs: VOICE and GUEST.

      On VLAN VOICE I have only one rule: BLOCK  Source * Port * Destination * Port * Gateway *

      When I use diagnostic ping with source VLAN VOICE, I can still ping the other interfaces and VLANs.

      I cannot block the traffic between the VLANs and the LAN.

      Thanks

      Sorry for my English :)
      • Derelict (LAYER 8 Netgate)

        @digitalcomposer:

        > Hi all,
        >
        > I have WAN, LAN and 2 VLANs: VOICE and GUEST.
        >
        > On VLAN VOICE I have only one rule: BLOCK  Source * Port * Destination * Port * Gateway *

        You can do that but it is unnecessary since there is a default deny rule on all interfaces. That is the same as having no rules at all.

        > When I use diagnostic ping with source VLAN VOICE, I can still ping the other interfaces and VLANs.
        >
        > I cannot block the traffic between the VLANs and the LAN.
        >
        > Thanks
        >
        > Sorry for my English :)

        The firewall blocks traffic coming into an interface. When you use Diagnostics > Ping from the firewall itself it will still succeed, since the traffic is not entering the interface with the block rule on it (or the default deny rule and the absence of any pass rules).

        The traffic sourced from hosts actually on that interface will be blocked.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • digitalcomposer

          Ok, thanks.

          You mean it is better to test the rules with one PC on VLAN VOICE and try to ping another VLAN or the LAN.

          • fakircz

            Yes, testing the firewall rules from the firewall itself may be misleading.

            I've been using pfSense for inter-VLAN routing for quite some time now. The logic is simple; you just need to be careful with the rule order. The rules that PASS traffic from one VLAN/subnet to another go first. Then come the rules for VLAN/subnet isolation: BLOCK ANY protocol from ANY (covers hosts with foreign/invalid IPs) to DESTINATION_net. You need one such rule for each VLAN/subnet you want to isolate (usually on both sides). And finally, if you want to give the subnet internet access, you will have to add the PASS anything anywhere rule. That would go last, AFTER the isolation rules.

            Remember, there is an invisible default BLOCK ALL rule, so you don't need to create one yourself.

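The rule order fakircz describes, and Derelict's point that firewall-originated pings never traverse an interface ruleset, modelled as an added example (not code from the thread or from pfSense). The subnets, the PBX host and the interface names are constructed assumptions; the evaluator mimics pfSense's top-down first-match behaviour with the invisible default deny.

```python
from ipaddress import ip_address, ip_network

# Constructed subnets for the three interfaces in the thread (assumed values).
LAN = ip_network("192.168.1.0/24")
VOICE = ip_network("192.168.10.0/24")
GUEST = ip_network("192.168.20.0/24")
PBX = ip_network("192.168.1.10/32")  # hypothetical LAN host the phones may reach

# A rule is (action, source network or None for "any", destination network or None).
# pfSense applies an interface's rules top-down to traffic ENTERING that interface;
# the first match wins, and anything unmatched hits the invisible default deny.
def first_match(rules, src, dst):
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net in rules:
        if (s_net is None or src in s_net) and (d_net is None or dst in d_net):
            return action
    return "block"  # invisible default BLOCK ALL

# Ordering from fakircz's post: specific PASS first, then BLOCK from ANY to each
# protected net (catches foreign/invalid source IPs too), then the PASS-anything
# rule for internet access last.
VOICE_RULES_OK = [
    ("pass", VOICE, PBX),
    ("block", None, LAN),
    ("block", None, GUEST),
    ("pass", VOICE, None),
]

# Same rules with the catch-all PASS at the top: the isolation rules below it are
# shadowed and VOICE hosts can reach LAN and GUEST.
VOICE_RULES_SHADOWED = [
    ("pass", VOICE, None),
    ("block", None, LAN),
    ("block", None, GUEST),
]

RULESETS = {"VOICE": VOICE_RULES_OK}

def filter_packet(ingress, src, dst):
    """Verdict for one packet. ingress is the interface it arrives on, or None for
    traffic generated by the firewall itself (Diagnostics > Ping), which never
    enters an interface and so is never checked against these inbound rules."""
    if ingress is None:
        return "pass"
    return first_match(RULESETS.get(ingress, []), src, dst)
```

Testing from a host on VOICE (ingress "VOICE") exercises the rules; a ping sourced from the firewall (ingress None) does not, which is why the diagnostic ping in the original post succeeded.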
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.