Having trouble with semi complex firewall rules



  • I'm hoping someone can help me figure out the correct rule to get this sorted:

    My network is composed of the default subnet and VLAN 10, which has my Blue Iris video surveillance server on it, as well as all the IP video cams.

    Default subnet can talk to VLAN 10, but VLAN 10 cannot see any machine on default subnet. This is intentional.

    I would like to allow any device on VLAN 10 to communicate using NTP to automatically set time, and I would like 1 host on VLAN 10 to have unrestricted outbound access to the WAN. Otherwise, I want all traffic from VLAN 10 to the WAN blocked (except for NTP and the single host, of course).

    I can easily block traffic from VLAN 10 to the WAN, but I can't figure out how to then allow NTP traffic through, and to allow the single host through. What am I doing wrong?

    Edit: for context, the single host is the computer running Blue Iris. It is exposed to the internet for part of the day on a schedule, so remote viewing can take place. I want that server on its own VLAN in case it gets owned, so it can't talk to pfSense or any other computers. I then want to block all access but NTP for the IP cams, since they may try to phone home to China. Or block WAN access in case they get owned and roped into a botnet.



  • Firewall rules are applied on the interface that the traffic initially enters.  You need to add a pass rule above your block rule on the VLAN10 tab under Firewall Rules that allows NTP for the specified host.



  • @KOM:

    Firewall rules are applied on the interface that the traffic initially enters.  You need to add a pass rule above your block rule on the VLAN10 tab under Firewall Rules that allows NTP for the specified host.

    Thanks, I got it figured out. I <think>part of the problem was that I was assuming the firewall rules were being reloaded quicker than they actually were, so in my testing I wasn't being patient enough for the proper changes to propagate.

    I went through rule by rule and used logic, as you suggested I did, and it all works fine. Thank you!</think>


Log in to reply