How to Block access to Admin SSH/WebGUI from VLANs



  • I've got a bunch of VLANS set up that are trunked into pfSense from an SG300 Switch.

    I want to block ADMIN access on many of the VLANS.  For Discussion use the follow setup:

    LAN defaults to VLAN 1 - 192.168.0.1/24, but I'm not using it for anything - em1 - only used to attach interfaces for other VLANs.

    VLAN 10 - 192.168.10.1/24 - No Access to WEB/SSH
    VLAN 20 - 192.168.20.1/24 - Want Admin Access
    VLAN 30 - 192.168.30.1/24 - No Access to WEB/SSH
    VLAN 40 - 192.168.40.1/24 - Want Admin Access
    VLAN 50 - 192.168.50.1/24 - No Access to WEB/SSH
    VLAN 60 - 192.168.60.1/24 - No Access to WEB/SSH

    What address do I firewall?  192.168.x.1 is the gateway, and it's also the IP address where ssh/http(s) listen, so I can't block it, can I? Otherwise I would kill my connection.

    I've looked through https://doc.pfsense.org, and looked at Google, but I can't find anything relevant.

    Any assistance would be much appreciated.

    (I got the pfSense Gold hoping that I would find something there by way of case studies/examples of the type of thing that an advanced home/small business user would like to do. Ex: A couple of VLANs with access to the internet, but isolation from each other and sensible firewall rules (with/without access to the admin interface on pfSense). There are bits and pieces all over the internet, but putting them together is a real challenge. Documentation seems to be either way too simple, or for the enterprise network engineer. Some by-example cases (maybe even a config that could be imported into the virtual machine firewall) would really add value for the pfSense Gold membership.)


  • Rebel Alliance

    You "Block" traffic destined to "This Firewall"  ;)

    https://forum.pfsense.org/index.php?topic=126736.msg699921#msg699921
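    What the advice above comes to in pf terms, as an added example that is not from this thread or from the pfSense documentation. pfSense compiles the GUI rules into /tmp/rules.debug; the "This Firewall (self)" destination becomes pf's `(self)`, which expands to every address the firewall holds, so the VLAN gateway address the first post worries about never has to be named and the rule does not depend on which interface address the admin services are reached on. The interface names (em1.10 and so on), the alias name and the port list are assumptions matching the VLAN layout in the first post.

    ```pf
    # Added example: roughly what the pfSense GUI rules compile to in pf (/tmp/rules.debug).
    # Interface names, alias name and port list are assumptions for the VLAN layout above.

    # Alias of the VLAN subnets that must not reach the admin services (WebGUI + SSH).
    table <VM_LANS> { 192.168.10.0/24 192.168.30.0/24 192.168.50.0/24 192.168.60.0/24 }
    admin_ports = "{ 22 80 443 }"

    # Interface-tab rule on VLAN 10. pfSense makes every interface-tab rule "quick", so the
    # first matching rule wins; this block sits above the default "allow VLAN10 net to any".
    # (self) = all of the firewall's own addresses, including 192.168.10.1.
    block drop in quick on em1.10 inet proto tcp from 192.168.10.0/24 to (self) port $admin_ports \
        label "USER_RULE: Block admin access to This Firewall"
    pass in quick on em1.10 inet from 192.168.10.0/24 to any keep state \
        label "USER_RULE: Default allow VLAN10 to any"

    # The same block as a floating rule covering all four VLANs. Floating rules are evaluated
    # before interface-tab rules, but if the Quick checkbox is left unchecked the rule is not
    # "quick": pf keeps evaluating, the later quick "pass ... to any" interface rule matches and
    # wins, and the block never takes effect. With Quick checked, the VLAN interfaces selected
    # and direction "in", it behaves exactly like the per-interface rule above.
    block drop in quick on { em1.10 em1.30 em1.50 em1.60 } inet proto tcp from <VM_LANS> to (self) port $admin_ports \
        label "USER_RULE: Floating block admin access to This Firewall"
    ```

    Two practical caveats. Block only the admin ports rather than all traffic to (self): if a VLAN gets DNS, DHCP or NTP from the firewall, a blanket block to This Firewall would break those too. And the anti-lockout rule that passes the WebGUI/SSH ports ahead of user rules applies only to the LAN interface (em1 here), so it does not undo blocks on the VLAN interfaces, but it is also why the same block on the LAN tab would not work unless anti-lockout is disabled.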



  • @ptt:

    You "Block" traffic destined to "This Firewall"  ;)

    https://forum.pfsense.org/index.php?topic=126736.msg699921#msg699921

    Thanks, I think that gave me what I needed to figure it out.

    I tried this in the floating rules, and I'm not sure why, but it didn't work.

    The alias source VM_LANS is a list of all the "Nets" (192.168.10.0/24, 192.168.30.1/24, 192.168.50.1/24, 192.168.60.1/24) that I want to block access for.

    So I put the following into the rules for each interface and it seemed to do the job.

    Can someone tell me (or give me a hint as to how to figure it out) why the floating rules failed?






  • I want to give it something to come up with something that must have something right.