Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VLAN + Firewall-Rules vs Firewall-Rules only

    Scheduled Pinned Locked Moved Off-Topic & Non-Support Discussion
    23 Posts 5 Posters 9.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD Offline
      Derelict LAYER 8 Netgate
      last edited by

      Edge devices (PCs, servers, printers) are generally not members of more than one VLAN.

      You really have two choices:

      Put the PCs on different firewall segments (VLANs) with probably a different segment for the printer and server. Use firewall rules to determine what can talk with what.

      Use your switch. Put the PCs on protected ports and put the firewall/printer/server on unprotected ports on that VLAN.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by

        "I could imagine, that there is the need, that one device is part of more than one vlan."

        I think this is what is confusing you..

        Lets do it this way

        PC - vlan 100, 192.168.1.0/24
        Printer vlan 200 192.168.2.0/24
        Server vlan 300 192.168.3.0/24

        So these ports would be UNtagged in those vlans on your switch for the ports connected to those devices.

        Now the port connected to pfsense could either have 1 of those vlans untagged and to the naked interface.  Or you could tag all 3 and run vlans on top of your naked interface.  I do believe Derelict is the fan of tagging in such a case where your naked interface would not have any network on it.  Your 3 vlans would just sit on the naked interface.  Lets call it em2 on pfsense..

        So you would create 3 vlans that sit on pfsense em2, vlan 100, 200 and 300.

        vlan 100 - 192.168.1.254
        vlan 200 - 192.168.2.254
        vlan 300 - 192.168.3.254

        Now your port on your switch that connects to em2 would be tagged 100,200,300

        If PC wants to talk to printer, he sends traffic to pfsense IP on vlan 100 (his gateway 192.168.1.254)  Pfsense would route that traffic if allowed by firewall rules out vlan 200 interface to the printer.  Printer would send his answer back to pfsense vlan 200 IP 192.168.2.254

        Does that make more sense for your simple example?  Or you could do it this way

        pfsense em2 naked with 192.168.1.0/24 on it (vlan 100) in our example
        vlan 200 and 300 would be vlans that sit on em2

        Now your port connected to pfsense would have vlan 100 untagged (same as your PC) and vlans 200,300 would be tagged.

        I think your confusing that devices need to be in same vlan to talk to each other.. No that is what the router/firewall does it routes the traffic between your vlans.  If your just going to put all the devices in the same vlans..  Might as well just be 1 vlan then..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        1 Reply Last reply Reply Quote 0
        • D Offline
          Diego_12345
          last edited by

          Hi johnpoz,

          Thank you very much for these explanaitions. I will try this.
          Thanks to Derelict as well.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.