Netgate Discussion Forum

Vlan trunking isolation problem SOLVED

5 Posts 3 Posters 2.9k Views
    jamengual, Nov 10, 2008, 12:42 AM (last edited Nov 10, 2008, 5:29 PM)

    Hi guys.

    I just installed a pfSense machine connected to a Linksys switch with trunking, VLAN tagging and so on.

    I assigned the interfaces and VLANs and created different DHCP ranges for each VLAN, and it is working OK.

    The only problem I have is that pfSense is routing the traffic between VLANs, which means that a computer in VLAN10 can see a computer in VLAN20, and that is not the idea. I want to isolate the VLANs completely from each other and give NAT etc. to each one.

    I found the way to do that by creating firewall rules and groups, but…

    Why, if I add a rule for VLAN10 to go to any destination, can it reach VLAN20?

    Is there any way to isolate the traffic between VLANs on pfSense without creating firewall rules?

    Thanks.

    blak111, Nov 10, 2008, 3:46 AM

      You could just modify the current allow rules to say not to your local networks.

      jamengual, Nov 10, 2008, 5:34 AM

        That's what I did.

        I created a group with my 13 VLANs and then I created 3 rules on each VLAN interface:

        One blocking the traffic from that VLAN subnet to all the VLANs
        One allowing the traffic from the VLAN subnet to itself
        One allowing the traffic from the VLAN subnet to any

        That is the way I use, but I was thinking of an easier solution, like the switch itself not permitting traffic between different VLANs, or like a wireless access point where you can disable peer-to-peer communication between clients.

        That is my idea, but I don't know if there is any other way to do it.

        Thanks.

        Perry, Nov 10, 2008, 10:11 AM

          What you want is to use a routing switch, and in my book it's probably one of the coolest things about pfSense that you don't need one.

          Before pfSense:
          Firewall -> Routing switch -> Vlan switch
          With pfSense:
          pfSense -> Vlan switch

          So it wouldn't be easier, because all the rules would have to be created on the routing switch, leaving pfSense to function as a plain cheap old firewall.

          I think you are maybe too focused on OPT NICs as VLANs and not as LAN2, LAN3, etc. (did that make sense :) ).

          Instead of creating an alias with subnets, I use CIDR in rules:
          Block Lan3 net to 192.168.0.0/16  Default block all local subnets

          Hope it somehow helps ;)

          /Perry
          doc.pfsense.org

          jamengual, Nov 10, 2008, 11:59 AM

            That really makes sense.

            I never thought about that.

            And… the CIDR rules are the way to go. I just realized that my per-VLAN subnet ranges all start with 192.168.x.x, and of course I need only one rule to solve it.

            I think that I was too deep inside the problem without looking at all the possibilities.

            Thanks a lot.

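Added example, not code from the thread or from the pfSense project: a small Python model of pfSense-style rule evaluation (rules bound to the ingress interface, first match wins, default deny) used to check the CIDR scheme Perry describes against a constructed set of 13 VLANs under 192.168.0.0/16. It also shows why a lone "pass to any" rule lets VLAN10 reach VLAN20 and why the block rule has to sit above it. Interface names and subnets are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

# Assumption (from the thread): every VLAN subnet sits under 192.168.0.0/16, so one
# CIDR destination covers all local subnets without a 13-entry alias.
LOCAL_SUBNETS = ipaddress.ip_network("192.168.0.0/16")

@dataclass
class Rule:
    iface: str                            # ingress interface the rule is bound to
    action: str                           # "block" or "pass"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None means "any"

def vlan_rules(iface, subnet, isolate=True):
    """isolate=True: block VLAN net -> local aggregate, then pass VLAN net -> any.
    isolate=False: the original lone 'pass to any' rule."""
    net = ipaddress.ip_network(subnet)
    rules = [Rule(iface, "block", net, LOCAL_SUBNETS)] if isolate else []
    rules.append(Rule(iface, "pass", net, None))
    return rules

def evaluate(rules, iface, src, dst):
    """pfSense semantics: rules match traffic entering an interface, the first
    match wins, and traffic matching no rule hits the default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        return r.action
    return "block"

def build_ruleset(vlans, isolate=True):
    """vlans maps interface name -> subnet string; returns the combined ruleset."""
    return [r for iface, net in vlans.items() for r in vlan_rules(iface, net, isolate)]

def leaking_pairs(rules, vlans):
    """(src_iface, dst_iface) pairs whose first hosts can still reach each other."""
    host = {i: str(next(ipaddress.ip_network(n).hosts())) for i, n in vlans.items()}
    return [(a, b) for a, b in permutations(vlans, 2)
            if evaluate(rules, a, host[a], host[b]) == "pass"]

# Constructed sample: 13 VLAN interfaces, subnets 192.168.10.0/24 .. 192.168.22.0/24.
VLANS = {f"vlan{i}": f"192.168.{i}.0/24" for i in range(10, 23)}
```

With only the pass rule, `leaking_pairs` reports every one of the 156 VLAN pairs; with the single 192.168.0.0/16 block rule above it, none leak while internet-bound traffic still passes.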
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.