[SOLVED] VLAN isolation issue



  • I want to start by apologizing because I think I'm missing something painfully obvious.  Ok, with that out of the way, here we go.

    I have a newly created Untrusted VLAN (302) which I would like to only allow access to the internet, i.e., no other (V)LANs, or intra-VLAN 302 traffic.  I have accomplished everything but the last one, as I am still able to ping/navigate to other hosts on VLAN 302 when I am on that VLAN (other LANs are correctly blocked).

    I am also running an always on OVPN client, in case that somehow comes into play.

    Since a picture is worth a thousand words, I have attached my VLAN 302 rules.

    Thanks in advance for any suggestions!

    ![Screen Shot 2017-12-16 at 7.30.51 PM.png](/public/imported_attachments/1/Screen Shot 2017-12-16 at 7.30.51 PM.png)
    ![Screen Shot 2017-12-16 at 7.26.49 PM.png](/public/imported_attachments/1/Screen Shot 2017-12-16 at 7.26.49 PM.png)




  • Netgate

    You have to filter same-interface/same-subnet traffic at layer 2 (APs, Switches).

    That traffic is not even sent to the firewall. They ARP for each other and communicate directly.

    If you unplugged pfSense they could still communicate.

    ![Screen Shot 2017-12-16 at 8.06.21 PM.png](/public/imported_attachments/1/Screen Shot 2017-12-16 at 8.06.21 PM.png)

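As an added illustration (not code from this thread or from pfSense), the model below shows why rules on the VLAN 302 interface only ever see routed traffic: a host sends a same-subnet packet straight to its peer's MAC after ARP, so a "block VLAN 302 to VLAN 302" rule never matches, while traffic addressed to the firewall itself or to other networks does hit the rule set. The addresses and the rule list are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the example (assumption, not from the thread).
VLAN302 = ipaddress.ip_network("10.30.2.0/24")   # the "Untrusted" VLAN 302
LAN = ipaddress.ip_network("10.10.0.0/24")       # another internal LAN
GATEWAY = ipaddress.ip_address("10.30.2.1")      # pfSense interface on VLAN 302

# Simplified first-match rule set on VLAN 302, modelled on the poster's goal:
# block other LANs, attempt to block intra-VLAN traffic, allow everything else.
RULES = [
    ("block", LAN),
    ("block", VLAN302),   # never matches host-to-host traffic (see below)
    ("pass", ipaddress.ip_network("0.0.0.0/0")),
]


def forwarding_path(src, dst, subnet=VLAN302, gateway=GATEWAY):
    """How a host on `subnet` delivers a packet to `dst`.

    Same-subnet destinations are resolved with ARP and the switch delivers the
    frame directly; only packets for the gateway's own address, or for other
    networks (sent to the gateway MAC), ever arrive at pfSense.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in subnet:
        raise ValueError("src is not on the modelled VLAN")
    if dst == gateway:
        return "to-firewall-itself"
    return "layer2-direct" if dst in subnet else "routed-via-gateway"


def firewall_verdict(src, dst, rules=RULES):
    """Verdict of the VLAN 302 rule set; L2-switched traffic is never inspected."""
    if forwarding_path(src, dst) == "layer2-direct":
        return "not-inspected"
    dst = ipaddress.ip_address(dst)
    for action, net in rules:   # first match wins, as in pfSense
        if dst in net:
            return action
    return "block"              # implicit default deny


if __name__ == "__main__":
    for dst in ("10.30.2.50", "10.30.2.1", "10.10.0.5", "203.0.113.10"):
        print(dst, forwarding_path("10.30.2.20", dst), firewall_verdict("10.30.2.20", dst))
```

The host-to-host case is the one that needs client isolation or port isolation on the AP or switch, since no interface rule on the firewall is ever consulted for it.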


  • Welp, that would be the super simple thing that I was missing.  :)  Thanks for the pointer, folks!