Help understanding filtering vlan traffic, and best practices



  • Hello,
    I was reintroducing pfBlocker into my network and noticed that with VLANs it blocks all traffic regardless of which virtual interface I select. I use NAT: Port Forward to redirect each VLAN's traffic to the virtual interface's IP address to force users to use pfSense's local DNS resolver. My firewall rules are set up in such a way that traffic from each interface should not leak into the other. An example would be if I tried to SSH from vlan1 to vlan2, vlan2 would block the traffic out. Is anyone else filtering DNS VLAN traffic, and what is the best practice? I have a network switch that connects to the single Ethernet port on the pfSense box.
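    For readers who want to see what the "redirect DNS to the interface IP" port forward described above amounts to, here is an added illustration in pf syntax. It is not copied from the thread and is not the exact rule text pfSense generates; the parent NIC (igb0), VLAN tags (10 for vlan1, 20 for vlan2) and subnets (192.168.10.0/24, 192.168.20.0/24) are constructed for the example.

```conf
# Added example, not from the original post or from pfSense itself.
# Constructed layout: one physical NIC igb0 carrying VLAN 10 (vlan1,
# gateway 192.168.10.1) and VLAN 20 (vlan2, gateway 192.168.20.1).
#
# "to ! (igb0.10)" excludes the interface's own address, so queries that
# are already aimed at the local resolver are not redirected a second time.
# Everything else on port 53 leaving a VLAN is pulled back to that VLAN's
# pfSense address, where Unbound (and therefore DNSBL) answers it.
rdr pass on igb0.10 proto { tcp, udp } from 192.168.10.0/24 to ! (igb0.10) port 53 -> 192.168.10.1 port 53
rdr pass on igb0.20 proto { tcp, udp } from 192.168.20.0/24 to ! (igb0.20) port 53 -> 192.168.20.1 port 53

# A port 53 redirect does not catch DNS over TLS (tcp/853). Block it so
# clients cannot quietly step around the local resolver. DNS over HTTPS
# (tcp/443) cannot be caught this way at all; that is a limitation of the
# approach, not of this rule set.
block return in quick on { igb0.10, igb0.20 } proto tcp from any to any port 853
```

    Two checks are worth doing after saving the port forward in the GUI: on the pfSense shell, `pfctl -sn` lists the NAT rules actually loaded, so you can confirm a `rdr` line appears for each VLAN interface; from a host on vlan2, `dig @8.8.8.8 example.com` should still return an answer even though 8.8.8.8 is not reachable directly, because the query was redirected to 192.168.20.1.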


  • Netgate

    A VLAN interface is just like any other interface as far as pfSense and the packages are concerned.



  • When I enable pfBlocker the listening interface is set to vlan1 and the outbound interface is set to vlan2. Traffic on vlan2 is being blocked by pfBlocker. I do not have any floating rules. I am trying to figure out why vlan2 traffic is being filtered.


  • Moderator

    @mich04 said in Help understanding filtering vlan traffic, and best practices:

    When I enable pfblocker the listening interface is set to vlan1 and the outbound interface is set to vlan2

    I think you may be mixing up IP and DNSBL.

    IP works on Firewall Rules, and DNSBL works on DNS.

    You can configure the IP rules to specific interfaces, but for DNSBL you have to use a different DNS Server for vlans that you don't want filtered via DNSBL.

    Alternatively, you can use the Unbound Views option, but that will require some manual intervention:
    https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips
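
    The Unbound views approach mentioned above, written out as an added example (this is not from the linked topic, the moderator, or the pfBlockerNG project). It assumes DNSBL is running in Unbound mode, where pfBlockerNG injects its block entries as global `local-zone`/`local-data` lines into the `server:` section, and that vlan2 is 192.168.20.0/24 plus one extra host 192.168.10.50 on vlan1 should also be exempt; both addresses are constructed for the example. The text goes into Services > DNS Resolver > General Settings > Custom options.

```conf
# Added example, not pfBlockerNG's own configuration. Constructed addresses:
# vlan2 = 192.168.20.0/24, and a single vlan1 host 192.168.10.50.
server:
  # Map client source addresses to a named view; the most specific
  # prefix wins when several entries overlap.
  access-control-view: 192.168.20.0/24 nodnsbl
  access-control-view: 192.168.10.50/32 nodnsbl

view:
  name: "nodnsbl"
  # view-first: no (the Unbound default, stated here for clarity) means
  # only this view's own local-zone/local-data tree is consulted. The
  # tree is empty, so the global DNSBL entries pfBlockerNG placed in the
  # server: section are never matched for these clients and the query is
  # resolved normally. Every other client still hits the global tree.
  view-first: no
```

    Two caveats. First, this works because DNSBL in Unbound mode is just local data in the global tree; if DNSBL runs in python mode, the Python module answers the query before the local-zone tree is consulted, so a view does not bypass it and the exemption has to be configured in pfBlockerNG itself. Second, `view-first: no` also hides any other global `local-zone`/`local-data` you rely on (host overrides, for example) from the exempt clients, so re-declare those inside the view if they are needed. Verify with `unbound-checkconf` on the pfSense shell, then from an exempt host run `dig +short @192.168.20.1 <a domain you know is on a DNSBL feed>`: you should get the real address rather than the DNSBL virtual IP (10.10.10.1 by default), while the same query from a non-exempt VLAN still returns the VIP.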



  • Got ya, so even if you change the listening interface under the DNSBL tab from LAN to one of the VLANs, it doesn't matter, because as long as pfSense is resolving all DNS queries they will be filtered. Thanks for the info.