Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Access for one host to VLAN

    Scheduled Pinned Locked Moved L2/Switching/VLANs
    6 Posts 2 Posters 653 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JohanÅ
      last edited by

      Hi all!

      I have multiple different VLANs. They are making my life easier, one of the reasons is IoT and the little peace of mind that with PFSense I can isolate the devices that might have more vulnerabilities to their own VLAN.

      But now I have a bit o dilemma that I need your help with. Simply put the idea is that I have one host on my IoT VLAN that would need an access to so called management VLAN. And only this one host with static IP and only towards one host with static IP. So here is in a "network chart" what I want to do:

      host A (IoT) 192.168.1.101<---> host B 192.168.2.101 (Management)

      But how I can allow this host A to access a host B in another VLAN? Host A just polls some data from Host B so I think it might need to be opened to both directions for these hosts so the Host B can sent the requested data. Both of these VLANs have access to WAN if that makes any difference.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        You need a pass rule on Host A's interface to allow it to access Host B. The reply traffic from Host B will be passed automatically.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • J
          JohanÅ
          last edited by

          So I create a FW rule to "IoT" interface where souce is 192.168.1.101 and destination is 192.168.2.101 and allow?

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Probably. Depends on what rules are already there.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • J
              JohanÅ
              last edited by

              I did create that rule on IoT VLAN interface but at least ping did not work.

              The rules that I have are
              ALLOW - source IoT network - destination IoT network
              ALLOW - source host A 192.168.1.101 - destination host B 192.168.2.101
              DENY source any - destination all_local_subnets
              ALLOW source any - destination any

              Should the rules be like that?

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                Please post your rule set not a summary of what you think is there. You left out a lot of key information.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.