Allow traffic between VLANs
-
Just looking for some guidance when setting up my firewall rules.
I have two physical interfaces, one LAN and one WAN.
On the LAN I have 5 OPT interfaces, each assigned to a VLAN.
Each LAN has its own subnet.
I want hosts on VLANs 3-5 to have access to any/all hosts on "VLAN 1" the LAN interface.
I want hosts on VLAN 3 to have access to any/all hosts on VLANs 4 and 5 (but not vice versa).
I want VLANs 2 and 6 to each have access to the internet, but not to each other, or any other VLANs.
Each OPT interface currently has the any to any rule to allow access to the internet.
I imagine that I need rules on LAN to allow VLANs 3-5 to access it, correct?
-
You place rules on the interface that the traffic enters, so if you want VLAN3 to access LAN, you need to put a rule on VLAN3.
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
@KOM said in Allow traffic between VLANs:
You place rules on the interface that the traffic enters, so if you want VLAN3 to access LAN, you need ot put a rule on VLAN3.
Ok.
-
@KOM said in Allow traffic between VLANs:
You place rules on the interface that the traffic enters, so if you want VLAN3 to access LAN, you need to put a rule on VLAN3.
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
So allowing traffic from VLAN3 to LAN would basically look like this?
Action: Pass
Interface: OPT2 (VLAN3)
TCP/IP Version: IPv4
Protocol: any
Source: OPT2 Net
Destination: LAN net
-
Pretty much. Try it and see for yourself how it behaves. Rules are evaluated top-down, first-match so the order of your rules is just as important as the rule itself.
-
I tried the above rule, but no luck. Tried it first on the OPT interface, then on the LAN interface, then on both. The order didn't make a difference.
-
Show me. Post a screenshot.
-
-
I'm not a VLAN expert, but I don't see a VLAN3 tab on your rules. Btw if you have 5 separate OPT interfaces, why are you using VLANs at all? Usually it's one or the other. You could have created all of your VLANs on LAN without needing any other interfaces.
On my 2.5.0 test box, I created a VLAN10 on LAN and then assigned & enabled it, and it appears on my rules list as a separate tab. Your allow Any rule shows 0 bytes of traffic, so nothing is talking to that interface.
-
@KOM said in Allow traffic between VLANs:
I'm not a VLAN expert, but I don't see a VLAN3 tab on your rules. Btw if you have 5 separate OPT interfaces, why are you using VLANs at all? Usually it's one or the other. You could have created all of your VLANs on LAN without needing any other interfaces.
On my 2.5.0 test box, I created a VLAN10 on LAN and then assigned & enabled it, and it appears on my rules list as a separate tab. Your allow Any rule shows 0 bytes of traffic, so nothing is talking to that interface.
I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly. When you assign a VLAN to an OPT interface, you don't see the VLAN in the rules list, you just see the interface. (Edit: Actually, I've never seen VLANs show up in the rules list regardless of how they're setup)
I'm using VLANs so that I can utilize tagging. Giving them each an interface means I have a larger address space to work with and can have a different DHCP scope for each VLAN.
-
I just tried removing the VLANs from their own interfaces, so they're all just tied to LAN. The VLANs don't show up in the firewall rules page, and I can't setup a rule specific to a VLAN this way.
-
I'm most likely doing something wrong, but there isn't a lot of other user action going on today so you're stuck with me
I created a VLAN10 on LAN, then assigned it as an interface. You're right in that it is originally labelled OPT1 but I renamed it to VLAN10 and enabled it. Now I have a VLAN10 tab in rules.
-
@KOM said in Allow traffic between VLANs:
I'm most likely doing something wrong, but there isn't a lot of other user action going on today so you're stuck with me
I created a VLAN10 on LAN, then assigned it as an interface. You're right in that it is originally labelled OPT1 but I renamed it to VLAN10 and enabled it. Now I have a VLAN10 tab in rules.
Right. The name doesn't actually matter. I have it named "Office". I just left it as OPT for simplicity in this test environment.
-
Updated screen shot setup closer to my production environment:
-
@kingrazor said in Allow traffic between VLANs:
I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly.
As you can see on your screenshots nothing is hitting your rules, even the wide open ones, so first make sure your virtualization software is actual capable of passing/handling tagged VLANs and RTFM how it needs to be configured for it.
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly.
As you can see on your screenshots nothing is hitting your rules, even the wide open ones, so first make sure your virtualization software is actual capable of passing/handling tagged VLANs and RTFM how it needs to be configured for it.
That's because there's nothing hooked up to that VLAN right this second. There was earlier when I was testing. I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.
-
Are you actually using VLAN tagging?
-
-
Can devices on your VLANs access the internet and their own gateway address?
-
@chpalmer said in Allow traffic between VLANs:
Can devices on your VLANs access the internet and their own gateway address?
Yes
-
@kingrazor said in Allow traffic between VLANs:
I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.
If they can reach the Internet with a wide open any rule, and if there is no additional blockind rule created by you it's likely not a pfSense issue. Probably a local firewall on the devices preventing access from devices outside their subnet. Capture traffic on both pfSense interfaces and see what exactly happens there.
-
Just a heads up.. Im in an establishment with a really bright background so please forgive me if I ask something that is obvious above.. :)
-
What subnets are you working with??
Nothing overlapping is there?
-
@chpalmer said in Allow traffic between VLANs:
What subnets are you working with??
Nothing overlapping is there?
VLAN 1 is 10.0.0.1
VLAN 2 is 10.0.2.1
VLAN 3 is 10.0.3.1and so on
-
@kingrazor said in Allow traffic between VLANs:
VLAN 1 is 10.0.0.1
VLAN 2 is 10.0.2.1
VLAN 3 is 10.0.3.1You're missing half the information there. Is it /8 /12 /24 whatever.
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.
If they can reach the Internet with a wide open any rule, and if there is no additional blockind rule created by you it's likely not a pfSense issue. Probably a local firewall on the devices preventing access from devices outside their subnet. Capture traffic on both pfSense interfaces and see what exactly happens there.
Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
VLAN 1 is 10.0.0.1
VLAN 2 is 10.0.2.1
VLAN 3 is 10.0.3.1You're missing half the information there. Is it /8 /12 /24 whatever.
VLAN 1 is 10.0.0.1/24
VLAN 2 is 10.0.2.1/24
VLAN 3 is 10.0.3.1/24and so on
-
@kingrazor said in Allow traffic between VLANs:
Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.
No it does not. Next time test with a serious OS.
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
Interesting, I'd assumed Windows firewall would treat pings the same regardless of subnet. I'll try turning off Windows Firewall and see if I get the same behavior.
No it does not. Next time test with a serious OS.
Oh brother. I'm not going to bother installing an OS that none of my clients will ever use.
-
Windows will treat any out of subnet address as public
unless told otherwise..And Im striking that last comment as Im not sure you can make it treat anything out of its own subnet as a private network.. Others will know better than I..
-
Yep, Windows firewall was the problem. Apparently even allowing ping on public network connections wasn't enough.
So now on each interface I have an allow any rule at the bottom and block/reject rules above that to restrict traffic across VLANs (except where we want it)
