Allow traffic between VLANs
-
Just looking for some guidance when setting up my firewall rules.
I have two physical interfaces, one LAN and one WAN.
On the LAN I have 5 OPT interfaces, each assigned to a VLAN.
Each LAN has its own subnet.
I want hosts on VLANs 3-5 to have access to any/all hosts on "VLAN 1" the LAN interface.
I want hosts on VLAN 3 to have access to any/all hosts on VLANs 4 and 5 (but not vice versa).
I want VLANs 2 and 6 to each have access to the internet, but not to each other, or any other VLANs.
Each OPT interface currently has the any to any rule to allow access to the internet.
I imagine that I need rules on LAN to allow VLANs 3-5 to access it, correct?
-
You place rules on the interface that the traffic enters, so if you want VLAN3 to access LAN, you need to put a rule on VLAN3.
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
@KOM said in Allow traffic between VLANs:
You place rules on the interface that the traffic enters, so if you want VLAN3 to access LAN, you need ot put a rule on VLAN3.
Ok.
-
@KOM said in Allow traffic between VLANs:
You place rules on the interface that the traffic enters, so if you want VLAN3 to access LAN, you need to put a rule on VLAN3.
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
So allowing traffic from VLAN3 to LAN would basically look like this?
Action: Pass
Interface: OPT2 (VLAN3)
TCP/IP Version: IPv4
Protocol: any
Source: OPT2 Net
Destination: LAN net -
Pretty much. Try it and see for yourself how it behaves. Rules are evaluated top-down, first-match so the order of your rules is just as important as the rule itself.
-
I tried the above rule, but no luck. Tried it first on the OPT interface, then on the LAN interface, then on both. The order didn't make a difference.
-
Show me. Post a screenshot.
-
-
I'm not a VLAN expert, but I don't see a VLAN3 tab on your rules. Btw if you have 5 separate OPT interfaces, why are you using VLANs at all? Usually it's one or the other. You could have created all of your VLANs on LAN without needing any other interfaces.
On my 2.5.0 test box, I created a VLAN10 on LAN and then assigned & enabled it, and it appears on my rules list as a separate tab. Your allow Any rule shows 0 bytes of traffic, so nothing is talking to that interface.
-
@KOM said in Allow traffic between VLANs:
I'm not a VLAN expert, but I don't see a VLAN3 tab on your rules. Btw if you have 5 separate OPT interfaces, why are you using VLANs at all? Usually it's one or the other. You could have created all of your VLANs on LAN without needing any other interfaces.
On my 2.5.0 test box, I created a VLAN10 on LAN and then assigned & enabled it, and it appears on my rules list as a separate tab. Your allow Any rule shows 0 bytes of traffic, so nothing is talking to that interface.
I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly. When you assign a VLAN to an OPT interface, you don't see the VLAN in the rules list, you just see the interface. (Edit: Actually, I've never seen VLANs show up in the rules list regardless of how they're setup)
I'm using VLANs so that I can utilize tagging. Giving them each an interface means I have a larger address space to work with and can have a different DHCP scope for each VLAN.
-
I just tried removing the VLANs from their own interfaces, so they're all just tied to LAN. The VLANs don't show up in the firewall rules page, and I can't setup a rule specific to a VLAN this way.
-
I'm most likely doing something wrong, but there isn't a lot of other user action going on today so you're stuck with me
I created a VLAN10 on LAN, then assigned it as an interface. You're right in that it is originally labelled OPT1 but I renamed it to VLAN10 and enabled it. Now I have a VLAN10 tab in rules.
-
@KOM said in Allow traffic between VLANs:
I'm most likely doing something wrong, but there isn't a lot of other user action going on today so you're stuck with me
I created a VLAN10 on LAN, then assigned it as an interface. You're right in that it is originally labelled OPT1 but I renamed it to VLAN10 and enabled it. Now I have a VLAN10 tab in rules.
Right. The name doesn't actually matter. I have it named "Office". I just left it as OPT for simplicity in this test environment.
-
Updated screen shot setup closer to my production environment:
-
@kingrazor said in Allow traffic between VLANs:
I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly.
As you can see on your screenshots nothing is hitting your rules, even the wide open ones, so first make sure your virtualization software is actual capable of passing/handling tagged VLANs and RTFM how it needs to be configured for it.
-
@Grimson said in Allow traffic between VLANs:
@kingrazor said in Allow traffic between VLANs:
I recreated the environment virtually locally so I could do some debugging, hence why the screen shot doesn't match exactly.
As you can see on your screenshots nothing is hitting your rules, even the wide open ones, so first make sure your virtualization software is actual capable of passing/handling tagged VLANs and RTFM how it needs to be configured for it.
That's because there's nothing hooked up to that VLAN right this second. There was earlier when I was testing. I know that the VLANs are working because I'm able to connect to the internet from hosts that I assign to that VLAN.
-
Are you actually using VLAN tagging?
-
-
Can devices on your VLANs access the internet and their own gateway address?
-
@chpalmer said in Allow traffic between VLANs:
Can devices on your VLANs access the internet and their own gateway address?
Yes
