Netgate Discussion Forum

    VLAN Firewall Rules

    Firewalling
    atxcoder

      Been looking to clean up my firewall rules and get rid of an "Allow All" rule at the bottom of every VLAN. I need to basically make sure I understand how they work before I start "cleaning house". So here is what I think I understand:

      Looking at my network diagram (linked below), if I need to have laptop "Tom" (10.0.20.10) on VLAN_20 be able to talk to "Home Assistant" (10.0.50.3) on VLAN_50, then I need to place a rule on VLAN_20 that states:

      source: 10.0.20.10 (Tom's IP - static)
      port: *
      dest: *
      port: 8123 (Home Assistant port)
      

      I understand that rule to say that "Tom" can talk to anybody else on any other VLAN as long as the destination port is 8123. I DO NOT need a rule on VLAN_50 though because:

      1. Once traffic makes it through an interface, the firewall basically doesn't care where it goes (right)?
      2. pfSense is stateful, so traffic in response back to Tom from Home Assistant doesn't require an "allow" rule.

      Now if I put a rule on VLAN_50 to block traffic from Tom to Home Assistant, it would not work since the traffic was incoming on the VLAN_20 interface...right (due to point 1 above)?

      https://imgur.com/DcIDDLp

      KOM

        In your example rule, destination should be 10.0.50.3 if you're trying to keep things tight.

        1. Correct. Filtration is done at the point of entry to the interface. Once it passes that, it's allowed to go where it's destined.

        2. Correct.

        3. Correct.

        https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html

        Also note that existing states aren't affected by a rule change, so reset your states between rule changes via Diagnostics - States - Reset States. You can filter on just the states you're concerned with, or nuke them all.

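To make the two points KOM confirms concrete, here is a small Python model, added for illustration and not pfSense's own code or anything posted in this thread: rules are evaluated only on the interface a packet enters, first match wins, and a pass rule creates a state that admits the reply with no rule on the other VLAN. The addresses, port and interface names are the ones from the question; the `Rule`/`Firewall` classes and `run_scenario` are assumptions of the model, not pfSense APIs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source IP, or "*" for any
    dst: str               # destination IP, or "*" for any
    dport: Optional[int]   # destination port, or None for "*"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.dport in (None, dport))

@dataclass
class Firewall:
    rules: Dict[str, List[Rule]]                        # interface -> inbound rules
    states: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def filter(self, iface: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Decide one TCP packet that ENTERS the firewall on `iface`."""
        # An existing state (either direction) wins before any rule is read.
        if (src, sport, dst, dport) in self.states or (dst, dport, src, sport) in self.states:
            return "pass (state)"
        # No state: only the ingress interface's rules are consulted, first match wins.
        for rule in self.rules.get(iface, []):
            if rule.matches(src, dst, dport):
                if rule.action == "pass":
                    self.states.add((src, sport, dst, dport))
                return rule.action
        return "block (default deny)"

TOM, HA = "10.0.20.10", "10.0.50.3"   # constructed from the question's diagram

def build() -> Firewall:
    return Firewall(rules={
        "VLAN_20": [Rule("pass", TOM, HA, 8123)],   # tightened destination, as KOM suggests
        "VLAN_50": [Rule("block", TOM, HA, 8123)],  # the would-be block from the question
    })

def run_scenario() -> Dict[str, str]:
    fw = build()
    out = {}
    # Tom -> Home Assistant enters on VLAN_20; VLAN_50's block rule is never read.
    out["tom_to_ha"] = fw.filter("VLAN_20", TOM, 50000, HA, 8123)
    # The reply enters on VLAN_50, which has no pass rule; the state carries it.
    out["ha_reply"] = fw.filter("VLAN_50", HA, 8123, TOM, 50000)
    # Another VLAN_20 host matches no pass rule and falls to the default deny.
    out["other_host"] = fw.filter("VLAN_20", "10.0.20.11", 50001, HA, 8123)
    # Unsolicited traffic from Home Assistant to Tom (no state) is also denied.
    out["ha_unsolicited"] = build().filter("VLAN_50", HA, 8123, TOM, 50002)
    return out
```

The last case is the defender's reason to prefer the tightened rule: the state only admits the reply to a connection Tom opened, not anything Home Assistant sends on its own.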
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.