VLAN Firewall Rules
-
Been looking to clean up my firewall rules and getting rid of an "Allow All" rule at the bottom of every VLAN. I need to basically make sure I understand how they work before I start "cleaning house". So here is what I think I understand:
Looking at my network diagram (linked below), if I need to have laptop "Tom" (10.0.20.10) on VLAN_20 be able to talk to "Home Assistant" (10.0.50.3) on VLAN_50 then I need to place a rule on VLAN_20 that states that:
source: 10.0.20.10 (Tom's IP - static) port: * dest: * port: 8123 (Home Assistant port)
I understand that rule to say that "Tom" can talk to anybody else on any other VLAN as long as the destination port is 8123. I DO NOT need a rule on VLAN_50 though because:
- Once traffic makes it through an interface, the firewall basically doesn't care where it goes (right)?
- pfSense is stateful so traffic in response back to Tom from Home Assistant doesn't require an "allow" rule.
Now if I put a rule on VLAN_50 to block traffic from Tom to Home Assistant, it would not work since the traffic was incoming on the VLAN_20 interface...right (due to point 1 above)?
-
In your example rule, destination should be 10.0.50.3 if you're trying to keep things tight.
-
Correct. Filtration is done at the point of entry to the interface. Once it passes that, it's allowed to go where it's destined.
-
Correct.
-
Correct.
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
Also note that existing states aren't affected by a rule change, so reset your states between rule changes via Diagnostics - States - Reset States. You can filter on just the states you're concerned with, or nuke them all.
-
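To make the three points in the replies concrete, here is a small simulation written for this thread; it is not pfSense or pf code, just a simplified model of the behaviour described above: rules are evaluated only on the interface where a packet enters, first match wins, there is an implicit default deny, an existing state passes traffic in both directions before any rule is consulted, and a rule change does not touch existing states until they are reset. Addresses, VLAN names and port 8123 are taken from the question; the ephemeral source ports and the second host 10.0.30.5 are constructed for the example, and state tracking is deliberately simplified (no interface binding, no TCP flags).

```python
"""Toy model of pfSense-style per-interface, stateful filtering (added example, not pfSense code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ingress_iface: str   # interface the packet arrives on; this is where rules apply
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str = "*"              # "*" means any
    dst: str = "*"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.src == "*" or self.src == pkt.src)
                and (self.dst == "*" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    def __init__(self, rules_by_iface: Dict[str, List[Rule]]):
        self.rules = rules_by_iface
        # state key: (proto, src, sport, dst, dport) of the packet that created it
        self.states: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        # 1. An existing state matches in either direction, before any rule is read.
        if self._key(pkt) in self.states or self._reverse_key(pkt) in self.states:
            return "pass (state)"
        # 2. Otherwise only the ingress interface's rules are evaluated, first match wins.
        for rule in self.rules.get(pkt.ingress_iface, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(self._key(pkt))   # pass rules create state
                    return "pass (rule)"
                return "block (rule)"
        # 3. No match: implicit default deny.
        return "block (default)"

    def reset_states(self) -> None:
        """Equivalent of Diagnostics - States - Reset States."""
        self.states.clear()


def run_scenario() -> Dict[str, str]:
    """Walks through the thread's questions and returns the verdict for each packet."""
    tom, ha, other = "10.0.20.10", "10.0.50.3", "10.0.30.5"   # 10.0.30.5 is constructed
    loose = Rule("pass", src=tom, dst="*", dport=8123)   # rule as written in the question
    tight = Rule("pass", src=tom, dst=ha, dport=8123)    # rule as suggested in the first reply
    fw = Firewall({"VLAN_20": [loose],
                   "VLAN_50": [Rule("block", src=tom, dst=ha)]})  # block rule on the far side
    r = {}
    # Tom opens a connection to Home Assistant; it enters on VLAN_20, so the VLAN_50 block never sees it.
    r["tom_to_ha"] = fw.filter(Packet("VLAN_20", tom, 51000, ha, 8123))
    # The reply enters on VLAN_50, which has no pass rule; the state created above covers it.
    r["ha_reply"] = fw.filter(Packet("VLAN_50", ha, 8123, tom, 51000))
    # A brand-new connection from Home Assistant to Tom has no state and no pass rule on VLAN_50.
    r["ha_new_conn_to_tom"] = fw.filter(Packet("VLAN_50", ha, 40000, tom, 22))
    # With destination "*", Tom can reach port 8123 on any other VLAN too.
    r["loose_other_vlan"] = fw.filter(Packet("VLAN_20", tom, 51001, other, 8123))
    # The admin tightens the rule; flows that already have state keep passing.
    fw.rules["VLAN_20"] = [tight]
    r["after_change_existing_other_vlan"] = fw.filter(Packet("VLAN_20", tom, 51001, other, 8123))
    # Only after resetting states does the tightened rule take effect for that flow.
    fw.reset_states()
    r["after_reset_other_vlan"] = fw.filter(Packet("VLAN_20", tom, 51001, other, 8123))
    r["after_reset_ha"] = fw.filter(Packet("VLAN_20", tom, 51002, ha, 8123))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:36s} {verdict}")
```

Running it shows the forward packet passing on VLAN_20 regardless of the block rule on VLAN_50, the reply passing by state with no VLAN_50 pass rule, the wide-open destination letting Tom reach port 8123 on a third VLAN, and the already-established flow surviving the rule change until the states are reset.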