VLAN Firewall Rules



  • Been looking to clean up my firewall rules and get rid of an "Allow All" rule at the bottom of every VLAN. I need to basically make sure I understand how they work before I start "cleaning house". So here is what I think I understand:

    Looking at my network diagram (linked below), if I need to have laptop "Tom" (10.0.20.10) on VLAN_20 be able to talk to "Home Assistant" (10.0.50.3) on VLAN_50 then I need to place a rule on VLAN_20 that states that:

    source: 10.0.20.10 (Tom's IP - static)
    port: *
    dest: *
    port: 8123 (Home Assistant port)
    

    I understand that rule to say that "Tom" can talk to anybody else on any other VLAN as long as the destination port is 8123. I DO NOT need a rule on VLAN_50 though because:

    1. Once traffic makes it through an interface, the firewall basically doesn't care where it goes (right)?
    2. pfSense is stateful, so traffic in response back to Tom from Home Assistant doesn't require an "allow" rule.

    Now if I put a rule on VLAN_50 to block traffic from Tom to Home Assistant, it would not work since the traffic was incoming on the VLAN_20 interface...right (due to point 1 above)?

    https://imgur.com/DcIDDLp



  • In your example rule, destination should be 10.0.50.3 if you're trying to keep things tight.

    1. Correct. Filtration is done at the point of entry to the interface. Once it passes that, it's allowed to go where it's destined.

    2. Correct.

    3. Correct.

    https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html

    Also note that existing states aren't affected by a rule change, so reset your states between rule changes via Diagnostics - States - Reset States. You can filter on just the states you're concerned with, or nuke them all.
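    As an added illustration (not code from this thread or from pfSense), here is a small Python model of the three behaviours discussed above: rules are evaluated only on the interface where a packet enters, first match wins with a default block, and an existing state passes reply traffic (and survives rule changes until states are reset). Packets, interface names and the tightened rule (destination 10.0.50.3, port 8123) are constructed for the example.

```python
# Toy model of pfSense-style ingress filtering (constructed example, not pfSense code).
# Rules apply only on the interface a packet ENTERS; first match wins; default block.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on (ingress)
    src: str
    dst: str
    dport: int
    sport: int = 50000  # constructed client source port

# Rules keyed by ingress interface: (action, src, dst, dport); "*" matches anything.
RULES = {
    # The tightened version of the poster's rule: Tom -> Home Assistant:8123 only.
    "VLAN_20": [("pass", "10.0.20.10", "10.0.50.3", 8123)],
    # A block rule on VLAN_50 aimed at Tom is never consulted for this flow,
    # because Tom's packets enter on VLAN_20, not VLAN_50.
    "VLAN_50": [("block", "10.0.20.10", "*", "*")],
}

def _match(value, pattern):
    return pattern == "*" or value == pattern

class Firewall:
    def __init__(self, rules):
        self.rules = {iface: list(rs) for iface, rs in rules.items()}
        self.states = set()  # (src, sport, dst, dport) of flows already passed

    def filter(self, pkt: Packet) -> str:
        # 1. Existing state in either direction? Pass without consulting rules,
        #    which is why reply traffic needs no rule on VLAN_50.
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "pass (state)"
        # 2. Otherwise evaluate only the rules of the ingress interface, first match wins.
        for action, src, dst, dport in self.rules.get(pkt.iface, []):
            if _match(pkt.src, src) and _match(pkt.dst, dst) and _match(pkt.dport, dport):
                if action == "pass":
                    self.states.add(fwd)  # create state so replies are passed
                return action
        return "block (default)"

    def reset_states(self):
        # Equivalent of Diagnostics - States - Reset States.
        self.states.clear()
```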

