Can I make VLAN interfaces not listen on SSH and HTTPS?



  • Hi all, maybe my question is stupid, but I'll ask it because I feel stuck. I have a pfSense with several internal VLANs. Each of these VLANs of course has a VLAN interface. One of these VLANs is the IT VLAN, which has access to everywhere (in the fw rules I have an "allow IT VLAN to any" rule for this VLAN).

    From my computer, which belongs to the IT VLAN, if I try to access the IP address of each of the VLAN interfaces, I see that I can access all of them. But I only want to be able to access my fw from one specific VLAN interface (VLAN 100, with IP address 10.55.100.1). Do I do this by setting deny rules for these VLAN interfaces, or is there any option to make the VLAN interfaces stop listening on HTTPS and SSH?

    Thanks in advance!


  • LAYER 8

    Disable the webConfigurator anti-lockout rule.
    Set deny rules on the VLAN interfaces to the firewall IP with destination port HTTPS / SSH.
    Be careful not to lock yourself out completely.


  • Rebel Alliance Developer Netgate

    While you can't yet change which interfaces the GUI and SSH listen on, you could set up some floating rules to make this easier, something like:

    • Pass quick TCP from <your management subnets> to This firewall (self) ports <alias with 443, 22, etc>
    • Reject quick TCP from any to This firewall (self) ports <alias with 443, 22, etc>

    The "This firewall (self)" target expands internally in pf to any address on the firewall.
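    As an added illustration (not from the thread, and not pfSense's generated ruleset), this is roughly what the two floating rules above come out to in pf syntax, using the original poster's management subnet 10.55.100.0/24. The table name mgmt_nets and the macro mgmt_ports are assumed names chosen for the example; pfSense generates its own labels. The order matters: both rules are "quick", so pf stops at the first match, and the pass rule for the management subnet has to sit above the reject rule for everyone else, or the management subnet is locked out too.

```conf
# Added example, not the ruleset pfSense itself writes to /tmp/rules.debug.
# Assumed names: table <mgmt_nets> and macro $mgmt_ports.

# Hosts allowed to reach the firewall's own GUI and SSH.
table <mgmt_nets> { 10.55.100.0/24 }
# Management ports; extend if the GUI is on a non-default port.
mgmt_ports = "{ 22, 443 }"

# Floating, "quick": first match wins, so the pass rule must come first.
# (self) is every address configured on the firewall, on any VLAN.
pass in quick proto tcp from <mgmt_nets> to (self) port $mgmt_ports keep state
# Everything else gets an RST rather than a silent drop ("Reject" in the GUI).
block return in quick proto tcp from any to (self) port $mgmt_ports
```

    After applying, `pfctl -sr` on the firewall lists the loaded rules, so you can confirm the pass rule is listed before the block rule; and test from a host in the IT VLAN that the management VLAN address (10.55.100.1) still accepts 443/22 while the other VLAN addresses now reset the connection. The anti-lockout rule that the earlier reply mentions is a separate, automatically generated pass rule on the LAN interface for the GUI and SSH ports, so if LAN is not the management VLAN it also needs to be disabled or the LAN will keep its access.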

