Netgate Discussion Forum
Can I make VLAN interfaces not to listen to SSH and HTTPS

    ChrisT
    last edited by Sep 20, 2019, 9:12 AM

    Hi all, maybe my question is stupid, but I'll make it because I feel stuck. I have a pfsense with several internal VLANs. Each of these VLANs has of course a VLAN interface. One of these VLANs is the IT VLAN, which has access to everywhere (in the fw rules I have an allow IT VLAN to any for this VLAN).

    From my computer which belongs to IT VLAN, if I try to access the IP address of all of the VLAN interfaces, I see that I can access all of them. But I only want to be able to access my fw from a specific VLAN interface (VLAN 100 - with IP address 10.55.100.1). Do I do this by setting deny rules for these VLAN interfaces, or is there any option to make VLAN interfaces stop listening to HTTPS and SSH?

    Thanks in advance!

      kiokoman LAYER 8
      last edited by kiokoman Sep 20, 2019, 9:53 AM

      Disable webConfigurator anti-lockout rule
      set deny rules for VLAN interfaces to the firewall ip with destination port https / ssh
      be careful not to shut yourself out completely

        jimp Rebel Alliance Developer Netgate
        last edited by Sep 20, 2019, 1:00 PM

        While you can't yet change which interfaces the GUI and SSH listen on, you could set up some floating rules to make this easier, something like:

        • Pass quick TCP from <your management subnets> to This firewall (self) ports <alias with 443, 22, etc>
        • Reject quick TCP from any to This firewall (self) ports <alias with 443, 22, etc>

        The "This firewall (self)" target expands internally in pf to any address on the firewall.

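To make the behaviour of the two floating rules above concrete, here is a small first-match evaluator, added as an illustration and not code from pfSense or from any poster. It models pf's "quick" semantics, expands "This firewall (self)" to every address the firewall owns, and includes a lockout check that confirms the management subnet (VLAN 100, 10.55.100.0/24, from the question) can still reach every firewall address on 22 and 443 while other VLANs are rejected. The interface addresses other than 10.55.100.1 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the addresses "This firewall (self)" expands to.
# Only 10.55.100.1 comes from the question; the others are made up.
FIREWALL_SELF = [
    ipaddress.ip_address("10.55.100.1"),  # VLAN 100, management
    ipaddress.ip_address("10.55.10.1"),   # IT VLAN (constructed)
    ipaddress.ip_address("10.55.20.1"),   # another VLAN (constructed)
    ipaddress.ip_address("203.0.113.2"),  # WAN (documentation range)
]
MGMT_NETS = [ipaddress.ip_network("10.55.100.0/24")]
MGMT_PORTS = {22, 443}  # the "alias with 443, 22, etc"


@dataclass
class Rule:
    action: str                       # "pass" or "reject"
    src: Optional[List[ipaddress.IPv4Network]]  # None means "any"
    dst_self: bool                    # destination is "This firewall (self)"
    ports: Set[int]
    quick: bool = True


def matches(rule: Rule, src_ip, dst_ip, dport: int) -> bool:
    """True if the packet matches the rule's source, destination and port."""
    if rule.src is not None and not any(src_ip in n for n in rule.src):
        return False
    if rule.dst_self and dst_ip not in FIREWALL_SELF:
        return False
    return dport in rule.ports


# The two floating rules from the answer, in the order they must appear.
FLOATING_RULES = [
    Rule("pass", MGMT_NETS, True, MGMT_PORTS),
    Rule("reject", None, True, MGMT_PORTS),
]


def evaluate(src: str, dst: str, dport: int, rules=FLOATING_RULES) -> str:
    """Walk the rules in order: a quick rule stops evaluation on first match,
    a non-quick rule only records the decision and keeps going (pf semantics).
    Returns the action, or "fallthrough" when no floating rule matched and
    the per-interface rules would decide instead."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    decision = "fallthrough"
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            decision = rule.action
            if rule.quick:
                return decision
    return decision


def lockout_check(rules, mgmt_host: str = "10.55.100.50") -> list:
    """Return every (firewall address, port) pair that a management host
    could NOT reach under `rules`. An empty list means no lockout."""
    blocked = []
    for addr in FIREWALL_SELF:
        for port in sorted(MGMT_PORTS):
            if evaluate(mgmt_host, str(addr), port, rules) != "pass":
                blocked.append((str(addr), port))
    return blocked


if __name__ == "__main__":
    # Management host reaches the GUI on any VLAN address; IT VLAN is rejected.
    print(evaluate("10.55.100.50", "10.55.10.1", 443))   # pass
    print(evaluate("10.55.10.50", "10.55.10.1", 443))    # reject
    # Non-management ports are untouched and fall through to interface rules.
    print(evaluate("10.55.10.50", "10.55.10.1", 53))     # fallthrough
    print("lockout risks:", lockout_check(FLOATING_RULES))
    # Swapping the two rules puts the quick reject first and locks everyone out.
    print("reversed:", lockout_check(list(reversed(FLOATING_RULES))))
```

The reversed-order check is the point of the "be careful not to shut yourself out" warning: because both rules are quick, the reject must come after the pass, and running a check like `lockout_check` against the intended rule set before applying it is a cheap way to catch that mistake.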