Simplified method of preventing inter-VLAN communication


  • I'm setting up a site with several VLANs. I want the management VLAN to be able to communicate with the other VLANs but I don't want the other VLANs to be able to inter-communicate. Instead of setting up a specific rule I thought I would just set up a firewall rule on each VLAN that blocks all traffic from the VLAN subnet to an alias called "RFC 1918". That alias includes local network IP ranges. This works well, except devices are unable to connect to the firewall to resolve DNS. That makes sense, but begs the question: how do I create specific exclusions? When I tried to create a rule to allow the VLAN subnet to reach the IP of the firewall it was still being blocked. Right now I have:
    Block VLAN Net to "RFC 1918"
    Allow VLAN Net to Gateway IP
    Allow VLAN Net to All

    Since that doesn't work, I'm thinking maybe the first and second rules need to be switched. If that's the answer, how do I do it with pfBlocker since it will just place both "Allow" rules before the "Block" rule. What part of the process am I missing?


  • @Stewart

    First make a rule to pass what you want, then the block all rule.


  • @Stewart said in Simplified method of preventing inter-VLAN communication:
    Right now I have:

    Block VLAN Net to "RFC 1918"
    Allow VLAN Net to Gateway IP
    Allow VLAN Net to All

    pfSense does "first match" from top.

    So everything (to RFC1918) will match your block rfc1918, and "die there"

    As jknott wrote:

    Do the RFC1918 allows first, then block all other RFC1918.

    Allow VLAN Net to Gateway IP
    Block VLAN Net to "RFC 1918"
    Allow VLAN Net to All

    Edit: I have no idea about pfBlocker messing with the rules - don't use it
    /Bingo

  • LAYER 8 Moderator

    @bingo600 said in Simplified method of preventing inter-VLAN communication:

    Edit: I have no idea about pfBlocker messing with the rules - don't use it

    Hint: it doesn't. It only adds rules about lists it manages and only if you say so.

    So as I don't see anything in those rules about a list from pfbng it has nothing to do with it. If you wanna add pfb rules later or by yourself, don't tell it to "automatically" add rules to interfaces but to create aliases for those lists and create the rules yourself.

  • LAYER 8 Netgate

    For something like passing access from several interfaces to a specific DNS server you can use an interface group.

    Make an interface group containing all of the inside interfaces.

    Create a rule on the interface group that passes TCP/UDP on port 53 to the specific DNS server address or, perhaps, This Firewall (self).


  • I wanted to follow up with how I ultimately got my rules working for when someone stumbles on this in the future.

    1. pfBlocker is set to default rule order
    2. Allow IPv4+6 ICMP from VLAN net to VLAN address on any port = Allow Ping on the Interface
    3. Allow IPv4+6 TCP/UDP from VLAN net to VLAN address on port 53 = Allow DNS resolution on interface
    4. Block IPv4+6 * from VLAN net to RFC1918 alias on any port = Block Access to other (V)LAN Networks
    5. Allow IPv4+6 * from VLAN net to any on any port = Allow everything else on interface

    This appears to do exactly what I want so I wanted to share what I've got for anyone else to use in the future if it helps.

  • LAYER 8 Netgate

    @stewart You might want to change Block to Reject so connections get rejected instead of just hanging until they time out so users get immediate feedback. That is usually preferable to block for connections originating from the inside.

    You might also consider adding a Reject rule near the RFC1918 rule to destination This firewall (self).

    You are also passing IPv6 but are not blocking anything. You might want to do the same with ULA (fc00::/7) and whatever your local IPv6 addresses are whether GUA or RFC4193 or both or whatever.


  • @derelict said in Simplified method of preventing inter-VLAN communication:

    @stewart You might want to change Block to Reject so connections get rejected instead of just hanging until they time out so users get immediate feedback. That is usually preferable to block for connections originating from the inside.

    Yes, I can see how that would be useful. Thanks.

    You might also consider adding a Reject rule near the RFC1918 rule to destination This firewall (self).

    Why do you think I would need that? With the rules as they are they are unable to get to the GUI or establish an SSH connection. Since the IP of the firewall exists inside of the RFC1918 space it gets blocked. Is there something I'm not seeing?

    You are also passing IPv6 but are not blocking anything. You might want to do the same with ULA (fc00::/7) and whatever your local IPv6 addresses are whether GUA or RFC4193 or both or whatever.

    TBH I don't have much experience with IPv6 and normally have it off. I'm just starting to add it in to see how things behave. I'll look into these, thanks.

  • LAYER 8 Netgate

    @stewart said in Simplified method of preventing inter-VLAN communication:

    Why do you think I would need that? With the rules as they are they are unable to get to the GUI or establish an SSH connection. Since the IP of the firewall exists inside of the RFC1918 space it gets blocked. Is there something I'm not seeing?

    Try connecting to the webgui using your WAN address.


  • @derelict It just times out.

    Edit: Oh, I see. From inside that VLAN. Yes, it opens up. So that rule stops them from connecting to the WAN from the VLAN. I never thought of that. Thanks for that tip! I've put it in and it's working now. And by working, I mean it doesn't connect. :)
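As an added illustration (not code from the thread or from pfSense), here is a small Python model of pfSense's first-match rule evaluation run over the original ordering and over the final rule set from above, including the "This Firewall (self)" reject that Derelict suggested. The VLAN subnet, gateway address and WAN address are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing (assumption, not from the thread): the VLAN is
# 10.20.0.0/24 with the firewall at 10.20.0.1, the firewall's WAN address is
# 203.0.113.10, and a second VLAN lives in 10.30.0.0/24.
VLAN_ADDR = ipaddress.ip_address("10.20.0.1")
WAN_ADDR = ipaddress.ip_address("203.0.113.10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THIS_FIREWALL = [VLAN_ADDR, WAN_ADDR]  # what pfSense's "This Firewall (self)" expands to

# One interface rule: action, protocol ("*" = any), destination matcher, destination port.
Rule = namedtuple("Rule", "action proto dst dport")

def match_dst(dst, ip):
    if dst == "any":
        return True
    if dst == "rfc1918":          # the "RFC 1918" alias from the original post
        return any(ip in net for net in RFC1918)
    if dst == "self":             # "This Firewall (self)"
        return ip in THIS_FIREWALL
    return ip == dst              # a single host address (the VLAN gateway)

def evaluate(rules, proto, dst_ip, dport=None):
    """Return the action of the first rule that matches; pf denies anything unmatched."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("*", proto) or not match_dst(r.dst, ip):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action           # first match wins, later rules are never consulted
    return "block"

# The ordering from the first post: the RFC1918 block swallows traffic to the gateway.
ORIGINAL = [
    Rule("block", "*", "rfc1918", None),
    Rule("pass", "*", VLAN_ADDR, None),
    Rule("pass", "*", "any", None),
]

# The working set from the follow-up post, with Block changed to Reject and the
# reject-to-self rule that closes the path to the GUI via the WAN address.
FINAL = [
    Rule("pass", "icmp", VLAN_ADDR, None),
    Rule("pass", "udp", VLAN_ADDR, 53),
    Rule("pass", "tcp", VLAN_ADDR, 53),
    Rule("reject", "*", "self", None),
    Rule("reject", "*", "rfc1918", None),
    Rule("pass", "*", "any", None),
]
```

The model ignores pf's state table, so only the initial packet of a connection is classified; return traffic is allowed by state on the real firewall.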