Netgate Discussion Forum
    Isolating vlans

    nullvalue:

      This post is deleted!
    awebster:

        There are a few ways to approach this problem; my favorite is to create an alias called RFC_1918 and put all the non-routable IP subnets in it (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); you might also want to add some of the illegal/special-use (RFC 6890) subnets that shouldn't appear on the Internet.
        Then, in each vlan ruleset, a single before-last rule that says block from this-net to RFC_1918. Any explicit access can be granted prior to this rule, and the last rule is the "allow this-net to any" rule to get out to the Internet.
        Unless you are using non-private IPs internally, this will work fine, and will catch any future expansion.

        Similarly, you could create an alias called internal_vlans and put all your internal vlans in it, and using the same rule structure, you will prevent vlans from talking to each other unless explicitly allowed. This doesn't scale quite as well, as you need to add any new vlans to the internal_vlans alias, but it does allow you to use other subnets than the standard non-routable ones.

        –A.

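The rule structure in the answer above (explicit allows, then block this-net to an alias, then allow this-net to any) depends entirely on pfSense evaluating interface rules top to bottom with first match winning. The following script is an added example, not code from the post or from pfSense: it models that first-match evaluation over a constructed per-VLAN ruleset so the ordering can be checked offline, and it covers both variants the answer mentions (the RFC_1918 alias and the internal_vlans alias) by making the blocked alias a parameter. The VLAN subnets, the extra RFC 6890 ranges placed in the alias, and the sample flows are all assumptions made up for the example.

```python
"""Offline model of a pfSense per-VLAN ruleset (added example, not pfSense code).

pfSense applies the rules on an interface tab top to bottom and stops at the
first match; traffic that matches nothing hits the implicit default deny.
This script builds the ruleset the forum answer describes and evaluates a few
constructed flows against it, so a mistake in rule order shows up immediately.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Alias RFC_1918 as in the answer, plus two RFC 6890 special-use ranges
# (shared address space and link-local) as an assumed, optional extra.
RFC_1918: List[Net] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16",
)]

# The alternative alias from the answer: every internal VLAN listed
# explicitly (constructed subnets; must be kept current when VLANs are added).
INTERNAL_VLANS: List[Net] = [ipaddress.ip_network(n) for n in (
    "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
)]


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: List[Net]              # source networks ("this-net" = the VLAN itself)
    dst: Optional[List[Net]]    # destination networks; None means "any"
    note: str = ""              # description, as the GUI rule description field


def _matches(nets: Optional[List[Net]], addr: ipaddress.IPv4Address) -> bool:
    """True if addr falls in one of nets, or nets is the 'any' wildcard."""
    return nets is None or any(addr in n for n in nets)


def vlan_ruleset(this_net: str, block_alias: List[Net] = RFC_1918,
                 explicit_allow: Tuple[str, ...] = ()) -> List[Rule]:
    """Build one VLAN's ruleset in the order the answer gives:
    1. any explicit allows to specific internal destinations,
    2. block this-net -> block_alias (RFC_1918 or internal_vlans),
    3. allow this-net -> any, which is what reaches the Internet."""
    this = [ipaddress.ip_network(this_net)]
    rules = [Rule("pass", this, [ipaddress.ip_network(d)], f"explicit allow to {d}")
             for d in explicit_allow]
    rules.append(Rule("block", this, block_alias, "block this-net to alias"))
    rules.append(Rule("pass", this, None, "allow this-net to any"))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """First-match evaluation: returns (action, note) of the winning rule,
    or the implicit default deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _matches(r.src, s) and _matches(r.dst, d):
            return r.action, r.note
    return "block", "implicit default deny"


def misordered(rules: List[Rule]) -> List[Rule]:
    """Common mistake: the 'allow to any' rule placed above the block rule.
    Returned for comparison; the block rule can then never match."""
    block = [r for r in rules if r.action == "block"]
    return [r for r in rules if r.action == "pass"] + block


if __name__ == "__main__":
    vlan10 = vlan_ruleset("192.168.10.0/24", explicit_allow=("192.168.20.5/32",))
    flows = [("192.168.10.7", "192.168.20.5"),   # explicitly allowed host
             ("192.168.10.7", "192.168.20.9"),   # another VLAN: blocked
             ("192.168.10.7", "203.0.113.10"),   # Internet: allowed
             ("192.168.10.7", "100.64.1.1")]     # RFC 6890 range: blocked
    for src, dst in flows:
        print(f"{src} -> {dst}: {evaluate(vlan10, src, dst)}")
    print("misordered:", evaluate(misordered(vlan10), "192.168.10.7", "192.168.20.9"))
```

Running it shows the block rule catching inter-VLAN traffic while the final rule still passes Internet-bound traffic, and the `misordered` variant shows why the block must sit before the allow-any rule. Swapping `block_alias=INTERNAL_VLANS` reproduces the second approach from the answer, where 192.168.40.0/24 would be reachable until it is added to the alias.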
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.