    Vlans and pfBlockerNG implementation

    pfBlockerNG
    • C
      cburbs last edited by

      I have just started adding VLANs to my network and am trying to figure out the proper way to have them also go through pfBlockerNG. From what I have read, it seems there might be a few different ways to do it, so I'm looking for the proper way.
      It is currently working on my main LAN, so now I need to add it to my VLANs.

      Thanks

      • M
        mcury @cburbs last edited by

        @cburbs

        Ticking the floating rules option enables it on all VLANs.
        Selecting the interfaces enables it only for the VLANs selected.

        [screenshot: 74a616db-6cc7-4cc2-a41f-c2199e5181b4-image.png]

        "If the world is against the truth, I'm against the world".
        Athanasius of Alexandria

        • C
          cburbs @mcury last edited by

          @mcury

          I have that set up like you mentioned before, but when I am on VLAN4 I can't ping or browse the DNSBL VIP alias.

          • M
            mcury @cburbs last edited by

            @cburbs That happens because you blocked 10.10.10.1 when you blocked internal networks.
            You can simply change your internal networks block rule to block only your VLANs and not the entire RFC 1918 range.

            Or, create a rule allowing connections to 10.10.10.1

            Did you understand how firewall rules work in our previous conversation?

            "If the world is against the truth, I'm against the world".
            Athanasius of Alexandria

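The two fixes mcury describes both come down to first-match rule ordering: pfSense evaluates interface rules top-down and the first matching rule decides, so a "block RFC 1918" rule placed above anything else also swallows traffic to the DNSBL VIP 10.10.10.1. The Python below is an added illustration written for this thread, not code from pfSense or pfBlockerNG; it simulates a first-match rule set and shows the broken order, the "allow the VIP above the block" fix, and the "narrow the block to your own VLAN subnets" fix. The VIP address comes from the thread; the VLAN subnets and client address are constructed sample values.

```python
"""Simulate first-match firewall evaluation to show why an RFC 1918 block rule
placed above an allow rule cuts a VLAN off from the pfBlockerNG DNSBL VIP."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Rule:
    action: str       # "pass" or "block"
    dst: list[str]    # destination networks, like a pfSense alias
    desc: str
    src: str = "any"  # source network, or "any"

    def matches(self, src: Addr, dst: Addr) -> bool:
        src_ok = self.src == "any" or src in Net(self.src)
        dst_ok = any(dst in Net(n) for n in self.dst)
        return src_ok and dst_ok


def evaluate(rules: list[Rule], src: Addr, dst: Addr) -> tuple[str, str]:
    """Walk the rule set top-down; the first matching rule wins, as with
    pfSense interface rules. No match falls through to the default deny."""
    for r in rules:
        if r.matches(src, dst):
            return r.action, r.desc
    return "block", "default deny"


# 10.10.10.1 is the DNSBL VIP from the thread; everything below it is a
# constructed sample (assumed VLAN subnets and a client on VLAN4).
DNSBL_VIP = "10.10.10.1"
VLAN4_CLIENT = Addr("192.168.4.20")
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
MY_VLANS = ["192.168.1.0/24", "192.168.4.0/24", "192.168.5.0/24"]

BLOCK_INTERNAL = Rule("block", RFC1918, "block all RFC 1918")
PASS_DNSBL_VIP = Rule("pass", [DNSBL_VIP + "/32"], "allow DNSBL VIP")
PASS_ANY = Rule("pass", ["0.0.0.0/0"], "allow out to internet")


def broken_order() -> tuple[str, str]:
    """Block rule above the allow: VLAN4 can never reach the DNSBL VIP."""
    rules = [BLOCK_INTERNAL, PASS_DNSBL_VIP, PASS_ANY]
    return evaluate(rules, VLAN4_CLIENT, Addr(DNSBL_VIP))


def fixed_order() -> tuple[str, str]:
    """First fix: the allow-to-VIP rule sits above the internal block."""
    rules = [PASS_DNSBL_VIP, BLOCK_INTERNAL, PASS_ANY]
    return evaluate(rules, VLAN4_CLIENT, Addr(DNSBL_VIP))


def narrowed_block() -> tuple[tuple[str, str], tuple[str, str]]:
    """Second fix: block only your own VLAN subnets, not all of RFC 1918.
    The VIP passes, while cross-VLAN traffic (VLAN4 -> VLAN5) is still blocked."""
    rules = [Rule("block", MY_VLANS, "block other VLANs"), PASS_ANY]
    return (evaluate(rules, VLAN4_CLIENT, Addr(DNSBL_VIP)),
            evaluate(rules, VLAN4_CLIENT, Addr("192.168.5.10")))


if __name__ == "__main__":
    print("broken order :", broken_order())
    print("fixed order  :", fixed_order())
    print("narrowed block:", narrowed_block())
```

Running it prints a block for the first ordering and a pass for both fixes; the narrowed block variant also shows that inter-VLAN isolation is preserved while the VIP stays reachable, which is the trade-off to check before choosing between the two approaches.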
            • C
              cburbs @mcury last edited by cburbs

              @mcury

              Yeah I just added a rule at the top now.

              [screenshot: c3a4c0b2-4cef-4cdd-a480-4e7eba44c1c8-image.png]

              I just saw this and assume it would be similar if enabled.

              [screenshot: 5f3ba64e-3248-4720-89a7-6e94c761615a-image.png]

              The floating rule would be easier to set up, but I have read that people avoid them, as it is easier to troubleshoot issues per LAN/VLAN by assigning rules per LAN/VLAN. Thoughts/opinions on this one?

              • M
                mcury @cburbs last edited by

                @cburbs Actually, that is totally up to the user.

                In my case, I only filter one VLAN through pfBlocker/DNSBL, so I don't use the floating rule feature of pfBlocker. I have it only on my LAN.

                Guest, Wi-Fi, etc. are not being filtered by pfBlocker/DNSBL.

                I wouldn't enable that, because if one day a new VLAN is added and this VLAN doesn't need the pfBlocker filter, I would have to change the pfBlocker setup instead of just ticking or removing the VLAN in the pfBlocker configuration.

                As I said, that is totally up to the user.

                "If the world is against the truth, I'm against the world".
                Athanasius of Alexandria

                • M
                  mcury @mcury last edited by

                  I never thought about the logs perspective.

                  I think that wouldn't be an issue, as you have the Reports tab in pfBlocker, which gives you a pretty good summary of what is happening.

                  "If the world is against the truth, I'm against the world".
                  Athanasius of Alexandria

                  • C
                    cburbs @mcury last edited by

                    @mcury
                    I am just adding each VLAN to the "Outbound Firewall Rules" under the IP tab in pfBlockerNG.

                    Then each VLAN has this rule towards the top, before the block firewall/internal rules:

                    [screenshot: 7475b17a-506b-4c43-b709-0b0650b33fc0-image.png]
