Netgate Discussion Forum

    VLAN Firewall not applying

    Firewalling
    8 Posts 2 Posters 330 Views
    Scorpionking37

      Dear people,

      I have successfully created 10 VLANs:
      VLAN 1
      VLAN 2
      VLAN 3
      VLAN 4
      VLAN 5
      VLAN 6
      VLAN 7
      VLAN 8
      VLAN 9
      VLAN 10

      On VLAN 10 I have created the following rules:
      VLAN 10

      Protocol Source Source Port Destination Destination Port Gateway Queue Schedule Description Actions
      IPv4* * * VLAN 1 * * none Deny VLAN 10 -> VLAN 1 enabled (Ping OK, VLAN 1 blocks connection from VLAN 10, get no reply)
      IPv4* * * VLAN 2 * * none Deny VLAN 10 -> VLAN 2 enabled (Ping OK, VLAN 2 blocks connection from VLAN 10, get no reply)
      IPv4* * * VLAN 3 * * none Deny VLAN 10 -> VLAN 3 enabled (Ping OK, VLAN 3 blocks connection from VLAN 10, get no reply)
      IPv4* * * VLAN 4 * * none Deny VLAN 10 -> VLAN 4 enabled (Ping OK, VLAN 4 blocks connection from VLAN 10)
      IPv4* * * VLAN 5 * * none Deny VLAN 10 -> VLAN 5 enabled (Ping OK, VLAN 5 blocks connection from VLAN 10, get no reply)
      IPv4* * * VLAN 6 * * none Deny VLAN 10 -> VLAN 6 enabled (Ping not OK, VLAN 6 gives a reply to VLAN 10, but it needs to be blocked.)
      IPv4* * * VLAN 7 * * none Deny VLAN 10 -> VLAN 7 enabled (Ping OK, VLAN 7 blocks connection from VLAN 10, get no reply)
      IPv4* * * VLAN 8 * * none Deny VLAN 10 -> VLAN 8 enabled (Ping OK, VLAN 8 blocks connection from VLAN 10, get no reply)
      Allow VLAN 10 -> Internet

      How can it be that the outgoing connection to VLAN 6 still gets a reply when it needs to be blocked?
      Each VLAN has its own IP address and address range.

      Can someone help me?

      hieroglyph @Scorpionking37

        @scorpionking37 Your list of rules is hard to read. Please take a screenshot of the rules and post them. A screenshot shows how the rules are actually configured and is the easiest way to help us help you.

        I'll try to answer your question with what I think I have read above:
        If your goal is to prevent a device on VLAN6 from talking to a device on VLAN10 you want to put the deny rule on the source interface. In this case the source interface is VLAN6.

        Interface VLAN6 needs to have the rules which prevent or allow devices on VLAN6 to reach other networks. For example...

        Interface: VLAN6 Rule#1

        Action: Pass
        Interface: VLAN6
        Address Family: IPv4
        Protocol: ICMP
        Protocol Subtype: Echo Request
        Source: VLAN6_net
        Source Port: n/a
        Destination: VLAN10_net
        Destination Port: n/a
        Description: Allow VLAN6 Devices To Ping VLAN10 Devices
        

        Interface: VLAN6 Rule#2

        Action: Reject
        Interface: VLAN6
        Address Family: IPv4
        Protocol: Any
        Source: VLAN6_net
        Source Port: Any
        Destination: VLAN10_net
        Destination Port: Any
        Description: Block All VLAN6 Devices From Reaching VLAN10 Devices
        

        Repeat the above two rules for all the other VLANs that should behave this way.

        Interface: VLAN10 RuleX

        Action: Pass
        Interface: VLAN10
        Address Family: IPv4
        Protocol: Any
        Source: VLAN10_net
        Source Port: Any
        Destination: Any
        Destination Port: Any
        Description: Allow VLAN10 Devices To Internet
        Scorpionking37 @hieroglyph

          @hieroglyph Dear Hieroglyph,

          What I am trying to do is to get a better understanding of the pfsense firewall rules before production.
          So here are the networks I have built, plus the rules that must be configured:
          WAN (Built-in)
          LAN (Built-in)
          VLAN 1 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
          Allow incoming connections from: VLAN2, VLAN3, VLAN4, VLAN5, VLAN9
          Block incoming connections from: LAN, VLAN6, VLAN7, VLAN8, Internet

          VLAN 2 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
          Allow incoming connections from: VLAN1, VLAN3, VLAN4, VLAN5, VLAN9
          Block incoming connections from: LAN, VLAN6, VLAN7, VLAN8, Internet

          VLAN 3 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
          Allow incoming connections from: VLAN1, VLAN2, VLAN4, VLAN5
          Block incoming connections from: LAN, VLAN6, VLAN7, VLAN8, Internet

          VLAN 4 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
          Allow incoming connections from: VLAN1, VLAN2, VLAN3, VLAN5
          Block incoming connections from: LAN, VLAN6, VLAN7, VLAN8, Internet

          VLAN 5 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
          Allow incoming connections from: VLAN1, VLAN2, VLAN3, VLAN4, VLAN9
          Block incoming connections from: LAN, VLAN6, VLAN7, VLAN8, Internet

          VLAN 6 Block outgoing connections to: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN7, VLAN8, VLAN9
          Allow incoming connections from: Internet
          Block incoming connections from: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN7, VLAN8, VLAN9
          Allow outgoing connections to: Internet

          VLAN 7 Block outgoing connections to: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN8, VLAN9
          Allow incoming connections from: Internet
          Block incoming connections from: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN8, VLAN9
          Allow outgoing connections to: Internet

          VLAN 8 Block outgoing connections to: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7, VLAN9
          Allow incoming connections from: Internet
          Block incoming connections from: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7, VLAN9
          Allow outgoing connections to: Internet

          VLAN 9 Block outgoing connections to: LAN, VLAN3, VLAN4, VLAN6, VLAN7, VLAN8, VLAN10
          Allow incoming connections from: Internet
          Block incoming connections from: LAN, VLAN3, VLAN4, VLAN6, VLAN7, VLAN8, VLAN10
          Allow outgoing connections to: Internet, VLAN1, VLAN2, VLAN5

          VLAN 10 Block outgoing connections to: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7, VLAN8, VLAN9 (and after installing a device on the network, block outgoing connections to the Internet)
          Allow incoming connections from: Internet with specific ports only, such as 22 or 110; only a host on VLAN7 with the port alias (PA-test)
          Block incoming connections from: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7, VLAN8, VLAN9
          Allow outgoing connections to: Internet (temporarily)

          I have tested your config, but it's not working, because from VLAN 10 I can still ping devices and the gateway of VLAN 6 that should be blocked.
          This also applies to pinging devices in VLAN8.

          Are the firewall rules based on incoming or outgoing connections?

          How should it be configured?
          While waiting for your answer, I will also continue in pfsense testing and explore how to configure it.

          hieroglyph @Scorpionking37

            @scorpionking37 The most common and recommended technique is to block/reject/pass rules on the incoming interface. Read this whole section in the pfsense docs about firewall and rules.

            VLAN 1 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
            If you want to block VLAN1 access to LAN, VLAN6, 7, 8, and the internet, the block/reject rules should go on the VLAN1 interface.

            Allow incoming connection from: VLAN2, VLAN3, VLAN4, VLAN5, VLAN9
            To allow VLAN2, 3, 4, 5, and 9 access to VLAN1; put pass rules on the VLAN2, 3, 4, 5, and 9 interfaces allowing traffic to VLAN1.

            Block incoming connection from: LAN, VLAN6, VLAN7, VLAN8, Internet
            To block LAN, VLAN6, 7, and 8 from accessing VLAN1; put block/deny rules on the LAN, VLAN6, 7, and 8 interfaces. The WAN interface comes with a default block all rule (it is hidden). But for learning purposes, a block/reject rule can be put on the WAN interface as well.

            Rule order is also very important. It is also explained in the link above.

            Advice: Backup your configuration often.

            Scorpionking37 @hieroglyph

              @hieroglyph This is what I have done to block a connection from VLAN 10 to VLAN 6:

              Interface: VLAN10 Rule#1

              Action: block
              Interface: VLAN10
              Address Family: IPv4
              Protocol: Any
              Source: VLAN10_net
              Source Port: Any
              Destination: VLAN6_net
              Destination Port: Any
              Description: Block All VLAN10 Devices From Reaching VLAN6 Devices

              On a computer on VLAN10 I ping two devices on VLAN6 and get "Request Timed Out" so far so good, but when I ping the gateway of VLAN6 I get
              Reply from <IP gateway>: bytes=32 time=11ms TTL=117
              Reply from <IP gateway>: bytes=32 time=9ms TTL=117

              But by my understanding, if you set Destination: VLAN6_net with Source Port: Any and Destination Port: Any, you shouldn't be allowed to ping the VLAN6 gateway from a computer on VLAN10.

              For all other VLANs, when I ping the gateways I get the response "Request Timed Out" and cannot connect to those devices.

              I used the same rule to create a block for all VLAN6 devices from reaching VLAN10 devices:

              Interface: VLAN6 Rule#1

              Action: block
              Interface: VLAN6
              Address Family: IPv4
              Protocol: Any
              Source: VLAN6_net
              Source Port: Any
              Destination: VLAN10_net
              Destination Port: Any
              Description: Block All VLAN6 Devices From Reaching VLAN10 Devices

              Also I created a rule on VLAN10 to allow only one device (a single host) from VLAN7, and it is at the top of the table:
              Action: Pass
              Interface: VLAN10
              Address Family: IPv4
              Protocol: Any
              Source: Single host <VLAN7 IP>
              Source Port: Any
              Destination: VLAN10_net
              Destination Port: Any
              Description: Allow VLAN7 single host Devices To VLAN10_net

              Is this the correct syntax/configuration?

              Scorpionking37 @Scorpionking37

                @scorpionking37 I found out what the problem was: on my computer in the VLAN there was also a VM Workstation adapter with a virtual IP address for the host-only network.
                When I disabled this card, the computer could not reach VLAN 6.
                So all is good so far.

                But is the allow incoming connection rule the right way to allow specific devices?

                hieroglyph @Scorpionking37

                  @scorpionking37 Please take screenshots of your firewall rules. This is the best way for me to help you. Typing single firewall rules does not show me what is above or below that rule which may be allowing VLAN10 devices to ping the VLAN6_address.

                  You will not be able to put a rule on the VLAN10 interface that allows a specific device on VLAN7 access to VLAN10. What you want to do is move that rule to the VLAN7 interface:

                  Action: Pass
                  Interface: VLAN7
                  Address Family: IPv4
                  Protocol: Any
                  Source: Single host <VLAN7 IP>
                  Source Port: Any
                  Destination: VLAN10_net
                  Destination Port: Any
                  Description: Allow VLAN7 single host Devices To VLAN10_net

                  Traffic is filtered on the incoming interface, which is VLAN7 in this case. VLAN10 is the outgoing interface and will not filter traffic coming from VLAN7.
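The two explanations above (rules belong on the interface the traffic enters, top-down first match, hidden default block) as a small added simulation; this is example code written for this page, not pfSense code, and the subnets, the VLAN7 host address and the VLAN6 gateway address are constructed lab values the thread never gives:

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab subnets (assumption: the thread gives no real addressing).
NETS = {
    "VLAN6": ipaddress.ip_network("10.0.6.0/24"),
    "VLAN7": ipaddress.ip_network("10.0.7.0/24"),
    "VLAN10": ipaddress.ip_network("10.0.10.0/24"),
}
GATEWAY_VLAN6 = "10.0.6.1"   # pfSense's own address on VLAN6 (constructed)
HOST_VLAN7 = "10.0.7.50"     # the single VLAN7 host to let into VLAN10 (constructed)

@dataclass
class Rule:
    interface: str     # the tab the rule sits on = interface the packet ENTERS on
    action: str        # "pass" or "block"
    source: str        # "<VLAN>_net", a single IP, or "any"
    destination: str
    description: str

def _matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec.endswith("_net"):
        return ip in NETS[spec[:-4]]
    return ip == ipaddress.ip_address(spec)

def ingress_interface(src: ipaddress.IPv4Address) -> str:
    """The interface a packet arrives on is the one whose subnet holds its source."""
    for name, net in NETS.items():
        if src in net:
            return name
    raise ValueError(f"{src} is not on a known VLAN")

def evaluate(rules: list, src: str, dst: str) -> tuple:
    """pfSense semantics: only rules on the ingress interface are consulted,
    top-down, first match wins; no match falls through to the hidden default block."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_interface(src_ip)
    for rule in rules:
        if rule.interface != iface:
            continue   # a rule on another interface's tab is never even looked at
        if _matches(rule.source, src_ip) and _matches(rule.destination, dst_ip):
            return rule.action, rule.description
    return "block", f"default deny on {iface}"

BLOCK_10_TO_6 = Rule("VLAN10", "block", "VLAN10_net", "VLAN6_net", "Block VLAN10 -> VLAN6")
ALLOW_10_OUT = Rule("VLAN10", "pass", "VLAN10_net", "any", "Allow VLAN10 -> Internet")
# Scorpionking37's version: the VLAN7-host pass rule placed on the VLAN10 tab.
MISPLACED = [Rule("VLAN10", "pass", HOST_VLAN7, "VLAN10_net", "VLAN7 host (VLAN10 tab)"),
             BLOCK_10_TO_6, ALLOW_10_OUT]
# hieroglyph's correction: the same rule moved to the VLAN7 tab.
CORRECTED = [Rule("VLAN7", "pass", HOST_VLAN7, "VLAN10_net", "VLAN7 host (VLAN7 tab)"),
             BLOCK_10_TO_6, ALLOW_10_OUT]
```

With `MISPLACED` the VLAN7 host hits the default deny on VLAN7 because no rule on that tab matches, while `CORRECTED` passes it; the same evaluator also shows that a ping from VLAN10 to the VLAN6 gateway address is blocked by the rule as written, and that swapping `ALLOW_10_OUT` above `BLOCK_10_TO_6` would let it through, which is the rule-order point made earlier in the thread.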

                  Scorpionking37 @hieroglyph

                    @hieroglyph Now I understand how pfsense firewall rules work, thanks for the explanation.
                    This topic can be closed now.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.