VLAN Firewall not applying

Scorpionking37

Dear people,

I have succesfully create 10 VLANS,
VLAN 1
VLAN 2
VLAN 3
VLAN 4
VLAN 5
VLAN 6
VLAN 7
VLAN 8
VLAN 9
VLAN 10

On VLAN 10 I have create the following rule
VLAN 10

Protocol Source Source Port Destination Destination Port Gateway Queue Schedule Description Actions
IPv4* * * VLAN 1 * * none Deny VLAN 10 -> VLAN 1 enabled (Ping OK, VLAN 1 blockes connection from VLAN 10, get no reply)
IPv4* * * VLAN 2 * * none Deny VLAN 10 -> VLAN 2 enabled (Ping OK, VLAN 2 blockes connection from VLAN 10, get no reply)
IPv4* * * VLAN 3 * * none Deny VLAN 10 -> VLAN 3 enabled (Ping OK, VLAN 3 blockes connection from VLAN 10, get no reply)
IPv4* * * VLAN 4 * * none Deny VLAN 10 -> VLAN 4 enabled (Ping OK, VLAN 4 blockes connection from VLAN 10)
IPv4* * * VLAN 5 * * none Deny VLAN 10 -> VLAN 5 enabled (Ping OK, VLAN 5 blockes connection from VLAN 10, get no reply)
IPv4* * * VLAN 6 * * none Deny VLAN 10 -> VLAN 6 enabled (Ping not OK, VLAN 6 gives reply to VLAN 10, but it needs to be blocked.)
IPv4* * * VLAN 7 * * none Deny VLAN 10 -> VLAN 7 enabled (Ping OK, VLAN 7 blockes connection from VLAN 10, get no reply)
IPv4* * * VLAN 8 * * none Deny VLAN 10 -> VLAN 8 enabled (Ping OK, VLAN 8 blockes connection from VLAN 10, get no reply)
Allow VLAN 10 -> Internet

How can it be that outgoing connection to VLAN 6 still getting reply but it needs to be blocked.
Each VLAN has his own IP address and address range.

Can someone help me?

hieroglyph

@scorpionking37 Your list of rules is hard to read. Please take a screenshot of the rules and post them. A screenshot shows how the rules are actually configured and is the easiest way to help us help you.

I'll try to answer your question with what I think I have read above:
If your goal is to prevent a device on VLAN6 from talking to a device on VLAN10 you want to put the deny rule on the source interface. In this case the source interface is VLAN6.

Interface VLAN6 needs to have the rules which prevent or allow devices on VLAN6 to reach other networks. For example...

Interface: VLAN6 Rule#1

Action: Pass
Interface: VLAN6
Address Family: IPv4
Protocol: ICMP
Protocol Subtype: Echo Reqest
Source: VLAN6_net
Source Port: n/a
Destination: VLAN10_net
Destination Port: n/a
Description: Allow VLAN6 Devices To Ping VLAN10 Devices

Interface: VLAN6 Rule#2

Action: Reject
Interface: VLAN6
Address Family: IPv4
Protocol: Any
Source: VLAN6_net
Source Port: Any
Destination: VLAN10_net
Destination Port: Any
Description: Block All VLAN6 Devices From Reaching VLAN10 Devices

Repeat the above two rules for all the other VLANs that should behave this way.

Interface: VLAN10 RuleX

Action: Pass
Interface: VLAN10
Address Family: IPv4
Protocol: Any
Source: VLAN10_net
Source Port: Any
Destination: Any
Destination Port: Any
Description: Allow VLAN10 Devices To Internet

Scorpionking37

@hieroglyph Dear Hieroglyph,

What I am trying to do is to get better understanding of the pfsense firewall rules before production.
So here by the networks I have and built plus the rules that must be configured:
WAN (Built-in)
LAN (Built-in)
VLAN 1 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
Alllow incomming connection from: VLAN2, VLAN3, VLAN4, VLAN5, VLAN9
Block incomming connection from: LAN, VLAN6, VLAN7, VLAN8, Internet

VLAN 2 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
Alllow incomming connection from: VLAN1, VLAN3, VLAN4, VLAN5, VLAN9
Block incomming connection from: LAN, VLAN6, VLAN7, VLAN8, Internet

VLAN 3 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
Alllow incomming connection from: VLAN1, VLAN2, VLAN4 , VLAN5
Block incomming connection from: LAN, VLAN6, VLAN7, VLAN8, Internet

VLAN 4 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
Alllow incomming connection from: VLAN1, VLAN2, VLAN3 , VLAN5
Block incomming connection from:LAN, VLAN6, VLAN7, VLAN8, Internet

VLAN 5 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
Alllow incomming connection from: VLAN1, VLAN2, VLAN3 , VLAN4, VLAN9
Block incomming connection from: LAN, VLAN6, VLAN7, VLAN8, Internet

VLAN 6 Block outgoing connections to: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN7, VLAN8, VLAN9
Alllow incomming connection from: Internet
Block incomming connection from: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN7, VLAN8, VLAN9
Alllow outgoing connection to: Internet

VLAN 7 Block outgoing connections to: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN8, VLAN9
Alllow incomming connection from: Internet
Block incomming connection from: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN8, VLAN9
Alllow outgoing connection to: Internet

VLAN 8 Block outgoing connections to: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7, VLAN9
Alllow incomming connection from: Internet
Block incomming connection from: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7, VLAN9
Alllow outgoing connection to: Internet

VLAN 9 Block outgoing connections to: LAN, VLAN3, VLAN4, VLAN6 VLAN7, VLAN8, VLAN10
Alllow incomming connection from: Internet
Block incomming connection from: LAN, VLAN3, VLAN4, VLAN6 VLAN7, VLAN8, VLAN10
Alllow outgoing connection to: Internet, VLAN1, VLAN2, VLAN5

VLAN 10 Block outgoing connections to: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7, VLAN8, VLAN9 and after installing a device on the network block outgoing connection to the internet)
Alllow incomming connection from: Internet with specific ports only such as 22 or 110 , only host on VLAN7 with port alias (PA-test)
Block incomming connection from: LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5, VLAN6, VLAN7, VLAN8, VLAN9
Alllow outgoing connection to: Internet (temporarily)

I have tested your config, but its not working, because from VLAN 10 I can still ping devices and gateway of VLAN 6 that should be blocked.
This applies also to ping devices in VLAN8.

Is the firewall rules based on incomming or outgoing connection?

How should it be configured?
While waiting for your answer, I will also continue in pfsense testing and explore how to configure it.

hieroglyph

@scorpionking37 The most common and recommended technique is to block/reject/pass rules on the incoming interface. Read this whole section in the pfsense docs about firewall and rules.

VLAN 1 Block outgoing connections to: LAN, VLAN6, VLAN7, VLAN8, Internet
If you want block VLAN1 access to LAN, VLAN6, 7, 8, and internet; block/reject rules should go on the VLAN1 interface.

Allow incoming connection from: VLAN2, VLAN3, VLAN4, VLAN5, VLAN9
To allow VLAN2, 3, 4, 5, and 9 access to VLAN1; put pass rules on the VLAN2, 3, 4, 5, and 9 interfaces allowing traffic to VLAN1.

Block incoming connection from: LAN, VLAN6, VLAN7, VLAN8, Internet
To block LAN, VLAN6, 7, and 8 from accessing VLAN1; put block/deny rules on the LAN, VLAN6, 7, and 8 interfaces. The WAN interface comes with a default block all rule (it is hidden). But for learning purposes, a block/reject rule can be put on the WAN interface as well.

Rule order is also very important. It is also explained in the link above.

Advice: Backup your configuration often.

Scorpionking37

@hieroglyph This is what I have done to block a connection from vlan 10 to vlan6

Interface: VLAN10 Rule#1

Action: block
Interface: VLAN10
Address Family: IPv4
Protocol: Any
Source: VLAN10_net
Source Port: Any
Destination: VLAN6_net
Destination Port: Any
Description: Block All VLAN10 Devices From Reaching VLAN6 Devices

On a computer on VLAN10 I ping two devices on VLAN6 and get "Request Timed Out" so far so good, but when I ping the gateway of VLAN6 I get
Reply from <IP gateway>: bytes=32 time=11ms TTL=117
Reply from <IP gateway>: bytes=32 time=9ms TTL=117

But by my understanding if you set Destination: VLAN6_net with Source Port: Any and Destination Port: Any, you shouldn't not be allowed to ping the gateway vlan6 from a computer on vlan10

All other VLANS ping gateways I get respones "Request Timed Out" and connect connect to those device.

The above rule I uses to create a block All VLAN6 Devices From Reaching VLAN10 Devices

Interface: VLAN06 Rule#1

Action: block
Interface: VLAN6
Address Family: IPv4
Protocol: Any
Source: VLAN6_net
Source Port: Any
Destination: VLAN10_net
Destination Port: Any
Description: Block All VLAN6 Devices From Reaching VLAN10 Devices

Also I create a rule on VLAN10 to allow only one device from VLAN7 single host and is to on the table/
Action: Pass
Interface: VLAN10
Address Family: IPv4
Protocol: Any
Source: Single host <VLAN7 IP>
Source Port: Any
Destination: VLAN10_net
Destination Port: Any
Description: Allow VLAN7 single host Devices To VLAN10_net

Is this the good syntax configuration.

Scorpionking37

@scorpionking37 I found out what the problem was, on my computer in vlan there was also a vm-workstation with virtual IP address for host only network.
When disabling This card the computer could not reach vlan 6.
So al so good so far.

But is the allow incomming connection the good for allowing specific devices?

hieroglyph

@scorpionking37 Please take screenshots of your firewall rules. This is the best way for me to help you. Typing single firewall rules does not show me what is above or below that rule which may be allowing VLAN10 devices to ping the VLAN6_address.

You will not be able to put a rule on the VLAN10 interface that allows a specific device on VLAN7 access to VLAN10. What you want to do is move that rule to the VLAN7 interface:

Action: Pass
Interface: VLAN7
Address Family: IPv4
Protocol: Any
Source: Single host <VLAN7 IP>
Source Port: Any
Destination: VLAN10_net
Destination Port: Any
Description: Allow VLAN7 single host Devices To VLAN10_net

Traffic is filtered on the incoming interface, which is VLAN7 in this case. VLAN10 is the outgoing interface and will not filter traffic coming from VLAN7.

Scorpionking37

@hieroglyph Now I understand how pfsense firewall rules works, thanks for the explanation.
This topic can closed now.