    On what interface to place the rule that blocks traffic from other VLANS?

    • runevn last edited by

      I'm working on setting up VLANs on my home network. However, I have an elementary question regarding on which interface to place filter rules that should block traffic from the other VLANs.

      My initial thought was that I should create rules on each VLAN interface blocking traffic and allowing traffic from the other VLANs (other interface sources) and not on the interface where the traffic originates. Also because the GUI allows filtering traffic based on source (e.g. other VLANs).

      If I have three VLANs (10, 20, 30) that should be isolated, where should I place the rules?

      From the documentation I understand that rules should be on the interface where the traffic originates, is that right?

      "In pfSense software, rules on interface tabs are applied on a per-interface basis, always in the inbound direction on that interface. This means traffic initiated from the LAN is filtered using the LAN interface rules." (link to documentation)

      So does this mean that I should create three rules on each VLAN that blocks traffic from going to the other VLANs?

      I'm sorry if this is a very basic question, but I have trouble getting my head around where to correctly place the rules. Any help and clarifications would be highly appreciated. Thanks.

      • johnpoz (LAYER 8 Global Moderator) @runevn last edited by

        You place the rule(s) where traffic would enter pfSense. You actually pointed to the doc.

        Where would you stop someone from using your bathroom in your house? Would you stop them before they entered the house, or would you be in the bathroom and say sorry, you can't go here?

        Use an alias that includes all your networks, or better yet all of RFC1918 space, and use that alias to stop a VLAN from going to any of your other VLANs. Then if you do want to allow some traffic from VLAN X to Y, allow that on X before the rule that blocks access to RFC1918 space.

        Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 22.05 | Lab VMs CE 2.6, 2.7

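The placement and ordering logic in johnpoz's answer, as an added example that is not part of the thread: a small Python model of pfSense-style evaluation, where only the rules on the interface the traffic enters are consulted, inbound, top down, first match wins, and no match falls through to the default deny. The VLAN subnets, the RFC1918 alias and the VLAN20_DNS alias are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed aliases (assumed addressing, not from the thread): the three VLANs live in
# 192.168.10/20/30.0/24, and VLAN20 hosts a DNS server that VLAN10 is allowed to reach.
ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "VLAN20_DNS": ["192.168.20.53/32"],
}

def in_scope(spec, addr):
    """True if addr is covered by spec: 'any', an alias name, or a CIDR string."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n) for n in nets)

def rule(action, src, dst, dport=None):
    return {"action": action, "src": src, "dst": dst, "dport": dport}

# Rules are keyed by the interface tab, i.e. the interface the traffic ENTERS pfSense on.
RULES = {
    "VLAN10": [
        rule("pass", "192.168.10.0/24", "VLAN20_DNS", 53),   # exception placed ABOVE the block
        rule("block", "192.168.10.0/24", "RFC1918"),         # deny every other local network
        rule("pass", "192.168.10.0/24", "any"),              # everything else, e.g. the internet
    ],
    "VLAN20": [
        rule("pass", "192.168.20.0/24", "any"),              # permissive tab: VLAN20 can reach VLAN10
    ],
    "VLAN30": [
        rule("block", "192.168.30.0/24", "RFC1918"),
        rule("pass", "192.168.30.0/24", "VLAN20_DNS", 53),   # exception placed BELOW the block: never reached
        rule("pass", "192.168.30.0/24", "any"),
    ],
}

def evaluate(ingress_if, src, dst, dport):
    """Return (action, index) of the first matching rule on the ingress interface,
    or ('block', None) for pfSense's implicit default deny when nothing matches."""
    for i, r in enumerate(RULES.get(ingress_if, [])):
        if in_scope(r["src"], src) and in_scope(r["dst"], dst) and r["dport"] in (None, dport):
            return r["action"], i
    return "block", None
```

Note that the permissive VLAN20 tab does nothing for VLAN10-to-VLAN20 traffic, which is decided entirely on the VLAN10 tab, and that VLAN30's DNS exception never fires because the block above it matches first.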
        • JKnott @runevn last edited by

          @runevn

          Here's what I have to keep my guest WiFi from reaching the rest of my network. As you can see, the rules are placed on the network where they originate.

          [image: screenshot of the firewall rules on the guest WiFi interface]

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...
