On what interface to place the rule that blocks traffic from other VLANs?
-
I'm working on setting up VLANs on my home network. However, I have an elementary question regarding on which interface to place filter rules that should block traffic from the other VLANs.
My initial thought was that I should create rules on each VLAN interface blocking and allowing traffic from the other VLANs (other interface sources), and not on the interface where the traffic originates. Also because the GUI allows filtering traffic based on source (e.g. other VLANs).
If I have three VLANs (10, 20, 30) that should be isolated, where should I place the rules?
From the documentation I understand that rules should be on the interface where the traffic originates, is that right?
"In pfSense software, rules on interface tabs are applied on a per-interface basis, always in the inbound direction on that interface. This means traffic initiated from the LAN is filtered using the LAN interface rules." (link to documentation)
So does this mean that I should create three rules on each VLAN that block traffic from going to the other VLANs?
I'm sorry if this is a very basic question, but I have trouble getting my head around where to correctly place the rules. Any help and clarifications would be highly appreciated. Thanks.
-
You place the rule(s) where traffic would enter pfSense. You actually pointed to the doc.
Where would you stop someone from using your bathroom in your house? Would you stop them before they entered the house, or would you be in the bathroom and say "sorry, you can't go here"?
Use an alias that includes all your networks, or better yet all of RFC 1918 space, and use that alias to stop a VLAN from going to any of your other VLANs. Then, if you do want to allow some traffic from VLAN X to Y, allow that on X before the rule that blocks access to RFC 1918 space.
Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
-
Here's what I have to keep my guest WiFi from reaching the rest of my network. As you can see, the rules are placed on the network where they originate.
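The two answers above describe how pfSense evaluates interface-tab rules: only the tab of the interface the packet enters on is consulted, top down, and the first match ends evaluation. The following is an added example, not pfSense code or anything posted in the thread: a small Python model of that evaluation, used to compare the question's first instinct (a block rule on the destination VLAN's tab) with the placement the answers recommend (a block to an RFC 1918 alias on the source VLAN's tab, with any exceptions above it). The VLAN subnets, gateway addresses, alias names and the port-445 exception are all assumptions made up for the illustration.

```python
"""Model of pfSense-style per-interface, first-match rule evaluation.

Added example, not pfSense code.  Interface tab rules are applied only to
traffic entering the firewall on that interface, in order, and the first
matching rule wins; anything no rule passes is dropped by the default deny.
Addresses, alias names and ports below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases, including one for all of RFC 1918 space as the answer suggests.
ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "VLAN10_NET": ["192.168.10.0/24"], "VLAN10_GW": ["192.168.10.1/32"],
    "VLAN20_NET": ["192.168.20.0/24"], "VLAN20_GW": ["192.168.20.1/32"],
    "VLAN30_NET": ["192.168.30.0/24"], "VLAN30_GW": ["192.168.30.1/32"],
}

# Which interface a packet enters on, decided by its source network (assumed).
INTERFACES = {
    "VLAN10": ip_network("192.168.10.0/24"),
    "VLAN20": ip_network("192.168.20.0/24"),
    "VLAN30": ip_network("192.168.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name or "any"
    dst: str                     # alias name or "any"
    dst_port: Optional[int] = None  # None matches any destination port


def _in_alias(addr: str, name: str) -> bool:
    if name == "any":
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in ALIASES[name])


def ingress_interface(src: str) -> str:
    a = ip_address(src)
    for name, net in INTERFACES.items():
        if a in net:
            return name
    raise ValueError(f"no interface owns {src}")


def evaluate(rulesets: dict, src: str, dst: str, dst_port: int) -> str:
    """Action for a new connection src -> dst:dst_port.

    Only the ingress interface's tab is consulted, top down, first match wins.
    A rule sitting on any other tab is never looked at for this packet.
    """
    for rule in rulesets.get(ingress_interface(src), []):
        if (_in_alias(src, rule.src) and _in_alias(dst, rule.dst)
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action
    return "block"  # implicit default deny


# Placement 1 (the question's first instinct): block on the DESTINATION tab.
# It never fires, because a VLAN10-originated packet is filtered by VLAN10's
# tab only, and that tab passes everything.
DESTINATION_TAB = {
    "VLAN10": [Rule("pass", "any", "any")],
    "VLAN20": [Rule("block", "VLAN10_NET", "VLAN20_NET"),
               Rule("pass", "any", "any")],
    "VLAN30": [Rule("pass", "any", "any")],
}


def source_tab_rules(net: str, gw: str, exceptions=()) -> list:
    """Rules for one VLAN's own tab, in the order the answers describe."""
    return [
        Rule("pass", net, gw, 53),        # the firewall's own DNS is in RFC 1918 too
        *exceptions,                      # allowed cross-VLAN traffic goes ABOVE the block
        Rule("block", net, "RFC1918"),    # everything else private: blocked
        Rule("pass", net, "any"),         # Internet
    ]


# Placement 2 (the answers above): block on the SOURCE tab, with one assumed
# exception letting VLAN10 reach VLAN20 on TCP/445.
SOURCE_TAB = {
    "VLAN10": source_tab_rules("VLAN10_NET", "VLAN10_GW",
                               [Rule("pass", "VLAN10_NET", "VLAN20_NET", 445)]),
    "VLAN20": source_tab_rules("VLAN20_NET", "VLAN20_GW"),
    "VLAN30": source_tab_rules("VLAN30_NET", "VLAN30_GW"),
}

if __name__ == "__main__":
    for label, rules in (("destination tab", DESTINATION_TAB), ("source tab", SOURCE_TAB)):
        print(label, "VLAN10 -> VLAN20:80 =", evaluate(rules, "192.168.10.5", "192.168.20.5", 80))
```

Two things the model makes visible that a rule table alone does not: the block on VLAN20's tab is silently dead for traffic coming from VLAN10, and the interface address of the firewall itself sits inside RFC 1918, so anything the clients need from the firewall (DNS to the interface IP, for instance) must be passed above the block. The 445 exception is one-way only because pfSense is stateful: replies ride the state the first packet created, but a new connection from VLAN20 back to VLAN10 hits VLAN20's own block rule.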