Netgate Discussion Forum
    How to set the same VLANs between the switch and PfSense

    Category: L2/Switching/VLANs | 102 Posts, 6 Posters, 23.9k Views
    • JT40 @Bob.Dig

      @bob-dig said in How to set the same VLANs between the switch and PfSense:

      @jt40 said in How to set the same VLANs between the switch and PfSense:

      This Akismet spam filter is against me, I didn't post any link and I still can't write the message I need :D

      I am with Akismet on this one. 😀

      😁

      @patch said in How to set the same VLANs between the switch and PfSense:

      @jt40 said in How to set the same VLANs between the switch and PfSense:

      if there is no rule then is DENY ALL, so all the INBOUND traffic is DENY currently because I have no rule as such

      • Rules are evaluated from the top down.
      • The first rule which matches is used and no further rules are evaluated.
      • If no entered rules match, the packet is dropped / blocked.

      So if no rules are entered every packet falls off the bottom of the rule list and is blocked.

      I find it simplest to order my rules as

      1. Allowed local traffic
      2. Block other local traffic
      3. Allowed Internet traffic
      4. Block other Internet traffic

      An example of which for LAN2 is:
      (attached image: Firewall example.jpg)

      Thank you.
      I see that you have also set REJECT rules, but my point is: is that not the default?
      Precisely, I would expect DROP by default, not REJECT.

      Look at the simplest case: if I have a rule to do something, I expect that rule to be evaluated.
      If the device asks for something else and the rule is not present, I expect the packets to be dropped automatically...
      This is also the easiest way a firewall can work to make my life easier :D

      • johnpoz (LAYER 8 Global Moderator) @JT40
        last edited by johnpoz

        @jt40 the default is drop, i.e. just block..

        But internally it is sometimes better to reject vs just drop. I want to let my internal client know you can not go there right away - via a reject. Vs letting it bang its head with retrans trying to figure out why he is not getting an answer.

        Externally, no, you would almost never want to send a reject to something out on the internet.. But internally - if you're going to on purpose prevent something like vlan x from talking to vlan y.. it's better to just let them know - hey stop trying to go there ;)

        If the device asks for something else and the rule is not present, I expect the packets to be dropped automatically...

        That is how it works.. If there is no allow, then the traffic is dropped; gone over this how many times already.. But yet to see a picture of your rules.. You have been told multiple times that pfsense will not route traffic unless there is an allow rule.

        If the spam system is preventing you from uploading a picture - then link to it somewhere else, use something like "my picture is here somewhere . domain . tld / whatever" even if you have to. But what I can tell you yet again: yes, default is deny. No rule to allow, traffic is dropped.

        If you want to actually see it - then look at the full rule set, since this default deny is not shown in the GUI..

        [21.05.2-RELEASE][admin@sg4860.local.lan]/root: pfctl -sr | grep "Default deny rule"
        block drop in inet all label "Default deny rule IPv4"
        block drop out inet all label "Default deny rule IPv4"
        block drop in inet6 all label "Default deny rule IPv6"
        block drop out inet6 all label "Default deny rule IPv6"
        [21.05.2-RELEASE][admin@sg4860.local.lan]/root: 
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

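To make two points from this thread concrete at once, patch's description of top-down, first-match evaluation that falls off the bottom into a hidden default deny, and johnpoz's distinction between a silent drop and a reject, here is a small Python model of that evaluation. It is an added example, not code from the thread or from pfSense: the LAN2 subnet 10.0.20.0/24, the other VLAN addresses, the rule labels and the simplified match fields (source, destination and destination port only) are all constructed for illustration.

```python
"""Model of pf/pfSense first-match rule evaluation with an implicit default deny.

Added example, not from the thread or from pfSense. Addresses, labels and the
reduced match fields (src, dst, dport) are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "pass", "block" (silent drop) or "reject" (drop and answer)
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    dport: Optional[int]  # destination port; None means any port
    label: str            # free-text description, like the pfSense description field


@dataclass(frozen=True)
class Verdict:
    action: str
    label: str
    client_sees: str      # what the sending host experiences


# The drop-vs-reject point: a dropped packet leaves the client guessing,
# a rejected one tells it immediately that the destination is not reachable.
CLIENT_VIEW = {
    "pass": "connection proceeds",
    "block": "silence: retransmits until the connection times out",
    "reject": "immediate TCP RST / ICMP unreachable",
}

# pf's implicit last rule, the one `pfctl -sr` shows and the GUI hides.
DEFAULT_DENY = Rule("block", "0.0.0.0/0", "0.0.0.0/0", None, "Default deny rule IPv4")


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    """True when the packet fits the rule's source, destination and port."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Verdict:
    """Top-down, first-match evaluation; no match means the default deny applies."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return Verdict(rule.action, rule.label, CLIENT_VIEW[rule.action])
    return Verdict(DEFAULT_DENY.action, DEFAULT_DENY.label, CLIENT_VIEW["block"])


# Constructed LAN2 ruleset in the order suggested in the thread:
# allowed local, block other local, allowed Internet, block other Internet.
# "Block other local" uses reject so internal clients get an answer right away.
LAN2_RULES = [
    Rule("pass",   "10.0.20.0/24", "10.0.20.1/32", 53,   "Allow DNS to the firewall"),
    Rule("reject", "10.0.20.0/24", "10.0.0.0/8",   None, "Block other local traffic"),
    Rule("pass",   "10.0.20.0/24", "0.0.0.0/0",    443,  "Allow HTTPS to the Internet"),
    Rule("block",  "10.0.20.0/24", "0.0.0.0/0",    None, "Block other Internet traffic"),
]

# The same rules with "allow Internet" moved above "block other local": because
# 0.0.0.0/0 also covers the other VLANs, the local block is never reached for 443.
MISORDERED_RULES = [LAN2_RULES[0], LAN2_RULES[2], LAN2_RULES[1], LAN2_RULES[3]]


if __name__ == "__main__":
    cases = (("ordered", LAN2_RULES), ("misordered", MISORDERED_RULES), ("empty", []))
    for name, ruleset in cases:
        v = evaluate(ruleset, "10.0.20.50", "10.0.10.5", 443)
        print(f"{name:10s} 10.0.20.50 -> 10.0.10.5:443 => {v.action} "
              f"({v.label}); client sees: {v.client_sees}")
```

In pfSense terms, the GUI's "Block" action is pf's `block drop` (the form the `pfctl -sr` output above shows for the default deny) and "Reject" is `block return`. The model matches only on source, destination and port; real pf rules also carry interface, direction, protocol and state options, which is why the full rule set is the place to look when an allow rule seems not to take effect.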
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.