Netgate Discussion Forum

    VLans, Subnets, Block rules

    Firewalling
    Underworld
    last edited by Underworld

      I'm watching these Lawrence Systems videos on Youtube https://youtu.be/ouARr-4chJ8?t=726

      And he's created some VLANs - each with a subnet.

      Then he goes to the firewall and explicitly specifies that a VLAN can send to anything, except the other VLANs. Basically blocking access into other VLANs.

      But by virtue of each VLAN having its own subnet - my understanding is that you can't access those other IP ranges in the different subnet, making the blocking from firewall pointless?

      bingo600 @Underworld
      last edited by bingo600

        @underworld
        You are correct about VLANs being segregated on Layer2 (L2), the MAC Layer.
        But on Layer3 (L3) (Routing Layer) it is possible to forward (IP) packets from one VLAN to another.

        pfSense is a L3 device, doing routing.

        Ps:
        pfSense does both L2 + L3 operations.
        In order to do L3, you must support all of the lower layers too.
        Hint: OSI Model
        https://en.wikipedia.org/wiki/OSI_model

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        johnpoz LAYER 8 Global Moderator @Underworld
        last edited by
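        The distinction bingo600 draws (VLANs separate traffic at L2, but a router such as pfSense forwards between their subnets at L3, so only a firewall rule actually stops the cross-VLAN traffic) can be shown with a small model. This is an added example, not code from this thread or from pfSense: the VLAN ids, subnets, host addresses and rule sets are constructed, 203.0.113.5 is a documentation address standing in for an internet host, and `firewall_allows` is a simplified first-match model of how pfSense evaluates rules on the interface where traffic enters.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (hypothetical): three VLANs, each with its own /24,
# all terminating on one pfSense-style router/firewall.
VLANS = {
    10: ip_network("192.168.10.0/24"),
    20: ip_network("192.168.20.0/24"),
    30: ip_network("192.168.30.0/24"),
}

# Rule sets for the VLAN 10 interface as (action, source, destination).
# First match wins, and a packet matching no rule is dropped, as on pfSense.
# Constructed: a plain "allow VLAN 10 net to any" rule ...
RULES_OPEN = [
    ("pass", "192.168.10.0/24", "0.0.0.0/0"),
]
# ... versus the pattern from the video: block the other VLAN subnets first,
# then allow everything else (internet included).
RULES_ISOLATED = [
    ("block", "192.168.10.0/24", "192.168.20.0/24"),
    ("block", "192.168.10.0/24", "192.168.30.0/24"),
    ("pass",  "192.168.10.0/24", "0.0.0.0/0"),
]


def vlan_of(ip):
    """Return the VLAN id whose subnet contains ip, or None for off-site addresses."""
    addr = ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def l2_reachable(src, dst):
    """Layer 2 view: a frame only reaches hosts in the same VLAN (same broadcast
    domain). This is the isolation the original question relies on."""
    src_vlan = vlan_of(src)
    return src_vlan is not None and src_vlan == vlan_of(dst)


def firewall_allows(rules, src, dst):
    """Evaluate interface rules pfSense-style: the first matching rule decides,
    and a packet that matches no rule is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "pass"
    return False


def l3_reachable(src, dst, rules):
    """Layer 3 view: off-subnet traffic goes to the gateway, which routes it into
    the destination VLAN unless the rules on the ingress interface block it."""
    if l2_reachable(src, dst):
        return True  # same VLAN: switched directly, the firewall never sees it
    return firewall_allows(rules, src, dst)


if __name__ == "__main__":
    host_a, host_b = "192.168.10.5", "192.168.10.9"   # both in VLAN 10
    host_c, inet = "192.168.20.9", "203.0.113.5"      # VLAN 20 host, internet host
    print("same VLAN, L2 only        :", l2_reachable(host_a, host_b))
    print("other VLAN, L2 only       :", l2_reachable(host_a, host_c))
    print("other VLAN, routed, open  :", l3_reachable(host_a, host_c, RULES_OPEN))
    print("other VLAN, routed, block :", l3_reachable(host_a, host_c, RULES_ISOLATED))
    print("internet, routed, block   :", l3_reachable(host_a, inet, RULES_ISOLATED))
```

        Two things the model makes visible: with only the open rule, a VLAN 10 host reaches VLAN 20 through the router even though the subnets differ, which is the case the original question assumed impossible; and the block rules only work because they sit above the allow-any rule on the interface where the traffic enters. Traffic between two hosts in the same VLAN is switched and never reaches the firewall, so no rule on pfSense can control it.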

          @underworld said in VLans, Subnets, Block rules:

          my understanding is that you can't access those other IP ranges in the different subnet, making the blocking from firewall pointless?

          Huh? How would the internet work if you could not access other IP ranges?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.