Netgate Discussion Forum
    Providing isolation between Vlans!

    L2/Switching/VLANs
    32 Posts 9 Posters 5.9k Views
      enesas

      Hello
      I have multiple VLANs, and they communicate with each other by default.

      Why doesn't pfSense block it by default?

      I did a lot of research but couldn't figure it out completely. For each VLAN, it is necessary to create a rule (alias) for the other VLAN addresses, but for example this means big business if there are 20 or more VLANs.
      How can I isolate them from each other?
      Without too many rules and in a practical way?

        NogBadTheBad @enesas

        @enesas By default there are no firewall rules when you create a VLAN, therefore nothing can talk outside its subnet.

        If you want VLANs to only talk to the internet, create an alias with all the RFC 1918 address space, use it to create a block rule and drag it above the allow rule that I guess you've added.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          AndyRH

          From LAN (default in the setup) to other VLANs is allowed by the default 'any to any' rule. VLANs you create are isolated as there are no rules allowing traffic out. Or at least that has been my experience.

          o||||o
          7100-1u

            johnpoz @enesas

            @enesas said in Providing isolation between Vlans!:

            this means big business

            Well, managing and setting up a firewall with proper rules does take a bit of work, yes ;) Especially when you have multiple network segments and want to filter between them.

            While you could use the floating tab to assign some rules to all interfaces, I believe it's a better idea to put specific rules on each interface directly, as this allows for ease of reading rules later and/or editing specific interfaces with different rules at some future point in time.

            An alias with all of RFC 1918 space in it can be quite useful in blocking all your other VLANs, etc. But you still need to assign rules to allow or block specifically for each interface. For example, allowing DNS to the pfSense IP on that interface, etc.

            While you might think it a PITA, yes, setting up a firewall properly does take some effort ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              enesas @johnpoz

              @johnpoz
              While researching, Perry suggested the following method and I applied it. Only a DNS pass rule should be defined on top of this rule; otherwise it will not go to the internet (or you need to give a manual DNS).
              "Instead of creating an alias with subnets I use CIDR in rules
              Block Lan3 net to 192.168.0.0/16 Default block all local subnets"

                johnpoz @enesas

                @enesas said in Providing isolation between Vlans!:

                Instead of creating an alias with subnets I use CIDR in rules

                Sure, you can do that if it's easier for you or you like to see the CIDR. But when we say create an alias with all RFC 1918, we mean all of them.

                10/8
                192.168/16
                172.16/12

                This way, if you decide to use some 10 address or 172.16-31 address space in the future, you don't need to edit any rules, since those are also blocked even if you are not currently using that part of the RFC 1918 space.

                Notice my alias is from 2015 ;)

                alias.jpg

                But sure, a CIDR works just the same.


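As an added example (not code from the thread or from pfSense), a small Python model of first-match rule evaluation on one VLAN interface, showing the two points made above: the DNS pass rule must sit above the private-space block (enesas), and the block alias must contain all three RFC 1918 ranges, otherwise traffic to 10/8 or 172.16/12 slips through the block to the pass-any rule (johnpoz). The interface address 192.168.30.1 and the sample host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# The full RFC 1918 alias johnpoz describes: 10/8, 172.16/12 and 192.168/16
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The CIDR-only variant quoted from Perry, which covers just 192.168/16
ONLY_192 = [ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    dst: List[ipaddress.IPv4Network]  # destination networks the rule matches
    proto: str = "any"                # "any", "tcp" or "udp"
    dport: Optional[int] = None       # destination port, None = any port

def evaluate(rules, dst_ip, proto, dport):
    """First match wins, as on a pfSense interface tab; no match falls
    through to the default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if any(ip in net for net in r.dst):
            return r.action
    return "block"

def vlan_rules(block_list, fw_ip="192.168.30.1", dns_first=True):
    """Assumed ruleset for one VLAN interface: DNS to the firewall's own
    address on that interface, block private space, pass everything else
    (the internet). fw_ip is a constructed example address. dns_first=False
    reproduces the mistake enesas warns about: the DNS pass below the block."""
    dns = Rule("pass", [ipaddress.ip_network(fw_ip + "/32")], "udp", 53)
    block_private = Rule("block", block_list)
    internet = Rule("pass", [ANY])
    return [dns, block_private, internet] if dns_first else [block_private, dns, internet]

def is_isolated(block_list, other_vlan_hosts):
    """True only if every host on the other VLANs is blocked (SMB used as a probe)."""
    return all(evaluate(vlan_rules(block_list), h, "tcp", 445) == "block"
               for h in other_vlan_hosts)

# Constructed sample hosts, one in each private range
OTHER_VLANS = ["10.20.0.5", "172.31.5.5", "192.168.40.9"]
```

Running `is_isolated(ONLY_192, OTHER_VLANS)` returns False because the 10.20.0.5 and 172.31.5.5 hosts pass, while the full alias isolates all three.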
                  enesas @johnpoz

                  @johnpoz thank you

                    JKnott @enesas

                    @enesas

                    Here is what I have on my guest WiFi VLAN. It allows no contact at all with my LAN or router, other than pinging the interface it's connected to.

                    0b37a155-7e92-4f33-903a-53e0a51678b5-image.png

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                      johnpoz @JKnott

                      @jknott I don't know what you think those rules are going to allow; your first rule there is block RFC 1918 source, which is before ICMP, so the only thing that would work is IPv6 ping.

                      So unless you have some floating rules, those rules make no sense. How is bogon going to be the source to your WiFi VLAN interface?


                        JKnott @johnpoz

                        @johnpoz

                        Ooops! I copied the wrong rules. Here's what I meant to post. The other one is my WAN rules.

                        These are my guest WiFi rules.

                        9ac12615-e439-4c6f-b7b3-41d678ff7fbc-image.png


                          johnpoz @JKnott

                          @jknott haha - ok that makes more sense ;)


                            Jarhead @JKnott

                            @jknott What's the point of the "Block All"?
                            That's already there without adding that rule.

                              johnpoz @Jarhead

                              @jarhead That rule is set to not log. So if he was logging default deny (which is the default), he would not log any traffic hitting that block before the default deny, which would log.

                              It's common practice to put in a rule like that so you don't log a lot of noise. I have my default log off, and just have a block rule at the end of my WAN that logs only "SYN" hits, and common UDP ports for example.


                                Jarhead @johnpoz

                                @johnpoz Ok, gotcha. Makes sense but I would rather log blocks. Guess I won't be adding a Block All rule. 😀

                                  johnpoz @Jarhead

                                  @jarhead You can log what you want; here are my 2 rules on WAN that log stuff I block, and also log some of the stuff I allow.

                                  Notice the little log icons, and the gear which says I did something special with the rule. In my case I only log SYN-only packets; if it's something else like an SA or other out-of-state traffic that might hit my WAN, I don't really care to see it.

                                  And UDP: while I don't want to see all the random off-the-wall UDP noise, I do like to see interesting UDP ports and where I am being hit from, etc.

                                  examplewan.jpg

                                  Anything I do not allow still hits the default deny, just not logged because I turned off the option to log default deny rule.


                                    Jarhead @johnpoz

                                    @johnpoz Yeah, I got that, was just making a joke because I see no reason to add a Block All rule even if just for logging since you can just turn logging off. Yours I can see because you're logging specific things, but Block All makes no sense to me.

                                      johnpoz @Jarhead

                                      @jarhead The only problem is, maybe he wants to see default logs on his LAN-side interfaces, but not on his WAN.

                                      You can't just turn off logging of the default deny for specific interfaces; it's all or nothing ;) So if he wants to see those logs, but not all the noise on his WAN, creating your own catch-all block that would be hit before the default and that does not log would accomplish that.

                                      I wouldn't do it the way he is doing it either ;) But hey, there are multiple ways to skin a cat.


                                        JKnott @Jarhead

                                        @jarhead

                                        I use block on the WAN side, instead of reject, as it makes it appear as nothing is there. A reject will tell incoming traffic it's not allowed, revealing the presence of some device. I'm not sure if the default rule is reject or block.

                                        On internal rules, I use reject, not block.


                                          Jarhead @JKnott

                                          @jknott It's block.

                                          block.png

                                            Bob.Dig @JKnott

                                            @jknott said in Providing isolation between Vlans!:

                                            9ac12615-e439-4c6f-b7b3-41d678ff7fbc-image.png

                                            This is an interesting one: Reject "Prefix".
                                            If your prefix is dynamic, like for most of us who at home get IPv6 from their ISP, it would be nice to have this feature, but not much interest so far it seems. 😞

                                            But I know, jknott will keep his prefix stable by all means and john doesn't care for IPv6 too much. 😉

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.