Netgate Discussion Forum

    Tag all packets from VLAN

    Category: L2/Switching/VLANs
    5 Posts 4 Posters 259 Views
    • evilecho

      Hello All,

      I'm having trouble finding the proper (most efficient is preferred, but easiest is cool too) way to tag all packets originating from a specific network/subnet or VLAN. I am seeing only two options:

      Option 1 - add the tag to every firewall rule for that vlan/interface.
      Option 2 - create a floating any any match rule for that vlan/interface.

      I'm not overly concerned about CPU or RAM usage; I've got overpowered hardware and I don't think I've seen either of those two metrics surpass 10% utilization for longer than a few seconds.

      Thank you in advance, and sorry if this question makes your eye twitch.

      -EE

      • rcoleman-netgate (Netgate) @evilecho

        @evilecho Tags on VLANs happen as they transit the network switches and go in and out of ports.

        What are you trying to explain with this:

        Option 1 - add the tag to every firewall rule for that vlan/interface.
        Option 2 - create a floating any any match rule for that vlan/interface.

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        • evilecho @rcoleman-netgate

          @rcoleman-netgate Sorry for the confusion and for being so general with my ask... and again I apologize for not using the proper lexicon, if that's the case.

          In this situation, I am trying to identify all traffic that is originating (from devices/IPs) from a specific VLAN/Interface and apply a tag regardless of the firewall rules applied. My thought process is this: regardless of the initial rules defined on the Firewall Interface/VLAN Rules... I'd like to add a tag to all the packets originating from anything coming into that VLAN or interface... just in case I'd like to apply another rule after the initial rules were applied. One of the most common cases I've seen for this is to block traffic intended to go out a VPN gateway from exiting a non-VPN gateway. The other most common case I've seen this with is for a schedule-based firewall rule.

          Thanks.

          • JKnott @evilecho

            @evilecho

            What you want to do is create a VLAN and route to it. That way, all the frames will have a VLAN tag. Of course, it will also require a different subnet.

            Perhaps you'd better take another look at the firewall rules to accomplish what you want. Also, if the VPN is down, nothing will be routed over it, but you may get some ICMP messages.

            pfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • Bob.Dig (LAYER 8) @evilecho

              @evilecho For a vpn-killswitch you only tag the rule with the VPN-gateway set, if you use PBR.

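              Added illustration (editor's example, not posted by anyone in this thread and not pfSense's generated ruleset): the two tagging approaches discussed above, written in the raw pf rule syntax that underlies the Tag/Tagged fields in pfSense's rule editor. The first section is evilecho's Option 2 (a floating match rule that tags everything entering on the VLAN); the second is Bob.Dig's variant (tag only the policy-routing pass rule). The interface names, VLAN subnet and VPN gateway address are constructed placeholders, and the two sections are alternatives, not meant to be loaded together.

```pf
# Added illustration, not copied from the thread or from a pfSense ruleset.
# Interface names and the VPN gateway address below are constructed placeholders.
vlan_if = "igb1.20"      # VLAN 20 as a pfSense interface (assumption)
wan_if  = "igb0"         # the non-VPN WAN
vpn_if  = "ovpnc1"       # OpenVPN client interface
vpn_gw  = "10.8.0.1"     # VPN gateway address (constructed)

# --- Variant A: evilecho's Option 2 ---------------------------------------
# A floating "match" rule applies the tag to every packet entering on the VLAN,
# whichever pass rule later allows it. match never terminates evaluation, so
# the normal VLAN rules still run afterwards.
match in on $vlan_if tag FROM_VLAN20

# Ordinary VLAN rule: policy-route the subnet out the VPN. The packet already
# carries FROM_VLAN20 from the match rule above and keeps it in its state.
pass in quick on $vlan_if inet from $vlan_if:network to any \
    route-to ($vpn_if $vpn_gw) keep state

# Kill switch: anything tagged on the VLAN is dropped if it tries to leave via
# the non-VPN WAN, e.g. when pfSense falls back to the default gateway because
# the VPN gateway is marked down. A schedule-based rule can match
# "tagged FROM_VLAN20" the same way instead of duplicating the VLAN rules.
block out quick on $wan_if tagged FROM_VLAN20

# --- Variant B: Bob.Dig's suggestion --------------------------------------
# Instead of a catch-all match rule, tag only the pass rule that sets the VPN
# gateway, then block that tag on WAN. Only policy-routed traffic is affected;
# everything else on the VLAN stays untagged and uses its normal rules.
pass in quick on $vlan_if inet from $vlan_if:network to any \
    route-to ($vpn_if $vpn_gw) tag VPN_ONLY keep state
block out quick on $wan_if tagged VPN_ONLY
```

              In the pfSense GUI these map to a floating rule with action "Match" and the Tag field set (Variant A), or the Tag field on the interface's pass rule (Variant B), plus a floating rule on WAN, direction out, action Block, with the Tagged field set. Variant A does what the question asks for (every packet from the VLAN is tagged, so later rules can key on the tag without touching the existing rule set); Variant B limits the tag, and therefore the kill switch, to traffic that was actually policy-routed to the VPN.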
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.