Netgate Discussion Forum

    where should i create allow firewall rules (source VLAN or destination VLAN) ?

    Category: Firewalling
    3 Posts 3 Posters 683 Views
    bkalem
      last edited by bkalem

      Hello,

      Two VLANs connected to a physical switch and routed by a pfSense Netgate 4100:

      • VLAN 10: 192.168.10.0/24
      • VLAN 20: 192.168.20.0/24

      I want to allow only VLAN 10 to communicate with VLAN 20.

      Could you please help me understand where the allow firewall rule needs to be created?
      [image: vlan pfsense.JPG]

      • In source VLAN 10: I create the allow firewall rule
        VLAN_10_NETWORK -> VLAN_20_NETWORK
      • In destination VLAN 20: I create the allow firewall rule
        VLAN_10_NETWORK -> VLAN_20_NETWORK
      • In both source VLAN 10 and destination VLAN 20: I create the allow firewall rule
        VLAN_10_NETWORK -> VLAN_20_NETWORK

      Thank you in advance for your help.

      the other @bkalem
        last edited by

        @bkalem
        Hey there,
        you create rules on the incoming interface...
        So:
        need to get from VLAN A to VLAN B... set a rule: pass, Source: VLAN A, Destination: VLAN B, Ports: any (or what you need), on interface VLAN A.

        Should do the trick...
        :)

        the other

        pure amateur home user, no business or professional background
        please excuse poor english skills and typpoz :)

          johnpoz LAYER 8 Global Moderator @bkalem
            last edited by johnpoz

          @bkalem Traffic is evaluated as it enters the pfsense interface from the network attached to it.

          If you want vlan 10 to be able to talk to something in vlan 20.. pfsense sees the traffic as it enters the vlan 10 interface from vlan 10, so this is where the rule would go to allow what you want into the destination (vlan 20 net)..

          Unless you create floating rules, pfsense never evaluates traffic as it exits an interface into a network.

          There is no need for a return rule in vlan 20, since the return traffic from vlan 20 to vlan 10 would be allowed by the state that pfsense creates when it allowed the traffic on vlan 10.

          Think of pfsense as a building; you're standing in the middle of the building. The point where traffic tries to enter a door from outside the building is where the rules are evaluated..

          If someone tries to enter your building (pfsense) from vlan 10 through the vlan 10 door, this is where you would allow them to enter or not.. Let's say that traffic was going to vlan 20, then you would allow it, but maybe it's trying to go to vlan_12, so you deny that.. But the rules are placed on the interface where the traffic would enter the building (pfsense).

          Keep in mind rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

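          The evaluation order johnpoz describes (ingress interface only, state table before rules, top-down first match, no return rule on the destination VLAN) as an added example; this is a simplified model written for this thread, not pfSense or pf code, and it keys states on source and destination address only, where real pf states also track protocol and ports. The interface names and host addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # network the packet's source must belong to
    dst: str     # network the packet's destination must belong to

@dataclass
class Firewall:
    # Rule lists are keyed by the interface the packet ENTERS on; nothing is
    # evaluated on the way out (floating rules are not modelled here).
    rules: dict
    states: set = field(default_factory=set)  # (src, dst) of allowed flows

    def evaluate(self, iface, src, dst):
        """Decide a packet arriving on `iface`; returns 'pass' or 'block'."""
        # 1. State table first: replies of an allowed flow need no rule at all.
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass"
        # 2. Then the ingress interface's rules, top down; first match wins.
        for r in self.rules.get(iface, []):
            if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
                if r.action == "pass":
                    self.states.add((src, dst))  # remember the flow for its replies
                return r.action
        return "block"  # implicit default deny on an interface with no match

# Constructed config matching the thread: the allow rule lives on VLAN 10 only.
VLAN_10_NETWORK, VLAN_20_NETWORK = "192.168.10.0/24", "192.168.20.0/24"

def demo():
    fw = Firewall(rules={
        "VLAN10": [
            Rule("block", "192.168.10.66/32", VLAN_20_NETWORK),  # specific deny above...
            Rule("pass", VLAN_10_NETWORK, VLAN_20_NETWORK),      # ...the general allow
        ],
        "VLAN20": [],  # no rules at all on the destination VLAN
    })
    return {
        "10_to_20": fw.evaluate("VLAN10", "192.168.10.5", "192.168.20.5"),         # pass
        "reply_20_to_10": fw.evaluate("VLAN20", "192.168.20.5", "192.168.10.5"),   # pass via state
        "new_20_to_10": fw.evaluate("VLAN20", "192.168.20.7", "192.168.10.5"),     # block: VLAN 20 cannot initiate
        "blocked_host": fw.evaluate("VLAN10", "192.168.10.66", "192.168.20.5"),    # block: first match wins
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```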