Netgate Discussion Forum

    How to isolate LAN nodes

    General pfSense Questions
    • cubits

      Hi, I am new to Netgate and using pfSense+. Following is my network architecture:

      07212e0f-df66-4198-9860-370463471638-image.png

      What I am trying to achieve is to block communication between the nodes at the bottom (192.168.10.x). At the same time, I want to allow specific VPN nodes to communicate with the LAN nodes, and between the LAN nodes on a case-by-case basis, but basically remain blocked if not allowed.

      I tried giving a firewall entry to block between two nodes, and still they can communicate. What is the best solution I can get for this case?

      • lnguyen @cubits

        @cubits Use a managed switch and employ Private VLAN on the ports you want isolated.

        https://kb.vmware.com/s/article/1010691

        • cubits @lnguyen

          @lnguyen Is the Cisco SG-220 26-port switch a managed one?
          https://www.cisco.com/c/en/us/support/switches/small-business-220-series-smart-plus-switches/series.html

          • lnguyen @cubits

            @cubits Read the KB I added to my post

            • cubits @lnguyen

              @lnguyen ok, thanks much. I need a coffee to understand it. I will get back if I have any more queries.

              • stephenw10 (Netgate Administrator) @cubits

                @cubits said in How to isolate LAN nodes:

                Is the Cisco SG-220 26-port switch a managed one?

                Yes. You can separate those segments with VLANs using that switch.

                • cubits @lnguyen

                  @lnguyen I read the KB article and it looks like it is for installations with a vCenter server. But I don't have a vCenter server and just have ESXi servers. Does that mean that what I am trying to achieve is not possible with that?

                  • stephenw10 (Netgate Administrator)

                    You can still configure VLANs on the vswitches and pass those to the real switch. Then pass them all to pfSense to filter between them. Each VM could then be in a different subnet and you can filter to/from them as required.

                    • cubits
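                    To make the point above concrete, here is an added Python model (not pfSense code and not posted in the thread) of why the original block rule had no effect: two hosts in the same 192.168.10.0/24 reach each other through the switch and pfSense never sees the flow, whereas hosts in different VLAN subnets transit pfSense and can be allowed case by case against a default block. The 192.168.20.0/24 and 10.0.8.0/24 subnets, host addresses and rules are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: the flat 192.168.10.0/24 from the thread, a second VLAN
# subnet for the nodes that must be isolated from it, and the VPN client subnet.
# Subnet and host values are assumptions for this example.
SUBNETS = {
    "VLAN10": ip_network("192.168.10.0/24"),
    "VLAN20": ip_network("192.168.20.0/24"),
    "OPENVPN": ip_network("10.0.8.0/24"),
}

# First-match rule list in the spirit of pfSense interface rules:
# (action, source, destination, protocol, destination port).
# The catch-all block at the end is what keeps the segments isolated by default.
RULES = [
    ("pass", "10.0.8.0/24", "192.168.10.20/32", "tcp", 22),        # one VPN client to one LAN node
    ("pass", "192.168.10.20/32", "192.168.20.30/32", "tcp", 5432),  # one case-by-case LAN-to-LAN allow
    ("block", "0.0.0.0/0", "0.0.0.0/0", "any", None),               # everything else
]


def segment_of(addr):
    """Name of the subnet the address belongs to, or None if unknown."""
    a = ip_address(addr)
    for name, net in SUBNETS.items():
        if a in net:
            return name
    return None


def transits_firewall(src, dst):
    """pfSense only sees traffic that leaves its subnet: two hosts on the same
    VLAN talk through the switch directly, so no firewall rule can block them."""
    return segment_of(src) != segment_of(dst)


def evaluate(src, dst, proto, dport):
    """Return 'switched' when the firewall never sees the flow, otherwise the
    action of the first matching rule (default deny if nothing matches)."""
    if not transits_firewall(src, dst):
        return "switched"
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rproto, rport in RULES:
        if (s in ip_network(rsrc) and d in ip_network(rdst)
                and rproto in ("any", proto) and rport in (None, dport)):
            return action
    return "block"
```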

                      @lnguyen @stephenw10
                      I tried everything I could, but could not get it working. I created a port group with VLAN id 10 in ESXi:

                      e5241a03-3ae4-419f-b9ae-5a94051617d2-image.png

                      Then I attached a VM's NIC to this VLAN:

                      8759c0c4-f1e2-4ae1-84ab-2b428ba09df6-image.png

                      In my Cisco SG-220 switch, I added the VLAN as:

                      f1404b6f-a746-4f85-8f36-863c11cd4819-image.png

                      Ensured that the interfaces are trunk:

                      3128aab7-6bb9-4c88-8ccf-22e6cd35a72e-image.png

                      And then, I enabled VLAN tagging on the respective ports:

                      f5960785-ab65-46ff-8398-5183b5e8634d-image.png

                      And finally, I have pfSense with the VLAN as:

                      de3650d6-2f43-460a-bd61-48ad8a3ea247-image.png

                      with an interface as:

                      9c26e3c0-454f-467c-a264-a624bc21893a-image.png

                      with DHCP server enabled as:

                      2ed24adc-022d-4976-be5c-83bf9895e141-image.png

                      But, still, I do not get an IP address dynamically inside the VM.

                      What is the best way to troubleshoot this?

                      • lnguyen @cubits

                        @cubits Where is your VLAN10 tag on the Cisco switchport for the uplink to the pfSense firewall?

                        • stephenw10 (Netgate Administrator)

                          Yes, which port is which there?

                          • cubits

                            @lnguyen @stephenw10 That did the trick, thanks much for helping me out. It was GE25 that the pfSense upstream cable was plugged into.

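                            As an added example (not from the thread, Netgate or Cisco), a small Python check that walks the tagged path configured above, ESXi port group, switch trunk ports, pfSense VLAN interface, and reports every hop where the VLAN is missing; the switch port name GE1, the parent NIC name igb1 and the before/after switch states are constructed assumptions, GE25 and VLAN 10 come from the thread.

```python
# Constructed model of the thread's setup: an ESXi port group tagged VLAN 10,
# the ESXi uplink into the Cisco SG-220 (GE1, assumed), the trunk port up to
# pfSense (GE25, per the thread) and the VLAN defined on pfSense's parent NIC
# (igb1, assumed).
ESXI = {"portgroup_vlan": 10, "uplink_switchport": "GE1"}
PFSENSE = {"parent_if": "igb1", "vlans": {10}, "switchport": "GE25"}


def check_vlan_path(switch_ports, vlan, esxi=ESXI, pfsense=PFSENSE):
    """Return the list of hops where `vlan` is not carried (empty list = ok).
    switch_ports maps port name -> {"mode": "trunk"|"access", "tagged": set()}."""
    problems = []
    if esxi["portgroup_vlan"] != vlan:
        problems.append(f"ESXi port group carries VLAN {esxi['portgroup_vlan']}, not {vlan}")
    # Both switch ports on the path must be trunks that tag the VLAN; forgetting
    # the pfSense-facing one is exactly what left the VM without DHCP.
    for role, port in (("ESXi uplink", esxi["uplink_switchport"]),
                       ("pfSense uplink", pfsense["switchport"])):
        cfg = switch_ports.get(port)
        if cfg is None:
            problems.append(f"{role} port {port} not found on switch")
        elif cfg["mode"] != "trunk":
            problems.append(f"{role} port {port} is not a trunk")
        elif vlan not in cfg["tagged"]:
            problems.append(f"{role} port {port} does not tag VLAN {vlan}")
    if vlan not in pfsense["vlans"]:
        problems.append(f"pfSense has no VLAN {vlan} on {pfsense['parent_if']}")
    return problems


# Constructed switch state as first described: VLAN 10 tagged on the VM-facing
# port but not on GE25, the trunk to pfSense.
BEFORE = {
    "GE1": {"mode": "trunk", "tagged": {10}},
    "GE25": {"mode": "trunk", "tagged": set()},
}
# After the fix: VLAN 10 tagged on GE25 as well.
AFTER = {
    "GE1": {"mode": "trunk", "tagged": {10}},
    "GE25": {"mode": "trunk", "tagged": {10}},
}
```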
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.