Difference between Source = Any vs Source = Specific VLAN
-
Hello everyone
I have this question that's been bothering me for a while now. I have several VLANs created on my XG-7100 pfSense box. New VLANs created do not have their rules auto-created for them, unlike the default VLAN. Whenever I create a rule for my new VLAN, let's say VLAN 20, which is a Sales VLAN for instance, that will allow Internet access (this is a wide open rule which allows inter-VLAN routing too), I have two options in the source to choose from. You either can set Source to Sales Net
or you can set Source to Any
I always prefer to set source to a specific VLAN. So the question is which option is the most recommended one. I see a lot of people go with the second option. Why?
-
@wintok
Good advice is to state only the respective subnet as source in pass rules, but any in block rules.
So you limit the allowed traffic to exactly what you want and block anything else, without needing to care what exactly.
-
@wintok I always use the specific VLAN of the interface as source. Any would be viable for a transit network you're setting up, where you might be adding future downstream networks that are routed through the transit.
But rules should always be as specific as possible. I wouldn't use any on a VLAN that should only ever see traffic from the specific VLAN. The only time you should ever see traffic from anything else would be if you're using this interface as a transit network.
-
@johnpoz Appreciate your prompt reply and thank you very much
-
@viragomann Appreciate your prompt reply and thank you very much
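As an added illustration of the two answers above (not from any poster in this thread), here is what the "specific subnet in pass rules, any in block rules" pattern looks like in the pf syntax that pfSense generates underneath its GUI. The interface name `igb1.20` and the subnet `192.168.20.0/24` are assumed placeholders for the Sales VLAN.

```pf
# Added example, not pfSense's generated ruleset. Interface and subnet
# are assumed values standing in for the "Sales" VLAN 20 in the thread.
sales_if  = "igb1.20"          # assumed: VLAN 20 tagged on igb1
sales_net = "192.168.20.0/24"  # assumed: the "Sales net" subnet

# Pass rule with the source pinned to the interface's own subnet: only
# packets that legitimately originate on the Sales VLAN are forwarded.
pass in quick on $sales_if inet from $sales_net to any keep state

# Block rule with source "any": a packet arriving on VLAN 20 whose source
# is outside the Sales subnet (spoofed, misconfigured host, or a network
# routed in from downstream) hits this rule and is logged, not forwarded.
block in log quick on $sales_if inet from any to any

# The "Source = any" pass rule the question asks about. On a plain edge
# VLAN it behaves the same only while nothing else ever arrives on that
# interface; it is appropriate only when $sales_if is a transit link that
# carries downstream networks, as the second answer describes.
# pass in quick on $sales_if inet from any to any keep state
```

On pfSense the trailing block is already implied by the default deny, so the practical difference between the two styles lies entirely in what the pass rule admits.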