Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Thoughts on my firewall rules and a few questions

    Scheduled Pinned Locked Moved
    Firewalling
    ping failure firewall rules vlans sg-2100
    2
    6
    804
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Johan 2
      last edited by

      Hey guys, I just got my pfSense router configured with some VLANs and wanted some input on how I set up the firewall rules. They seem to work as I intend for the most part, though they probably could be reworked to achieve the same result with less rules, but my main issue is my PC CAN NOT ping across these VLANs. I suspect this has to do with my PC and not the firewall rules because other devices CAN ping across VLANs just as think they should given the firewall rules I set up.

      Below I will include my firewall rules for each of my VLANs, what I'm trying to achieve with this setup, and what I have already tried to troubleshoot this

      Here is what I'm trying to achieve:

      LAN - 172.16.1.1/24 - Only devices on LAN are my unifi switch and AP

      Guest VLAN - 172.16.70.1/24 - VLAN for guest devices (internet access only)

      Home VLAN - 172.16.80.1/24 - VLAN for trusted devices at home (Needs access to NAS on Servers VLAN, and Philips Hue on IoT VLAN)

      Servers VLAN - 172.16.100.1/24 - VLAN for all servers (NAS on Servers VLAN Needs access to IP Cameras on IoT VLAN)

      IoT VLAN - 172.16.200.1/24 - VLAN for Iot devices (internet access only)

      These are the firewall rules I have for each VLAN:

      Screenshot 2023-05-21 at 19-44-35 pfSense.home.arpa - Firewall Rules LAN.png

      Screenshot 2023-05-21 at 19-44-48 pfSense.home.arpa - Firewall Rules SERVERS.png

      Screenshot 2023-05-21 at 19-45-02 pfSense.home.arpa - Firewall Rules IOT.png

      Screenshot 2023-05-21 at 19-45-28 pfSense.home.arpa - Firewall Rules GUEST.png

      Screenshot 2023-05-21 at 19-45-15 pfSense.home.arpa - Firewall Rules HOME.png

      What I have tried:

      1. I have tested the firewall rules I have set up with my macbook connected to wifi on Servers VLAN by disabling a rule to block access to another VLAN pinging that VLAN sucessfuly then enabling the block rule and having the ping fail, so I know the rules are doing what I want so that shouldn't be the issue

      2 . I have tried a different OS - My PC that will not ping between the VLANs dual boots Linux mint and Windows 11. I have tried on both these Operating Systems to ping across VLANs with no success

      1. I have disabled the firewall completely on both Linux and win 11. This does not allow me to ping across VLANs

      2. I have connected the PC in question to the network through the switch on the back of my pfSense router (netgate sg-2100), to the unifi switch connected to the pfSense router, and VIA WiFi. None of these connection methods allow for a ping across VLANs

      Now that you hopefully have enough info about my network setup. These are my questions

      1. Why can't this pc ping but others (VMs and Macbook) can?

      2. If my IP cameras on on the IoT VLAN and the NAS the cameras record to is on the Servers VLAN do I need to allow both VLANs access to each other? Or can I have it set up as it is now, so only the Servers VLAN has access to the IoT VLAN, but IoT has no access to Servers VLAN. ( hopefully this makes sense )

      3. Do my current rules accomplish what I have described here? If yes is there a way to refine them to accomplish the same thing with less rules? and if not how should I change it do achieve what I have described

      4. Any other suggestions you have on things I can improve

      This is my first post here so hopefully that's enough info. Please let me know if you need to know anything else, and thank you for taking the time to read all this. Any thoughts are appreciated, thanks.

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @Johan 2
        last edited by

        @johan-2 Your Pc is on Home? Seems like it should work. Its gateway is correct? You can check for an open state when you ping…

        On Guest you may want to block to This Firewall ports 80/443/22 if you don’t want guests to be able to log in to pfSense. Allow DNS though.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        J 1 Reply Last reply Reply Quote 0
        • J
          Johan 2 @SteveITS
          last edited by

          @steveits Yes, the PC is on Home. I just double checked the gateway and it is correct. What does check for an open state mean? I'm fairly new this. and I will block firewall on Guest I didn't think about that thanks.

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @Johan 2
            last edited by

            @johan-2 https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

            If you click the link in the states column it will show you open states/connections. If one is created for your ping pfSense is passing the packet and therefore isn’t the issue.

            Usually either a gateway is missing so the connection or reply can’t go anywhere, or a firewall on the target host doesn’t allow connections from a different subnet.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            1 Reply Last reply Reply Quote 0
            • J
              Johan 2
              last edited by

              @steveits Well, I feel pretty stupid. I didn't think about my VPN so I turned it off and sure enough everything works fine now. Thanks for all your help and quick replies

              S 1 Reply Last reply Reply Quote 0
              • S
                SteveITS Rebel Alliance @Johan 2
                last edited by

                @johan-2 Ah. Not using pfSense as the gateway, then. :)

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post