Rules for multiple VLANs (part2)

    Hello,

    Following these posts and the very helpful information from GruensFroeschli, I have a question (in fact two questions):

    I do such setups all the time.

    Create an alias containing all the subnets you have. (in screenshot called "local_subnets")

    1: The first rule is to ensure access to the pfSense itself to be able to access the DNS-forwarder.
    2: The second rule is multiWAN specific
    3: The third rule is what interests you. The destination is set to : "NOT local_subnets"

    Like this, users from the specific subnet can access anything except the subnets you defined in "local_subnets".

    1: Create an alias containing all your vlans.
    2: Create a single "allow" rule with
      source: any
      destination: !youralias (NOT your alias)
    3: Repeat 2. on each VLAN interface.

    Like this, traffic to the internet will be allowed, but traffic to your VLANs will be denied by the default block-all rule.

    GruensFroeschli's config allows traffic to the internet and blocks traffic between VLANs.

    • With the same kind of rules, how do I allow traffic to the internet, but in a restrictive way (only http, https, smtp, smtps, pop, pop3…)?
      I have created an alias containing all allowed outgoing ports. Let's call it "out_allow". Where is it best to put a rule containing this alias, and how should this rule be written?

    • Second question: how do I mostly block inter-VLAN traffic but(!) allow some exceptions? For example, allowing access to one printer used by different VLANs.
      Where is it best to put the rule(s) allowing inter-VLAN traffic, and how should they be written?

    The goal is to block most inter-VLAN traffic and only allow some traffic to the internet (not all) in a multi-VLAN network.

    If you have this kind of config, or if you are also interested in these two questions, don't hesitate. If you need more information about my questions, or if my English is not understandable... don't hesitate to tell me.

    Thanks for your help, advice, information, questions.
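Added example (not part of the original post or of GruensFroeschli's config): a small simulator of how pfSense evaluates the rules on one VLAN interface, so that the ordering behind both questions can be checked offline. pfSense applies interface rules first-match (every rule is "quick"), and anything that matches no rule hits the implicit default deny. The addresses, the `out_allow` port set and the printer exception below are constructed assumptions; the three-rule layout is one possible answer, not the only one. The second ruleset (`WRONG_RULES`) shows the common mistake of restricting the ports but forgetting the "NOT local_subnets" destination, which silently re-opens inter-VLAN traffic on the allowed ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed aliases (hypothetical addresses, not taken from the post).
ALIASES = {
    "local_subnets": ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"],
    "this_firewall": ["10.10.0.1/32", "10.20.0.1/32", "10.30.0.1/32"],
    "shared_printer": ["10.30.0.50/32"],   # the one printer used by several VLANs
}
PORT_ALIASES = {
    "out_allow": {80, 443, 25, 465, 110, 995},  # http, https, smtp, smtps, pop3, pop3s
    "dns": {53},
    "printer_ports": {9100, 631},                # raw/JetDirect and IPP (assumption)
}


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    dst: str                       # alias name, or "any"
    dst_negate: bool = False       # True models pfSense's "NOT" checkbox on the destination
    dports: Optional[str] = None   # port alias name, or None for any port
    label: str = ""


def ip_in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def rule_matches(rule: Rule, dst_ip: str, dport: int) -> bool:
    if rule.dst != "any":
        hit = ip_in_alias(dst_ip, rule.dst)
        # Plain alias matches when the address is in it; negated alias when it is not.
        if hit == rule.dst_negate:
            return False
    if rule.dports is not None and dport not in PORT_ALIASES[rule.dports]:
        return False
    return True


def evaluate(rules, dst_ip: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation, as on a pfSense interface tab; no match -> default deny."""
    for rule in rules:
        if rule_matches(rule, dst_ip, dport):
            return rule.action, rule.label
    return "block", "default deny"


# One possible answer to both questions, placed on each VLAN interface (assumption):
#   1. reach the DNS forwarder on pfSense itself
#   2. the inter-VLAN exception (printer), restricted to printing ports
#   3. internet only, and only on the ports in out_allow
# Order between 2 and 3 does not matter here (3 cannot match the printer's address),
# but 2 must precede any explicit block-local rule you might add later.
VLAN_RULES = [
    Rule("pass", "this_firewall", dports="dns", label="1: DNS forwarder on pfSense"),
    Rule("pass", "shared_printer", dports="printer_ports", label="2: inter-VLAN exception: printer"),
    Rule("pass", "local_subnets", dst_negate=True, dports="out_allow", label="3: internet, out_allow only"),
]

# The mistake: same port restriction, but destination "any" instead of "NOT local_subnets".
WRONG_RULES = [
    Rule("pass", "this_firewall", dports="dns", label="1: DNS forwarder on pfSense"),
    Rule("pass", "shared_printer", dports="printer_ports", label="2: inter-VLAN exception: printer"),
    Rule("pass", "any", dports="out_allow", label="3 (wrong): any destination, out_allow only"),
]


if __name__ == "__main__":
    cases = [
        ("93.184.216.34", 443),  # internet, allowed port
        ("93.184.216.34", 23),   # internet, telnet: not in out_allow
        ("10.20.0.15", 443),     # another VLAN, even on an allowed port
        ("10.30.0.50", 9100),    # the shared printer
        ("10.30.0.50", 22),      # the printer on a non-printing port
        ("10.10.0.1", 53),       # pfSense's own DNS forwarder
    ]
    for name, rules in (("VLAN_RULES", VLAN_RULES), ("WRONG_RULES", WRONG_RULES)):
        print(name)
        for ip, port in cases:
            print(f"  {ip}:{port:<5} -> {evaluate(rules, ip, port)}")
```

Run it and compare the two rulesets: with `VLAN_RULES`, 10.20.0.15:443 is dropped by the default deny while 93.184.216.34:443 and the printer on 9100 pass; with `WRONG_RULES`, the same 10.20.0.15:443 passes, because a port-only restriction on a destination of "any" still covers the other VLANs. On a real pfSense box, the "NOT" goes in the destination field of the rule, and the port alias in its destination port field, so both conditions sit in one rule rather than two.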

