How to easily block access between multiple VLANs?
-
Hi,
I have quite a lot of VLANs, and blocking each one individually on its own interface in the firewall rules has become impractical: it takes too much time to do for each VLAN, and it generates far too many rules. I need something more dynamic or automated.
To make things easier to manage, I created an Alias with all the VLANs in it and then used it in the Block rule. This works so far, with only one problem that I came across: I could not get any communication with the VLAN I was plugged into, including grabbing an IP via DHCP for my client. When I removed the rule, my client got assigned an IP address via DHCP and I could browse the internet.
How can I easily block the communication between all the VLANs that I have created with only 1, or no more than 3, rules? Is this even achievable?
Thanks
-
@4RR3N When setting up a new interface I
- copy common rules from a similar interface.
- use a format consisting of 1) local LAN rules, 2) block all other local traffic, 3) WAN rules.
As a result rule 2) is identical in all local interfaces. It uses an alias for the valid LAN address ranges.
-
@Patch said in How to easily block access between multiple VLANs?:
@4RR3N When setting up a new interface I
- copy common rules from a similar interface.
- use a format consisting of 1) local LAN rules, 2) block all other local traffic, 3) WAN rules.
As a result rule 2) is identical in all local interfaces. It uses an alias for the valid LAN address ranges.
This still puzzles me; can you provide a more in-depth explanation? All I can see on this screenshot is just Aliases being blocked. It doesn't show how the block rule excludes the VLAN that the firewall rule is run from.
-
@4RR3N The aliases cover every recommended LAN address, so the rule blocks transmission from this LAN to any other LAN which you can create (using recommended LAN, not WAN, addresses).
-
@4RR3N said in How to easily block access between multiple VLANs?:
including grabbing IP via DHCP for my client
You cannot place a rule that blocks DHCP, because when you enable DHCP, hidden rules are created that allow DHCP before the rules you place on the interface, or even on the floating tab, are evaluated.
Versus having rules that block VLAN x, y and z on your VLAN a interface: as mentioned, yes, just create an alias that contains all your networks, or for that matter all of RFC 1918 space, so you can use just one rule.
Keep in mind you would need to make sure you allow what you want before this rule, say DNS, NTP or ICMP to the pfSense IP on that interface, etc.
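To make the ordering point in the last answer concrete, here is an added example that is not part of the thread and not pfSense code: a small first-match model of one VLAN interface's ruleset. The hidden DHCP allow sits first, then the per-interface service allows (DNS, NTP, ICMP to the firewall's own address), then a single block rule whose destination is an alias for all of RFC 1918, then a catch-all pass to the WAN. The gateway address 192.168.10.1, the neighbouring VLAN 192.168.20.0/24 and the public address 203.0.113.10 are constructed for the example. A second ruleset with the block placed before the service allows shows why the answer says to allow those services first.

```python
"""First-match model of a pfSense VLAN interface ruleset (constructed example).

Addresses, rule order and the two rulesets are invented for illustration;
they are not taken from the thread or from pfSense itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The "all private space" alias suggested in the answer: all of RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = None  # wildcard for protocol, destination alias or port


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp", "icmp" or ANY
    dst: Optional[list]    # list of ip_network (an alias), or ANY
    dport: Optional[int]   # destination port, or ANY
    note: str


def matches(rule: Rule, proto: str, dst_ip: str, dport: Optional[int]) -> bool:
    """True when a packet's protocol, destination and port fit the rule."""
    if rule.proto is not ANY and rule.proto != proto:
        return False
    if rule.dst is not ANY:
        ip = ipaddress.ip_address(dst_ip)
        if not any(ip in net for net in rule.dst):
            return False
    if rule.dport is not ANY and rule.dport != dport:
        return False
    return True


def evaluate(rules: List[Rule], proto: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Interface rules are first-match: return the action and note of the
    first rule that fits, or the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action, rule.note
    return "block", "implicit default deny"


def vlan_ruleset(gateway_ip: str, services_before_block: bool = True) -> List[Rule]:
    """Ruleset for one VLAN whose pfSense address is gateway_ip (constructed)."""
    gw = [ipaddress.ip_network(gateway_ip + "/32")]
    # Hidden rule pfSense adds when its DHCP server is enabled on the interface;
    # it is evaluated before anything the user places on the interface tab.
    dhcp = [Rule("pass", "udp", ANY, 67, "hidden DHCP-server allow")]
    services = [
        Rule("pass", "udp", gw, 53, "DNS to the firewall on this VLAN"),
        Rule("pass", "udp", gw, 123, "NTP to the firewall on this VLAN"),
        Rule("pass", "icmp", gw, ANY, "ping the gateway"),
    ]
    block = [Rule("block", ANY, RFC1918, ANY, "block all other private networks (alias)")]
    internet = [Rule("pass", ANY, ANY, ANY, "everything else goes out the WAN")]
    body = services + block if services_before_block else block + services
    return dhcp + body + internet


if __name__ == "__main__":
    good = vlan_ruleset("192.168.10.1")
    bad = vlan_ruleset("192.168.10.1", services_before_block=False)
    probes = [("udp", "255.255.255.255", 67),   # DHCP discover
              ("udp", "192.168.10.1", 53),      # DNS to the gateway
              ("tcp", "192.168.20.5", 445),     # SMB to another VLAN
              ("tcp", "203.0.113.10", 443)]     # HTTPS to the internet
    for name, rules in (("services first", good), ("block first", bad)):
        print(name)
        for proto, ip, port in probes:
            action, note = evaluate(rules, proto, ip, port)
            print(f"  {proto:4} {ip:16} {port:5} -> {action:5} ({note})")
```

With the service allows placed before the block, the client still gets DHCP, resolves DNS against the gateway, is blocked from every other RFC 1918 network with one rule, and reaches the internet. Move the block above the service allows and DNS to the gateway is dropped while DHCP keeps working, since the hidden rule is evaluated first either way. Note that the gateway's own web GUI on this VLAN is also caught by the alias block unless an allow for it is added above the rule.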