Why can my VLAN ping other devices on different subnet?

rasputinthegreatest · Feb 22, 2025, 7:46 AM

I am playing around with VLANs for the first time and it looks like I am missing something.
I have my pfSense box (port 1 for WAN and port 2 for LAN) with a managed switch behind it.
On my managed switch port 5 is connected to my pfSense box. On my managed switch port 1 should be my new VLAN 20 (10.0.20.1/24). Another device is connected on port 6.
I attached screenshots of how it is setup so far. Is my assumption correct that I would need to create a VLAN for port 6 (192.168.1.1/24) as well for both networks to NOT see each other? Because atm I can ping both subnets. Or am I doing the tagging wrong inside my managed switch? Especially the tagging part is a little confusing to me. I have removed port 1 from the default VLAN and tagged port 5 coming from my pfSense box. Any help is appreciated.

login-to-view login-to-view login-to-view login-to-view login-to-view login-to-view

johnpoz · Feb 22, 2025, 8:25 AM

@rasputinthegreatest well yeah they would be able to talk to each other - unless you setup firerwall to not allow them.

What are you rules on these networks.. out of the box lan rule is any any so sure it could talk to any network connected to your pfsense. What are the rules you put on the laptop network?

rasputinthegreatest · Feb 22, 2025, 9:18 AM

@johnpoz This is the rule on the laptop network
https://forum.netgate.com/assets/uploads/files/1740210309453-4.jpg
So if I set it to block instead of pass would I still have internet access on that subnet?

Bob.Dig · Feb 22, 2025, 10:24 AM

@rasputinthegreatest said in Why can my VLAN ping other devices on different subnet?:

So if I set it to block instead of pass would I still have internet access on that subnet?

No? It looks like you are playing around with any LAN for the first time.

rasputinthegreatest · Feb 22, 2025, 10:30 AM

@Bob-Dig I am new to pfsense and firewall rules. I am trying to have separate subnets that can't communicate with each other. Like one for IoT devices and one for my work computer for example. So far I haven't managed to do so with my setup. It looks like this Fritzbox -> pfsense box -> managed switch and I want the ports of the switch to be isolated from each other

Bob.Dig · Feb 22, 2025, 10:34 AM

@rasputinthegreatest said in Why can my VLAN ping other devices on different subnet?:

I am new to pfsense and firewall rules.

Here are two videos for beginners, in German.

rasputinthegreatest · Feb 22, 2025, 11:29 AM

@Bob-Dig Thanks Bob. The extra rules explained in the video did the trick.