VLAN and firewall rules
-
Hi,
I'm trying to move two subnets from LAN and OPT interfaces to VLANs utilizing a ProCurve 1800 switch.
I have most of it working, but firewall rules do not work as intended, so I'm wondering if there's something that's not configured right. pfSense is not directly connected to the internet; its intended use is as an internal firewall to segregate subnets. NAT is disabled. I'm using 1.2.3.
I've set up an interface (em3) as a parent and created VLAN2 and VLAN3 under it. That interface is connected to ProCurve port 24, which is configured to accept tagged traffic only and is a member of VLAN2 and VLAN3, no PVID. So I have a WAN interface, an unused LAN interface and a parent interface for the VLANs. Other ports in the switch are 1-6 (accept all traffic, PVID 2) and 7-12 (accept all, PVID 3). The remaining ports are unused.
Both VLANs can access the internet and each other, DHCP works for VLAN2 as intended, etc. But I'm having a hard time grasping how firewall rules are supposed to work in this setting.
For example, I have created a test rule to block SSH on the VLAN3 interface from any source to the VLAN3 subnet. This has no effect. However, if I create a similar rule on the WAN interface and try to connect from outside, that works as expected.
Can someone point out any reasons why filtering on VLAN interfaces fails? I guess it could be a misconfiguration on the switch, as I'm new to VLANs. The ports that are only part of a single VLAN and accept all traffic are also set to be "VLAN aware" and not to perform ingress filtering.
Any responses greatly appreciated.
–Juha
-
For example, I have created a test rule to block SSH on the VLAN3 interface from any source to the VLAN3 subnet. This has no effect. However, if I create a similar rule on the WAN interface and try to connect from outside, that works as expected.
In pfSense, firewall rules apply on the input side of the box. Hence, if you want to block SSH access to the VLAN3 subnet from VLAN2 and LAN, you need appropriate rules on VLAN2 and LAN. Attempting to block SSH access to VLAN3 with a firewall rule on VLAN3 can only block access to VLAN3 FROM VLAN3, which isn't likely to be very useful :-)
I'm not aware of any way in which firewall rules on VLAN interfaces differ from firewall rules on non-VLAN interfaces.
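The ingress-side evaluation described in the reply, written out as an added example in raw pf syntax (not from the original thread, and not what the pfSense GUI generates verbatim). The interface names vlan2/vlan3/lan and the three /24 subnets are assumed; a GUI rule "on the VLAN3 interface" corresponds to an `in on vlan3` rule here.

```pf
# Constructed example mirroring the thread's layout; interface names and
# subnets are assumed. A pf interface rule matches packets ENTERING the
# firewall on that interface ("in on ..."), so a rule placed on the
# destination VLAN's interface never sees traffic arriving from elsewhere.
vlan2_net = "192.168.2.0/24"   # hosts on switch ports 1-6 (PVID 2)
vlan3_net = "192.168.3.0/24"   # hosts on switch ports 7-12 (PVID 3)
lan_net   = "192.168.1.0/24"   # hosts on the (currently unused) LAN interface

# Ineffective, equivalent to the original test rule: it only matches SSH
# that enters on vlan3, i.e. VLAN3 -> VLAN3 traffic, and the switch forwards
# that locally within the VLAN without ever handing it to the firewall.
block in quick on vlan3 proto tcp from any to $vlan3_net port 22

# Effective: filter on the interfaces where the packets actually enter.
# "log" makes blocked attempts visible in the firewall log for monitoring.
block in log quick on vlan2 proto tcp from $vlan2_net to $vlan3_net port 22
block in log quick on lan   proto tcp from $lan_net   to $vlan3_net port 22

# Then allow the remaining traffic from each segment (the "any" rules the
# thread already relies on for internet and inter-VLAN access).
pass in quick on vlan2 from $vlan2_net to any keep state
pass in quick on lan   from $lan_net   to any keep state
pass in quick on vlan3 from $vlan3_net to any keep state
```

The same reasoning explains why the WAN test worked: outside traffic enters on the WAN interface, so a rule there is on the input side of that path.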
-
Thanks, I had misunderstood how filtering is applied, but this cleared it up.