VLAN to VLAN



  • Using the latest AMD64 snapshot.

    I have 3 VLANs: LAN, VoIP and Video. Last I checked, all 3 VLANs were isolated on pfSense and a client on one VLAN was not able to ping or communicate with the other two. And that is how I liked it, for security and manageability.

    By a typing error I just did a ping from LAN to VoIP and I saw a ping response. I was surprised and checked the third VLAN, with a similar result. In fact all 3 of my VLANs are able to talk to each other without any issues.

    What could be the cause for this? I have not changed or added any rules. Just updated to the latest snapshot from May 25th snapshot.



  • Please post your firewall rules for interfaces LAN, VoIP and Video.



  • Standard rules, the same as the default LAN rule. I've always had these in.

    ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
        TCP/UDP  VOIP net   *     *            *     *        none             VoIP

    ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
        TCP/UDP  VIDEO net  *     *            *     *        none             Video

    ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
        *        LAN net    *     *            *     *        none             Default allow LAN to any rule


  • If I'm not mistaken, those rules actually allow access between VLANs, not prevent it.  You need to change the rules to something like:

    ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
        TCP/UDP  VOIP net   *     VOIP net     *     *        none             VoIP

    ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
        TCP/UDP  VIDEO net  *     VIDEO net    *     *        none             Video

    ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
        *        LAN net    *     LAN net      *     *        none             Default allow LAN to any rule

    The only other thing you need is a rule to allow internet access to each VLAN as well; I would provide it but I am in the process of figuring that part out myself.  Assuming your VLANs all have different subnets, perhaps when you tested originally, the devices you pinged had their own firewalls which blocked the traffic from a different subnet and the device you pinged recently does not.  All supposition of course, not knowing all the details of your setup.



  • I assume those rules posted are PASS rules rather than BLOCK rules.

    Firewall rules are processed top down, terminating on first match.

    On VoIP interface, to allow access to the internet and block access to LAN subnet AND Video subnet you could use a ruleset like the following:

    ID   Proto     Source   Port   Destination   Port   Gateway   Queue   Schedule   Description  
    BLOCK     TCP/UDP    VOIP net    *    VIDEO net      *        *        none             Block VoIPnet to Videonet
    BLOCK     TCP/UDP    VOIP net    *    LANnet         *        *        none             Block  VoIPnet to LAN net        
    ALLOW     TCP/UDP    VOIP net    *    *              *        *        none             Allow VoIP to everywhere else

    You might want to enable logging on some of the block rules to see who is trying to get somewhere they shouldn't go.


  • Netgate Administrator

    @Swordforthelord:

    If I'm not mistaken, those rules actually allow access between VLANs, not prevent it.  You need to change the rules to something like:

    ID  Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
        TCP/UDP  VOIP net  *     VOIP net     *     *        none             VoIP

    A rule configured as above, assuming this is an 'allow' rule, would allow access only to the VOIP subnet. You would not have internet access with this rule!

    Steve



  • An even easier solution would be to use aliases.

    Create an alias containing all your local subnets.
    Assuming that all your local subnets are RFC1918:

    Alias: rfc1918_nets
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

    Now create a single allow rule with the rfc1918_nets alias, negated, as the destination.

    ID   Proto     Source   Port   Destination     Port   Gateway   Queue   Schedule   Description  
    ALLOW     TCP/UDP    VOIP net    *    !rfc1918_nets    *        *        none             Allow all destinations except local ones.
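    The three rulesets discussed in this thread (the original "VOIP net to any" rule, wallabybob's block-then-allow ordering, Steve's point that "VOIP net to VOIP net" gives no internet, and the negated rfc1918_nets alias above) differ only in how first-match evaluation plays out. This is an added simulation, not part of the original posts or of pfSense itself: it assumes the /24 subnets posted later in the thread, ignores the protocol and port columns, and applies pfSense's implicit default deny when no rule matches.

```python
"""Simulate pfSense-style first-match rule evaluation for the VLAN rulesets in this thread."""
from ipaddress import ip_address, ip_network

# Subnets as posted later in the thread (all /24); rfc1918_nets is the suggested alias.
NETS = {
    "LAN net": [ip_network("10.0.1.0/24")],
    "VOIP net": [ip_network("10.0.2.0/24")],
    "VIDEO net": [ip_network("10.0.3.0/24")],
    "rfc1918_nets": [ip_network("10.0.0.0/8"),
                     ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")],
}


def matches(spec, addr):
    """True if addr matches spec: '*' (any), 'NAME' (alias/net), or '!NAME' (negated)."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    hit = any(addr in net for net in NETS[spec.lstrip("!")])
    return not hit if negate else hit


def evaluate(rules, src, dst):
    """Walk the interface ruleset top-down; first match wins.

    rules is a list of (action, source_spec, destination_spec) tuples.
    With no match, pfSense blocks the packet (implicit default deny).
    """
    s, d = ip_address(src), ip_address(dst)
    for action, src_spec, dst_spec in rules:
        if matches(src_spec, s) and matches(dst_spec, d):
            return action
    return "BLOCK"


# Ruleset as originally posted for the VoIP interface: allows VoIP -> everything.
ORIGINAL = [("ALLOW", "VOIP net", "*")]
# wallabybob's ordering: explicit blocks first, then allow the rest (internet).
BLOCK_FIRST = [("BLOCK", "VOIP net", "VIDEO net"),
               ("BLOCK", "VOIP net", "LAN net"),
               ("ALLOW", "VOIP net", "*")]
# Same rules in the wrong order: the allow matches first, so the blocks never fire.
WRONG_ORDER = [("ALLOW", "VOIP net", "*"),
               ("BLOCK", "VOIP net", "LAN net")]
# Steve's point: destination limited to VOIP net gives no internet access at all.
SELF_ONLY = [("ALLOW", "VOIP net", "VOIP net")]
# GruensFroeschli's single rule with the negated alias as destination.
ALIAS = [("ALLOW", "VOIP net", "!rfc1918_nets")]
```

Evaluating ALIAS against the VoIP interface address 10.0.2.1 returns BLOCK, which is why a separate rule for the pfSense DNS forwarder on port 53 has to sit above it.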



  • I know, I said that in my post.  :)

    @stephenw10:

    @Swordforthelord:

    If I'm not mistaken, those rules actually allow access between VLANs, not prevent it.  You need to change the rules to something like:

    ID  Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
        TCP/UDP  VOIP net  *     VOIP net     *     *        none             VoIP

    A rule configured as above, assuming this is an 'allow' rule, would allow access only to the VOIP subnet. You would not have internet access with this rule!

    Steve


  • Netgate Administrator

    @Swordforthelord
    Ah OK, should have read more carefully!  :-[

    Still the rules you have posted there do virtually nothing. They only allow traffic to access services on the pfSense box itself.
    Clearly there is no need to allow traffic with source subnet123 and destination subnet123 as most of this traffic is not going through pfSense anyway.

    @GruensFroeschli
    I use an alias just as you've described however I've always wondered if such an alias does not exist anyway. It seems to be used in the 'block private networks' rule if enabled. Does it exist behind the scenes?

    Steve



  • All,
    The LAN rule is the default rule set during the pfSense install. I did not create it. Other posts on these forums showed how to give the VoIP and Video VLANs access to the internet, and that's what I have put in the rules.

    Furthermore, these rules have been in effect for the last 4 months with no issues. I was not able to communicate with the other VLANs from one. In fact I had posted this very topic where I was not able to get VLANs to talk to each other, and I was advised not to do it for security purposes, and it made sense.

    Now the problem is that I do not want the VLANs seeing or talking to each other. I have not changed anything on the smart switch since the day the network was configured.

    Maybe I need to do a clean install of pfSense?


  • Netgate Administrator

    Well I don't understand how that could have happened.  :-
    The rules you posted here will allow traffic between interfaces.
    I suggest you do as GruensFroeschli  described above:
    Create an alias that contains all your local subnets.
    Change the firewall rules for each interface to allow traffic with destination 'not local subnets'.
    You will also have to put in a rule above that to allow access to the pfSense DNS forwarder on port 53 on the VLANs.

    Steve



  • I have the same subnet mask (24) across all 3 VLANs. Could that be an issue?

    WAN (wan)      -> em0        -> x.x.x.x (DHCP)
    LAN (lan)      -> em1_vlan1  -> 10.0.1.1 (earlier it was subnet mask 8, could this be why I couldn't ping other VLANs)
    VOIP (opt1)    -> em1_vlan2  -> 10.0.2.1
    VIDEO (opt2)   -> em1_vlan3  -> 10.0.3.1



  • The only way to be sure that there is no connection/communication between different VLANs is this:
    @wallabybob:

    I assume those rules posted are PASS rules rather than BLOCK rules.

    Firewall rules are processed top down, terminating on first match.

    On VoIP interface, to allow access to the internet and block access to LAN subnet AND Video subnet you could use a ruleset like the following:

    ID  Proto    Source  Port  Destination  Port  Gateway  Queue  Schedule  Description 
    BLOCK    TCP/UDP    VOIP net    *    VIDEO net      *        *        none            Block VoIPnet to Videonet
    BLOCK    TCP/UDP    VOIP net    *    LANnet        *        *        none            Block  VoIPnet to LAN net       
    ALLOW    TCP/UDP    VOIP net    *    *              *        *        none            Allow VoIP to everywhere else

    or this one:

    @GruensFroeschli:

    An even easier solution would be to use aliases.

    Create an alias containing all your local subnets.
    Assuming that all your local subnets are RFC1918:

    Alias: rfc1918_nets
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

    Now create a single allow rule with the rfc1918_nets alias, negated, as the destination.

    ID  Proto    Source  Port  Destination    Port  Gateway  Queue  Schedule  Description 
    ALLOW    TCP/UDP    VOIP net    *    !rfc1918_nets    *        *        none            Allow all destinations except local ones.

