Netgate Discussion Forum

    VLAN to VLAN

    2.0-RC Snapshot Feedback and Problems - RETIRED
    13 Posts 6 Posters 5.3k Views
      asterix

      Using the latest AMD64 snapshot.

      I have 3 VLANs: LAN, VoIP and Video. Last I checked, all 3 VLANs were isolated on pfSense and a client on one VLAN was not able to ping or communicate with the other two. And that is how I liked it, for security and manageability.

      By a typo I just did a ping from LAN to VoIP and I saw a ping response. I was surprised and checked the third VLAN with a similar result. In fact all 3 of my VLANs are able to talk to each other without any issues.

      What could be the cause for this? I have not changed or added any rules. Just updated to the latest snapshot from May 25th snapshot.

        wallabybob

        Please post your firewall rules for interfaces LAN, VoIP and Video.

          asterix

          Standard rules, same as the default LAN rule. Always had these in.

          ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
              TCP/UDP  VOIP net   *     *            *     *        none             VoIP

          ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
              TCP/UDP  VIDEO net  *     *            *     *        none             Video

          ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
              *        LAN net    *     *            *     *        none             Default allow LAN to any rule
            Swordforthelord

            If I'm not mistaken, those rules actually allow access between VLANs, not prevent it.  You need to change the rules to something like:

            ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
                TCP/UDP  VOIP net   *     VOIP net     *     *        none             VoIP

            ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
                TCP/UDP  VIDEO net  *     VIDEO net    *     *        none             Video

            ID  Proto    Source     Port  Destination  Port  Gateway  Queue  Schedule  Description
                *        LAN net    *     LAN net      *     *        none             Default allow LAN to any rule

            The only other thing you need is a rule to allow internet access to each VLAN as well; I would provide it but I am in the process of figuring that part out myself.  Assuming your VLANs all have different subnets, perhaps when you tested originally, the devices you pinged had their own firewalls which blocked the traffic from a different subnet and the device you pinged recently does not.  All supposition of course, not knowing all the details of your setup.

              wallabybob

              I assume those rules posted are PASS rules rather than BLOCK rules.

              Firewall rules are processed top down, terminating on first match.

              On VoIP interface, to allow access to the internet and block access to LAN subnet AND Video subnet you could use a ruleset like the following:

              ID     Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
              BLOCK  TCP/UDP  VOIP net  *     VIDEO net    *     *        none             Block VoIP net to Video net
              BLOCK  TCP/UDP  VOIP net  *     LAN net      *     *        none             Block VoIP net to LAN net
              ALLOW  TCP/UDP  VOIP net  *     *            *     *        none             Allow VoIP to everywhere else

              You might want to enable logging on some of the block rules to see who is trying to get somewhere they shouldn't go.

                stephenw10 Netgate Administrator

                @Swordforthelord:

                If I'm not mistaken, those rules actually allow access between VLANs, not prevent it.  You need to change the rules to something like:

                ID  Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
                    TCP/UDP  VOIP net  *     VOIP net     *     *        none             VoIP

                A rule configured as above, assuming this is an 'allow' rule, would allow access only to the VOIP subnet. You would not have internet access with this rule!

                Steve

                  GruensFroeschli

                  An even easier solution would be to use aliases.

                  Create an alias containing all your local subnets.
                  Assuming that all your local subnets are RFC1918:

                  Alias: rfc1918_nets
                  10.0.0.0/8
                  172.16.0.0/12
                  192.168.0.0/16

                  Now create a single allow rule with destination NOT the rfc1918_nets alias.

                  ID     Proto    Source    Port  Destination    Port  Gateway  Queue  Schedule  Description
                  ALLOW  TCP/UDP  VOIP net  *     !rfc1918_nets  *     *        none             Allow all destinations except local ones.

                  We do what we must, because we can.

                  Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                    Swordforthelord

                    I know, I said that in my post.  :)

                    @stephenw10:

                    @Swordforthelord:

                    If I'm not mistaken, those rules actually allow access between VLANs, not prevent it.  You need to change the rules to something like:

                    ID  Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
                        TCP/UDP  VOIP net  *     VOIP net     *     *        none             VoIP

                    A rule configured as above, assuming this is an 'allow' rule, would allow access only to the VOIP subnet. You would not have internet access with this rule!

                    Steve

                      stephenw10 Netgate Administrator

                      @Swordforthelord
                      Ah OK, should have read more carefully!  :-[

                      Still the rules you have posted there do virtually nothing. They only allow traffic to access services on the pfSense box itself.
                      Clearly there is no need to allow traffic with source subnet123 and destination subnet123 as most of this traffic is not going through pfSense anyway.

                      @GruensFroeschli
                      I use an alias just as you've described however I've always wondered if such an alias does not exist anyway. It seems to be used in the 'block private networks' rule if enabled. Does it exist behind the scenes?

                      Steve

                        asterix

                        All,
                        The LAN rule is the default rule set during the pfSense install. I did not create it. Other posts on these forums showed how to give the VoIP and Video VLANs access to the internet, and that's what I have put in the rules.

                        Furthermore, these rules have been in effect for the last 4 months with no issues. I was not able to communicate with the other VLANs from one. In fact I had posted this very topic when I was not able to get the VLANs to talk to each other, and I was advised not to do it for security purposes, and it made sense.

                        Now the problem is that I do not want the VLANs seeing or talking to each other. I have not changed anything on the smart switch since the day the network was configured.

                        Maybe I need to do a clean install of pfSense?

                          stephenw10 Netgate Administrator

                          Well I don't understand how that could have happened.
                          The rules you posted here will allow traffic between interfaces.
                          I suggest you do as GruensFroeschli described above:
                          Create an alias that contains all your local subnets.
                          Change the firewall rules for each interface to allow traffic with destination 'not local subnets'.
                          You will also have to put in a rule above that to allow access to the pfSense DNS forwarder on port 53 on the VLANs.

                          Steve

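As an added illustration (not code from this thread or from pfSense itself), the following Python model walks pfSense's top-down, first-match rule evaluation over asterix's original VoIP rule, wallabybob's block-then-allow ruleset, and GruensFroeschli's negated rfc1918_nets alias with stephenw10's port 53 rule placed above it. The subnets, the "VOIP address" entry and the sample client addresses are constructed assumptions based on the /24 networks posted later in the thread.

```python
import ipaddress

# Constructed sample addressing based on the /24 subnets asterix posts later;
# "rfc1918_nets" is GruensFroeschli's alias and "VOIP address" is the interface
# IP that the pfSense DNS forwarder answers on (both names are assumptions here).
NETS = {
    "LAN net": [ipaddress.ip_network("10.0.1.0/24")],
    "VOIP net": [ipaddress.ip_network("10.0.2.0/24")],
    "VIDEO net": [ipaddress.ip_network("10.0.3.0/24")],
    "VOIP address": [ipaddress.ip_network("10.0.2.1/32")],
    "rfc1918_nets": [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}

def _match(spec, addr):
    """'*' matches anything; a leading '!' inverts the net/alias match."""
    if spec == "*":
        return True
    hit = any(addr in net for net in NETS[spec.lstrip("!")])
    return not hit if spec.startswith("!") else hit

def evaluate(rules, src, dst, dport, proto):
    """First-match, top-down evaluation; no match means the implicit default deny.
    A TCP/UDP rule does not match ICMP, so the protocol is checked first."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, proto_spec, s, d, port in rules:
        if proto_spec != "*" and proto not in proto_spec.lower().split("/"):
            continue
        if _match(s, src) and _match(d, dst) and port in ("*", dport):
            return action
    return "block"

# Rule tuples: (action, proto, source, destination, destination port)
ORIGINAL = [("pass", "TCP/UDP", "VOIP net", "*", "*")]      # asterix's VoIP rule
BLOCK_THEN_ALLOW = [                                         # wallabybob's ruleset
    ("block", "TCP/UDP", "VOIP net", "VIDEO net", "*"),
    ("block", "TCP/UDP", "VOIP net", "LAN net", "*"),
    ("pass", "TCP/UDP", "VOIP net", "*", "*"),
]
ALIAS_NEGATED = [                                            # alias rule with stephenw10's DNS rule above it
    ("pass", "TCP/UDP", "VOIP net", "VOIP address", 53),
    ("pass", "TCP/UDP", "VOIP net", "!rfc1918_nets", "*"),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("block-then-allow", BLOCK_THEN_ALLOW),
                        ("alias-negated", ALIAS_NEGATED)):
        print(name, "VoIP->LAN", evaluate(rules, "10.0.2.50", "10.0.1.20", 80, "tcp"),
              "VoIP->Internet", evaluate(rules, "10.0.2.50", "203.0.113.10", 443, "tcp"),
              "VoIP->DNS", evaluate(rules, "10.0.2.50", "10.0.2.1", 53, "udp"))
```

Dropping the port 53 rule from ALIAS_NEGATED shows stephenw10's caveat: the firewall's own address is inside 10.0.0.0/8, so the negated alias rule alone leaves DNS to the forwarder on the default deny.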
                            asterix

                            I have the same subnet mask (24) across all 3 VLANs. Could that be an issue?

                            WAN (wan)      -> em0        -> x.x.x.x (DHCP)
                            LAN (lan)      -> em1_vlan1  -> 10.0.1.1 (earlier it was subnet mask 8, could this be why I couldn't ping other VLANs)
                            VOIP (opt1)    -> em1_vlan2  -> 10.0.2.1
                            VIDEO (opt2)   -> em1_vlan3  -> 10.0.3.1

                              Nachtfalke

                              The only way to be sure that there is no connection/communication between different VLANs is this:
                              @wallabybob:

                              I assume those rules posted are PASS rules rather than BLOCK rules.

                              Firewall rules are processed top down, terminating on first match.

                              On VoIP interface, to allow access to the internet and block access to LAN subnet AND Video subnet you could use a ruleset like the following:

                              ID     Proto    Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
                              BLOCK  TCP/UDP  VOIP net  *     VIDEO net    *     *        none             Block VoIP net to Video net
                              BLOCK  TCP/UDP  VOIP net  *     LAN net      *     *        none             Block VoIP net to LAN net
                              ALLOW  TCP/UDP  VOIP net  *     *            *     *        none             Allow VoIP to everywhere else

                              or this one:

                              @GruensFroeschli:

                              An even easier solution would be to use aliases.

                              Create an alias containing all your local subnets.
                              Assuming that all your local subnets are RFC1918:

                              Alias: rfc1918_nets
                              10.0.0.0/8
                              172.16.0.0/12
                              192.168.0.0/16

                              Now create a single allow rule with destination NOT the rfc1918_nets alias.

                              ID     Proto    Source    Port  Destination    Port  Gateway  Queue  Schedule  Description
                              ALLOW  TCP/UDP  VOIP net  *     !rfc1918_nets  *     *        none             Allow all destinations except local ones.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.