VLAN to VLAN
-
Using the latest AMD64 snapshot.
I have 3 VLANs. LAN, VoIP and Video. Last I checked all the 3 VLANs were isolated on pfSense and client on one VLAN was not able to ping or communicated with the other two. And that is how I liked it for security and manageability.
In a typo error I just did a ping from LAN to VoIP and I saw a ping response. I was surprised and checked the third VLAN with similar result. In fact all 3 of my VLANs are able to talk to each other without any issues.
What could be the cause for this? I have not changed or added any rules. Just updated to the latest snapshot from May 25th snapshot.
-
Please post your firewall rules for interfaces LAN, VoIP and Video.
-
Standard Rules. Same like default LAN. Always had these in.
ID Proto Source Port Destination Port Gateway Queue Schedule Description
TCP/UDP VOIP net * * * * none VoIP
ID Proto Source Port Destination Port Gateway Queue Schedule Description
TCP/UDP VIDEO net * * * * none Video
ID Proto Source Port Destination Port Gateway Queue Schedule Description
- LAN net * * * * none Default allow LAN to any rule
-
If I'm not mistaken, those rules actually allow access between VLANs, not prevent it. You need to change the rules to something like:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
TCP/UDP VOIP net * VOIP net * * none VoIP
ID Proto Source Port Destination Port Gateway Queue Schedule Description
TCP/UDP VIDEO net * VIDEO net * * none Video
ID Proto Source Port Destination Port Gateway Queue Schedule Description
* LAN net * LAN net * * none Default allow LAN to any rule
The only other thing you need is a rule to allow internet access to each VLAN as well; I would provide it but I am in the process of figuring that part out myself. Assuming your VLANs all have different subnets, perhaps when you tested originally, the devices you pinged had their own firewalls which blocked the traffic from a different subnet and the device you pinged recently does not. All supposition of course, not knowing all the details of your setup.
-
I assume those rules posted are PASS rules rather than BLOCK rules.
Firewall rules are processed top down, terminating on first match.
On VoIP interface, to allow access to the internet and block access to LAN subnet AND Video subnet you could use a ruleset like the following:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
BLOCK TCP/UDP VOIP net * VIDEO net * * none Block VoIPnet to Videonet
BLOCK TCP/UDP VOIP net * LANnet * * none Block VoIPnet to LAN net
ALLOW TCP/UDP VOIP net * * * * none Allow VoIP to everywhere elseYou might want to enable logging on some of the block rules to see who is trying to get somewhere they shouldn't go.
-
If I'm not mistaken, those rules actually allow access between VLANs, not prevent it. You need to change the rules to something like:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
TCP/UDP VOIP net * VOIP net * * none VoIPA rule configured as above, assuming this is an 'allow' rule, would allow access only to the VOIP subnet. You would not have internet access with this rule!
Steve
-
An even easier solution would be to use aliases.
Create an alias containing all your local subnets.
Assuming that all your local subnets are RFC1918:Alias: rfc1918_nets
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16Now create a single allow rule with as destination NOT the rfc1918_net alias.
ID Proto Source Port Destination Port Gateway Queue Schedule Description
ALLOW TCP/UDP VOIP net * !rfc1918_nets * * none Allow all destinations except local ones. -
I know, I said that in my post. :)
If I'm not mistaken, those rules actually allow access between VLANs, not prevent it. You need to change the rules to something like:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
TCP/UDP VOIP net * VOIP net * * none VoIPA rule configured as above, assuming this is an 'allow' rule, would allow access only to the VOIP subnet. You would not have internet access with this rule!
Steve
-
@Swordforthelord
Ah OK, should have read more carefully! :-[Still the rules you have posted there do virtually nothing. They only allow traffic to access services on the pfSense box itself.
Clearly there is no need to allow traffic with source subnet123 and destination subnet123 as most of this traffic is not going through pfSense anyway.@GruensFroeschli
I use an alias just as you've described however I've always wondered if such an alias does not exist anyway. It seems to be used in the 'block private networks' rule if enabled. Does it exist behind the scenes?Steve
-
All,
The LAN rule is the default rule set during pfsense install. I did not create it. Other posts on these forums showed how to give the VoIP and Video VLANs access to the internet and that's what I have put in the rules.Furthermore, these rules were in effect since last 4 months with no issues. I was not able to communicate with the other VLANs from one. In fact I had posted this very topic where I was not able to get VLANs talk to each other and I was advised not to do it for security purposes and it made sense.
Now the problem I do not want the VLANs seeing or talking to each other. I have not changed anything on the smart switch since the day the network has been configured.
Maybe I need to do a clean install of pfSense?
-
Well I don't understand how that could have happened. :-
The rules you posted here will allow traffic between interfaces.
I suggest you do as GruensFroeschli described above:
Create an alias that contains all your local subnets.
Change the firewall rules for each interface to allow traffic with destination 'not local subnets'.
You will also so have to put in a rule above that to allow access to the pfSense DNS forwarder on port 53 on the VLANs.Steve
-
I have the same subnet mask (24) across all 3 VLAN's. Could that be an issue?
WAN (wan) -> em0 -> x.x.x.x (DHCP)
LAN (lan) -> em1_vlan1 -> 10.0.1.1 (earlier it was subnet mask 8, could this be why I couldn't ping other VLANs)
VOIP (opt1) -> em1_vlan2 -> 10.0.2.1
VIDEO (opt2) -> em1_vlan3 -> 10.0.3.1 -
The only way to be sure, that there is no connection/communication between different VLANs is this:
@wallabybob:I assume those rules posted are PASS rules rather than BLOCK rules.
Firewall rules are processed top down, terminating on first match.
On VoIP interface, to allow access to the internet and block access to LAN subnet AND Video subnet you could use a ruleset like the following:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
BLOCK TCP/UDP VOIP net * VIDEO net * * none Block VoIPnet to Videonet
BLOCK TCP/UDP VOIP net * LANnet * * none Block VoIPnet to LAN net
ALLOW TCP/UDP VOIP net * * * * none Allow VoIP to everywhere elseor this one:
An even easier solution would be to use aliases.
Create an alias containing all your local subnets.
Assuming that all your local subnets are RFC1918:Alias: rfc1918_nets
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16Now create a single allow rule with as destination NOT the rfc1918_net alias.
ID Proto Source Port Destination Port Gateway Queue Schedule Description
ALLOW TCP/UDP VOIP net * !rfc1918_nets * * none Allow all destinations except local ones.
