What's needed

Sensi

To create a basic setup of

• Half a dozen vLans (say 2 - 6), which are all separate to each other, but use a shared internet connection.

• A shared VoIP vLan (64) that any of the vLans can access and has access to the internet.

What rules have to be created?  I have them in 'long form' for PF on freeBSD, but not sure what I need to create in pfSense.

marcelloc

Basically three steps:

• Setup all interfaces with correct vlans id(don't use id 1)

• assing ip/netmask on each one

• create allow/deny rules on interface that traffic begins

Samples:

vlan 10 wants to go to internet, so you create at vlan10 interface a rule to allow internet from vlan10.
vlan 10 dont need to talk to vlan 15, so yoy create at vlan10 interface a rule before internet access to block traffic from vlan10 to vlan15

You can also create an alias and include all vlans networks you do not need to intercomunicate and then create rules based on this alias.

Sensi

Thanks,

Out of interest, why not a 1?  Is that just because I said 2-6 or is there something special about 1?

Also, what rules would you make?

marcelloc

Vlan id 1 is already in use by switch.
Start your Setup at id 10.

The rules is up to you and the security level you want to reach.
Allow only traffic you will need is a good start point.

valnar

@marcelloc:

Vlan id 1 is already in use by switch.

By what switch?  Nothing wrong with using ID 1 unless pfSense specifically blocks it. ???

podilarius

@valnar:

@marcelloc:

Vlan id 1 is already in use by switch.

By what switch?  Nothing wrong with using ID 1 unless pfSense specifically blocks it. ???

Any switch. You can use ID1 but that is the default vlan when there is no vlan setup. you can start anywhere you like. Even start at 101 if you like.

richinspirit

@Sensi:

To create a basic setup of

• Half a dozen vLans (say 2 - 6), which are all separate to each other, but use a shared internet connection.

• A shared VoIP vLan (64) that any of the vLans can access and has access to the internet.

What rules have to be created?  I have them in 'long form' for PF on freeBSD, but not sure what I need to create in pfSense.

2-6 is 5 VLANs, so I will go with 5 VLANs + VoIP VLAN for 6 total.

The following is essentially how I set up my pfSense box for my network. It works well for me.
I have 4 configured VLANs and one default management LAN for the Cisco switches I use.
The following would work well in your case, based on your stated requirements, just skip steps you have already done:

Create VLANs in VLAN tab of Assign Interfaces section of the Interface menu

Details depend on the physical layout of your network, but I assume you need to assign all 6 VLANs (2-6, and 64 for VoIP) to the same physical interface on this tab.

Enable, assign, and rename new Opt(N) interfaces

In the first (default) tab of the Assign Interfaces section of pfSense web admin page, add/enable an Opt(ional) interface and assign it to one of the 6 VLANs you created in the VLAN tab earlier. Update the name of the Opt(N) interface to something more useful, like VLAN2, VLAN64, or VoIP. Repeat for all 6 VLANs

Create Firewall Alias for each non-VoIP VLAN:

Alias name: notFromVLANtwo
Alias description: Networks to be inaccessible from VLAN2 by firewall rule
Alias includes “networks”:
<vlan3subnet>(example: 192.168.3.1/24)
<vlan4subnet>(example: 192.168.4.1/24)
<vlan5subnet>(example: 192.168.5.1/24)
<vlan6subnet>(example: 192.168.6.1/24)

Alias name: notFromVLANthree
Alias description: Networks to be inaccessible from VLAN3 by firewall rule
Alias includes “networks”:
<vlan2subnet><vlan4subnet><vlan5subnet><vlan6subnet>Alias name: notFromVLANfour
Alias description: Networks to be inaccessible from VLAN4 by firewall rule
Alias includes “networks”:
<vlan2subnet><vlan3subnet><vlan5subnet><vlan6subnet>Alias name: notFromVLANfive
Alias description: Networks to be inaccessible from VLAN5 by firewall rule
Alias includes “networks”:
<vlan2subnet><vlan3subnet><vlan4subnet><vlan6subnet>Alias name: notFromVLANsix
Alias description: Networks to be inaccessible from VLAN6 by firewall rule
Alias includes “networks”:
<vlan2subnet><vlan3subnet><vlan4subnet><vlan5subnet>Create Firewall Rules for each non-VoIP Interface assigned to a VLAN to block access to other non-VoIP VLANs and to allow access to Internet and VoIP VLAN (and allow access to other interfaces present, if any):

VLAN2 (in order):
(top rule) Block, any protocol, source VLAN2net, port any, destination unique host or alias: alias ‘notFromVLANtwo’, port any
(bottom rule) Allow any protocol, source VLAN2net, port any, destination any, port any

VLAN3 (in order):
(top rule) Block, any protocol, source VLAN3net, port any, destination unique host or alias: alias ‘notFromVLANthree’, port any
(bottom rule) Allow any protocol, source VLAN3net, port any, destination any, port any

VLAN4 (in order):
(top rule) Block, any protocol, source VLAN4net, port any, destination unique host or alias: alias ‘notFromVLANfour’, port any
(bottom rule) Allow any protocol, source VLAN4net, port any, destination any, port any

VLAN5 (in order):
(top rule) Block, any protocol, source VLAN5net, port any, destination unique host or alias: alias ‘notFromVLANfive’, port any
(bottom rule) Allow any protocol, source VLAN5net, port any, destination any, port any

VLAN6 (in order):
(top rule) Block, any protocol, source VLAN6net, port any, destination unique host or alias: alias ‘notFromVLANsix’, port any
(bottom rule) Allow any protocol, source VLAN6net, port any, destination any, port any

Create Firewall Rule for VoIP VLAN Interface to allow access to all non-VoIP VLANs and to allow access to Internet (and allow access to other interfaces present, if any):

(only or bottom rule on VoIP VLAN interface) Allow, any protocol, source VoIP-VLANnet, port any, destination any, port any

…Like I said, this is how I have done it and it works well.</vlan5subnet></vlan4subnet></vlan3subnet></vlan2subnet></vlan6subnet></vlan4subnet></vlan3subnet></vlan2subnet></vlan6subnet></vlan5subnet></vlan3subnet></vlan2subnet></vlan6subnet></vlan5subnet></vlan4subnet></vlan2subnet></vlan6subnet></vlan5subnet></vlan4subnet></vlan3subnet>

Sensi

Rich,

I'll have a detailed read (and test) later.  But, at first glance, your answer seems just what I was looking for.  Thank you so much.

My feeling is that, for rules, all I have to do is create a 'get through' so each vLan can get to the VoIP vLan (but not to each other).  On top of that, I need to create any one-off rules for remote access to specific IP addresses (or global access) on a vLan.

If I didn't have the VoIP vLan and didn't need any specific rules (for remote access) - then I assume it works 'out of the box' with no further configuration required.  Am I right (or am I sounding mad)?

Sensi

Rich had a more detailed read - think I know what to do.  Thank you so much.

It's a paid that you have to GUI everything - text editor would be so much quicker (I have 24 vLans!!!!).

Now, just got to get the internet connection to work!

podilarius

You don't have to GUI. You can backup your config, modify it, and then restore it. Course that will cause a reboot, but you can make major additions and changes by copy paste or find and replace. Used that method several times to change internet ips while keeping the same rules.

richinspirit

@Sensi:

Rich had a more detailed read - think I know what to do.  Thank you so much.

It's a paid that you have to GUI everything - text editor would be so much quicker (I have 24 vLans!!!!).

Now, just got to get the internet connection to work!

You are welcome.

Wow, yes that is a lot of GUI work for that many VLANs.

Feel free to PM me is you would like specific assistance or recommendations.

richinspirit

@podilarius:

You don't have to GUI. You can backup your config, modify it, and then restore it. Course that will cause a reboot, but you can make major additions and changes by copy paste or find and replace. Used that method several times to change internet ips while keeping the same rules.

That is an awesome recommendation. I have a few changes to make for further testing and will give this a try, myself.

Thanks.

Sensi

pod….. is a genius - assuming it works!!

It makes perfect sense - I'm 100% cross with myself for not think of doing that myself (I must be getting old!).

ptt

Yes, as podilarius say, the easyest way to do some "major" changes is editing the config.XML

You make a bakup of your working config, then create a "copy" of that bakup and edit the "copy" then make the needed changes ( i used it to reasign my interfaces ) save it, then upload (restore) the config to your pfSense, "reboot" and "all" your changes are done.

Sensi

Creating these rules will take a bit of time - technically, there are 64 vLans (1-64) and a LAN and a WAN.  Only half a dozen vLans and the VoIP one (which is 64) are in use (I've created everything so far for the full 64 - a bit OTT, I guess!!)

Sensi

I've just had a bit of a worrying thought whilst entering Rich's suggestions.

What I need is for the non VoIP vLans to be secure from access from each other - which he's covered.
I need each vLan to be able to access the VoIP vLan - this also seems covered.
Now the bit that has worried me a bit!!  Anyone who is on the VoIP vLan cannot be allowed access to the vLans - this is the bit that, possibly, seems to still be allowed/possible.

Sensi

I've just entered it all - but hit a problem.

I have a computer on vLan64 and another on vLan7.  They DHCP fine but can't ping each other.  I don't want the 64 net to ping the 7, but I need 7 to have access to the 64.

If I run tracert on 10.7.0.101 'TRACERT 10.64.0.100', it gets to 10.7.0.1 as the first step - but it doesn't get any further.

This suggests a major problem - help!!!

wallabybob

@Sensi:

If I run tracert on 10.7.0.101 'TRACERT 10.64.0.100', it gets to 10.7.0.1 as the first step - but it doesn't get any further.

Have you checked the firewall log (Status -> System Logs, click on the Firewall tab)?

Is 10.64.0.100 configured to respond to tracert?

Sensi

Ahhh

My ping attempts are registering as coming from the WAN rather than vLan3.

I now think I know the problem - just not how to fix it!

Sensi

Maybe it's not blocking my pings - but doing its job?  All the entries are IGMPs with a source of the router a destination of 224.0.0.1 (haven't a clue on that) on the interface of wan

wallabybob

@Sensi:

All the entries are IGMPs with a source of the router a destination of 224.0.0.1 (haven't a clue on that) on the interface of wan

So if the firewall is dropping your traffic to 10.64.0.100 it is not logging it. For now you can ignore those entries in the firewall log which don't have a source IP address of 10.7.0.101 and a destination address of 10.64.0.100.

Please show your firewall rules for VLAN7 including any alias OR go through the rules for VLAN7 yourself to verify that access to vlan64 is allowed.

Another possibility is that 10.64.0.100 has some sort of firewall (e.g. Windows firewall) that is blocking tracert. Please check that out.