Need help with VLAN ACL question

amrogers3 · Sep 24, 2011, 1:39 AM

So here is the scenario:

I have 3Com 8 port managed switch with 802.1Q to pfSense and tagging enabled.

If I have ACLs set up on each VLAN to prevent VLAN 1 from "talking" to VLAN 2 can device 1 communicate with device 3?

The reason I ask is because I am concerned the traffic will not make it pfSense (and thus activate the pfSense ACL) because the switch will route traffic based upon the MAC address table on the switch, is this correct or no?

Metu69salemi · Sep 24, 2011, 1:04 PM

Assuming that vlans is set correctly:
If you have only L2 switch, then devices 1 and 3 can't talk to each other. and in L3 switch it depends your settings greatly

amrogers3 · Sep 24, 2011, 3:34 PM

@Metu69salemi:

Assuming that vlans is set correctly:
If you have only L2 switch, then devices 1 and 3 can't talk to each other. and in L3 switch it depends your settings greatly

Hi Metu69salemi, thanks for reply. That is a L2 switch. Should have specified that earlier.

One more question, Device 1 and Device 2 can talk to each other without being "routed" on pfSense, correct? Since they are on the same VLAN and their routing will be handled by the switch?

I would like to control communication between device 1 and device 2 on same VLAN. Can you recommend an L2 switch that supports ACLs on each port?

Nachtfalke · Sep 24, 2011, 5:02 PM

@amrogers3:

(…)
One more question, Device 1 and Device 2 can talk to each other without being "routed" on pfSense, correct? Since they are on the same VLAN and their routing will be handled by the switch?
(…)

Yes, they can talk together. Unsure if "routing" is the correct word for this but devices on the same VLAN can talk to each other WITHOUT any extra router (pfsense).

Metu69salemi · Sep 24, 2011, 10:01 PM

you'll have to have multiple ports on router and bridge those interfaces, when one client is in another port and second one at another port, then firewall does control trafic.