Need Help With Firewall rules and VLAN



  • Hi,

    I've searched the forums for help but it has been confusing for a newb. Here is what I want to do:
    I have a pfSense box with 4 LANs (10, 20, 30, 40).
    -All LANs must be able to access the internet
    -LAN 10 must be able to access LANs 20, 30, 40
    -LANs 20, 30, 40 cannot access LAN 10.

    I have played around with aliases and firewall rules but can't seem to get the result I want. If anybody could help or post some screenshots, that would be of much help.

    Thank you


  • Post screenshots of your rules (LANs 10, 20, 30, 40)



  • 4 networks (VLANs): LAN, OPT1, OPT2 and OPT3

    So far this is what I've got on all four. I have removed all the rules I've been playing with, and the internet works on all 4 LANs. Now I just need to know how to block inter-LAN communication, with the exception of LAN to OPT1-3.

    I think I need a block rule something like this for LAN:
    Source: OPT1 net, destination: LAN net
    Source: OPT2 net, destination: LAN net
    Source: OPT3 net, destination: LAN net

  • Do you want to block only from LAN to the VLANs?

    If so, you could create a network alias and put all the VLAN subnets in it.
    After that, make the following rule:

    Action: Block
    Disabled: unchecked
    Interface: LAN
    Protocol: Any
    Source: LAN Subnet
    Destination: select "Single host or alias" and type your newly created alias name into the following box
    Description: something useful

    Make sure that this rule is the second rule from the top.



  • No, the other way around. I want to block all OPT and LAN interfaces from communicating with each other, i.e. isolating them to nothing but the internet.
    OPT1 to OPT2, OPT3 and LAN = block
    OPT2 to OPT1, OPT3 and LAN = block
    OPT3 to OPT1, OPT2 and LAN = block

    While we're at it, I also want to block the web configuration portal from all the OPT interfaces as well.

    But if possible, I would like to be able to communicate from LAN to the OPT interfaces so that I can configure access points and such.
    LAN to OPT1, OPT2 and OPT3 = pass



  • @Metu69salemi:

    > If so, you could create a network alias and put all the VLAN subnets in it.
    > After that, make the following rule:
    >
    > Action: Block
    > Disabled: unchecked
    > Interface: LAN
    > Protocol: Any
    > Source: LAN Subnet
    > Destination: select "Single host or alias" and type your newly created alias name into the following box
    > Description: something useful
    >
    > Make sure that this rule is the second rule from the top.

    After much thinking, I took this suggestion and modified it as follows:
    -created 3 aliases: (LAN, OPT2, OPT3), (LAN, OPT1, OPT3) and (LAN, OPT1, OPT2)
    -created firewall rules on each OPT interface:

    Action: Block
    Disabled: unchecked
    Interface: OPT1 (OPT2, OPT3)
    Protocol: Any
    Source: OPT1 (OPT2, OPT3) Subnet
    Destination: Single host or alias, selected alias1 (alias2, alias3)
    Description: something useful

    Doing this has allowed me to block OPTx to LAN traffic and still have the internet on the OPTx interfaces.

    I am able to access the OPTx VLANs from LAN.

    As for blocking the web GUI from the OPTx interfaces, I created an alias with the fixed IPs of the LAN and OPTx interfaces and created the following rule on the OPTx interfaces:

    Action: Block
    Disabled: unchecked
    Interface: OPT1 (OPT2, OPT3)
    Protocol: TCP/UDP
    Source: OPT1 (OPT2, OPT3) Subnet
    Destination: Single host or alias, selected alias_fixed_ips
    Port: 443 (HTTPS)
    Description: something useful

    That seems to have done the trick.

    If I missed something, or if there is a better way of doing it, please let me know.



  • Are the subnets 10/20/30/40 part of the same supernet? If so, you could just block that on every interface.

    i.e. on LAN 192.168.20.0/24 you could just block 192.168.0.0/16, which would contain all the other subnets without having to use an alias.

    If you want to use an alias, a single one containing 10/20/30/40 should be enough; traffic destined for the local subnet won't reach the firewall anyway, so there is no need to have several aliases, each containing all but the current subnet.
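The two approaches discussed in this thread (one alias per OPT interface that leaves out its own subnet, versus a single alias of every local subnet) only differ in what happens to traffic addressed to the firewall's own interface address. The script below is an added example, not something posted in the thread or part of pfSense: it simulates pfSense's top-down, first-match evaluation of the per-interface rulesets the thread arrived at, with constructed 192.168.x.0/24 ranges and .1 interface addresses that the thread never names.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed subnets: the thread never names its address ranges, so these
# 192.168.x.0/24 networks and the .1 interface addresses are assumptions.
SUBNETS = {
    "lan":  ipaddress.ip_network("192.168.10.0/24"),
    "opt1": ipaddress.ip_network("192.168.20.0/24"),
    "opt2": ipaddress.ip_network("192.168.30.0/24"),
    "opt3": ipaddress.ip_network("192.168.40.0/24"),
}
# pfSense's own address on each interface (the thread's "alias_fixed_ips").
FW_ADDRS = {name: net.network_address + 1 for name, net in SUBNETS.items()}
WEBGUI_PORT = 443


@dataclass
class Rule:
    action: str                                # "pass" or "block"
    src: Optional[ipaddress.IPv4Network]       # None means "any"
    dst: List[ipaddress.IPv4Network] = field(default_factory=list)  # [] = any; a list models an alias
    dport: Optional[int] = None                # None means any destination port
    desc: str = ""

    def matches(self, src_ip, dst_ip, dport):
        if self.src is not None and src_ip not in self.src:
            return False
        if self.dst and not any(dst_ip in net for net in self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules, src_ip, dst_ip, dport):
    """Top-down, first match wins; no match falls through to pfSense's implicit default block."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"


def build_rulesets(single_alias=False):
    """Per-interface rulesets as the thread ended up configuring them.

    single_alias=True swaps in the later suggestion: one alias holding every
    local subnet, including the ingress interface's own.
    """
    fixed_ips = [ipaddress.ip_network(str(addr)) for addr in FW_ADDRS.values()]
    rulesets = {
        # LAN keeps its default allow-any, so it can reach the OPT networks and the internet.
        "lan": [Rule("pass", SUBNETS["lan"], desc="default allow LAN to any")],
    }
    for opt in ("opt1", "opt2", "opt3"):
        if single_alias:
            local = list(SUBNETS.values())
        else:
            local = [net for name, net in SUBNETS.items() if name != opt]
        # Block rules must sit above the allow-any, or they never match.
        rulesets[opt] = [
            Rule("block", SUBNETS[opt], fixed_ips, WEBGUI_PORT, "block webConfigurator"),
            Rule("block", SUBNETS[opt], local, None, "block other local networks"),
            Rule("pass", SUBNETS[opt], desc="allow everything else (internet)"),
        ]
    return rulesets


def check(ingress, src, dst, dport=None, single_alias=False):
    """Decide what the simulated firewall does with a packet entering on `ingress`."""
    return evaluate(build_rulesets(single_alias)[ingress],
                    ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


if __name__ == "__main__":
    probes = [
        ("opt1", "192.168.20.50", "192.168.10.50", 22),    # OPT1 -> LAN host
        ("opt1", "192.168.20.50", "192.168.30.50", 80),    # OPT1 -> OPT2 host
        ("opt1", "192.168.20.50", "198.51.100.10", 443),   # OPT1 -> internet
        ("opt1", "192.168.20.50", "192.168.10.1", 443),    # OPT1 -> web GUI via LAN address
        ("opt1", "192.168.20.50", "192.168.20.1", 443),    # OPT1 -> web GUI via own gateway
        ("opt1", "192.168.20.50", "192.168.20.1", 53),     # OPT1 -> DNS on own gateway
        ("lan",  "192.168.10.50", "192.168.20.50", 22),    # LAN -> OPT1 host
    ]
    for ingress, src, dst, port in probes:
        print(f"{ingress}: {src} -> {dst}:{port} = {check(ingress, src, dst, port)}"
              f" (single alias: {check(ingress, src, dst, port, single_alias=True)})")
```

Run it and compare the two columns for the DNS probe: with the per-interface aliases from the thread, a host on OPT1 can still reach port 53 on its own gateway address, but with one alias containing every subnet that packet is blocked, because traffic to the firewall's own interface address does reach the firewall even though host-to-host traffic within the subnet does not. If pfSense is serving DNS (or anything else) to the OPT networks, a single catch-all alias needs a pass rule for those services placed above the block. The web GUI block only covers the port listed in the thread, so if the GUI is reachable on another port that port has to be in the rule as well.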



  • This guide has screenshots about firewalling your VLANs. This is what I have used in the past.

    http://networktechnical.blogspot.com/2007/04/pfsense-how-to-setup-vlans.html

