VLAN to VLAN

fcx.code

I tried adding rules to the firewall to prevent different VLANs that is connected on the same switch from being able to ping/talk to each other but it does not work. Is it possible?

here is something that I tried to make VLAN4 not being able to communicate with VLAN2

VLAN2 Interface:
BLOCK any from source=VLAN4 to any destination/port

marcelloc

Create rules where comunication begins.

If you want to block vlan4 to vlan2, put this rule on vlan4 interface

focalguy

Yes it is possible but your rule is not correct. It should be:

VLAN2 Interface:
BLOCK any from source=VLAN2 to VLAN4 

Any packets that the VLAN2 interface rule sees will be coming "from" VLAN2 and going out somewhere else so you have to structure the rule that way.

fcx.code

I see… so is there no way to make it so that certain IP, example 123.123.123.123, will be blocked by interface VLAN2???  I can only make a rule in the interface VLAN2's firewall to say that block any packets that its destination is to IP 123.123.123.123 ?

thanks!!  :o

fcx.code

@focalguy:

Yes it is possible but your rule is not correct. It should be:

VLAN2 Interface:
BLOCK any from source=VLAN2 to VLAN4 

Any packets that the VLAN2 interface rule sees will be coming "from" VLAN2 and going out somewhere else so you have to structure the rule that way.

I tried to put that rule into VLAN2, but if I use a client on VLAN4, I can still ping clients on VLAN2.

cmb

@grndluei:

I tried to put that rule into VLAN2, but if I use a client on VLAN4, I can still ping clients on VLAN2.

Different interface. Read
http://doc.pfsense.org/index.php/Firewall_Rule_Basics

fcx.code

BTW, I want to isolate VLAN2 from the rest of the VLANs or any new VLANs that I will be adding. I don't want to make a new rule that tells it to BLOCK packets going to VLAN2 in each new VLAN interface that I create.  That is why I want to add a firewall rule in VLAN2's interface to only allow IPs that I want. Is this possible?

thx

cmb

you can do that with a quick floating rule.

fcx.code

@cmb:

you can do that with a quick floating rule.

Thanks, I got it working by adding a floating rule:

Action: Block
Quick: checked
Interface: VLAN2
Direction: any
Protocol: any
Src: not VLAN2 subnet
Dest VLAN2 subnet

Now I have another question… If i set Direction to OUT, then it works like I want it to.  But if I set it to IN then it doesn't work like I want it to.  Shouldn't this be the other way around?  I am assuming direction refers to packets going IN to VLAN2 or OUT of VLAN2?

Thanks!

cmb

If you're blocking traffic destined to VLAN2, then yes you want out. In on VLAN2 would be traffic initiated on VLAN2.