VLAN to VLAN
-
I tried adding rules to the firewall to prevent different VLANs that are connected on the same switch from being able to ping/talk to each other, but it does not work. Is it possible?
Here is something that I tried to make VLAN4 unable to communicate with VLAN2:
VLAN2 Interface:
BLOCK any from source=VLAN4 to any destination/port
-
Create rules where communication begins.
If you want to block vlan4 to vlan2, put this rule on the vlan4 interface.
-
Yes it is possible but your rule is not correct. It should be:
VLAN2 Interface: BLOCK any from source=VLAN2 to VLAN4
Any packets that the VLAN2 interface rule sees will be coming "from" VLAN2 and going out somewhere else so you have to structure the rule that way.
-
I see… so is there no way to make it so that a certain IP, for example 123.123.123.123, will be blocked by the VLAN2 interface? I can only make a rule in the VLAN2 interface's firewall that blocks any packets whose destination is IP 123.123.123.123?
thanks!! :o
-
Yes it is possible but your rule is not correct. It should be:
VLAN2 Interface: BLOCK any from source=VLAN2 to VLAN4
Any packets that the VLAN2 interface rule sees will be coming "from" VLAN2 and going out somewhere else so you have to structure the rule that way.
I tried to put that rule into VLAN2, but if I use a client on VLAN4, I can still ping clients on VLAN2.
-
@grndluei:
I tried to put that rule into VLAN2, but if I use a client on VLAN4, I can still ping clients on VLAN2.
Different interface. Read
http://doc.pfsense.org/index.php/Firewall_Rule_Basics
-
BTW, I want to isolate VLAN2 from the rest of the VLANs, including any new VLANs that I will be adding. I don't want to have to create a new rule that BLOCKs packets going to VLAN2 on each new VLAN interface that I create. That is why I want to add a firewall rule on VLAN2's interface to only allow the IPs that I want. Is this possible?
thx
-
you can do that with a quick floating rule.
-
@cmb:
you can do that with a quick floating rule.
Thanks, I got it working by adding a floating rule:
Action: Block
Quick: checked
Interface: VLAN2
Direction: any
Protocol: any
Src: not VLAN2 subnet
Dest: VLAN2 subnet

Now I have another question… If I set Direction to OUT, then it works like I want it to. But if I set it to IN then it doesn't work like I want it to. Shouldn't this be the other way around? I am assuming direction refers to packets going IN to VLAN2 or OUT of VLAN2?
Thanks!
-
If you're blocking traffic destined to VLAN2, then yes you want out. In on VLAN2 would be traffic initiated on VLAN2.
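The two points the thread turns on (an interface-tab rule only evaluates traffic entering the firewall on that interface, and a floating rule's direction is relative to the firewall, not to the VLAN) can be modelled with a small packet-evaluation script. This is an added example, not code from the thread or from pfSense; the subnets are constructed, since the posts give no addressing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the VLANs in the thread; the posts give no addressing.
SUBNETS = {
    "VLAN2": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN4": ipaddress.ip_network("192.168.4.0/24"),
}

def iface_for(ip):
    """Interface whose subnet holds ip; the firewall routes between them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    raise ValueError("no interface for " + ip)

@dataclass
class BlockRule:
    iface: str       # interface the rule is attached to
    direction: str   # "in", "out" or "any"; interface-tab rules are always "in"
    src: str         # "any", "VLAN2", or "!VLAN2" (meaning: not VLAN2 subnet)
    dst: str

def _addr_matches(spec, ip):
    if spec == "any":
        return True
    name, negate = spec.lstrip("!"), spec.startswith("!")
    return (ipaddress.ip_address(ip) in SUBNETS[name]) != negate

def blocked(rule, src_ip, dst_ip):
    """True if the first packet src_ip -> dst_ip is matched by this block rule.

    A routed packet is evaluated "in" on the interface it arrives on and
    "out" on the interface it leaves by; a rule only sees the hop on its
    own interface in its own direction. Stateful replies are not modelled.
    """
    hops = (("in", iface_for(src_ip)), ("out", iface_for(dst_ip)))
    for hop_dir, hop_if in hops:
        if rule.iface != hop_if or rule.direction not in ("any", hop_dir):
            continue
        if _addr_matches(rule.src, src_ip) and _addr_matches(rule.dst, dst_ip):
            return True
    return False

# The first post's rule on the VLAN2 tab never sees a VLAN4 -> VLAN2 ping;
# the floating rule with direction OUT does, the same rule with IN does not.
ORIGINAL_RULE = BlockRule("VLAN2", "in", "VLAN4", "any")
FLOATING_OUT = BlockRule("VLAN2", "out", "!VLAN2", "VLAN2")
FLOATING_IN = BlockRule("VLAN2", "in", "!VLAN2", "VLAN2")
```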