Netgate Discussion Forum

    FW rules with different vlans

Firewalling
z3r0x

      Hi

I have 4 different VLANs (110, 120, 130, 140) set up and working. Plus I have a WAN interface connected to the internet.

I was desperately trying to set up some firewall rules to allow VLAN 110 to the internet. The only way it was working was with an Any -> Any rule in the VLAN110 tab.

      I have tried:

      Any -> WAN Subnet
      Any -> WAN Address

Any as source in the VLAN 110 tab would mean any traffic that is coming from VLAN110, right?
      How can I block all traffic between each vlan except ICMP?
      If I want to allow SSH from VLAN110 to VLAN120 would I need to create a rule in the VLAN110 tab Any -> VLAN120 Subnet?

Thanks a lot for the clarification.

heper

Try this first: (see bottom for more info)
go to System --> Advanced --> Firewall/NAT --> check "disable negate rules"
any --> any + force the use of the WAN gateway instead of any gateway (somewhere near the bottom when you edit a firewall rule)
(reset states to test)

If that does not work:
block each vlan-subnet
(reset states to test)

Or update to the 2.1 Beta:
the "disable negate rules" option is already implemented in 2.0.2 and newer (I thought it was beta 2.1 only).
see related post: http://forum.pfsense.org/index.php/topic,48143.0.html

Guest

          I would create an alias that includes all the vlans except the one you want to access the internet.
          I'd then create a rule as such:

          Source: Vlan 110 subnet  |||  Destination: !ALIAS

          This means if the source is Vlan 110, and the destination is anything BUT the other vlans, permit traffic. If you want to allow ICMP, just make sure that rule is above the rule I typed.

z3r0x

            Hi

            Thanks a lot for your answers. I have created an alias with all vlans except 110. Then I have created a rule to block everything from VLAN110 to the alias. After that I created a rule that allows everything from VLAN110 to any.

This seems to work. Should it be ok like this?

![Screen Shot 2013-01-17 at 20.21.56.png](/public/imported_attachments/1/Screen Shot 2013-01-17 at 20.21.56.png)

Guest

That should work, but if you wanted to be a little more secure, change the source from VLAN110net to any for the first rule. With how you have it set now, somebody with a different IP on that interface still wouldn't be able to get out, but in the future if you change the way the rules are set up it's better to plan ahead.

              If you plan on using DHCP on that interface, you'll need to allow those without an IP to access the interface.

              How I have mine set up:

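The thread hinges on three properties of pfSense interface rules: rules on the VLAN110 tab apply to traffic entering that interface, they are evaluated top-down with the first match winning, and anything unmatched is dropped. The following first-match simulator is an added example, not code from the thread or from pfSense; the subnets (10.0.110.0/24 and so on, plus a 203.0.113.0/24 WAN subnet) are constructed because the original poster never states them. It reproduces the rule sets discussed above: the "Any -> WAN Subnet" attempt, z3r0x's block-then-pass pair, the Guest's negated-alias rule, an ICMP rule placed below the block, and the Guest's point about keying the block on VLAN110net versus any.

```python
"""First-match simulation of pfSense interface rules (added example, not from the thread).

pfSense evaluates the rules on an interface tab top-down against traffic entering
that interface; the first matching rule wins and unmatched traffic is blocked.
All subnets below are constructed for the example; the thread never states them.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

VLAN_SUBNETS = {
    "VLAN110": ipaddress.ip_network("10.0.110.0/24"),
    "VLAN120": ipaddress.ip_network("10.0.120.0/24"),
    "VLAN130": ipaddress.ip_network("10.0.130.0/24"),
    "VLAN140": ipaddress.ip_network("10.0.140.0/24"),
}
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # constructed WAN subnet
ANY = [ipaddress.ip_network("0.0.0.0/0")]
VLAN110_NET = [VLAN_SUBNETS["VLAN110"]]
# The alias suggested in the thread: every VLAN except 110.
OTHER_VLANS = [net for name, net in VLAN_SUBNETS.items() if name != "VLAN110"]


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    proto: Optional[str] = None      # None matches any protocol
    src: list = field(default_factory=lambda: ANY)
    dst: list = field(default_factory=lambda: ANY)
    dst_negate: bool = False         # the destination "not" box, i.e. !ALIAS
    label: str = ""


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def evaluate(rules, src, dst, proto):
    """Return (action, label) of the first rule matching this packet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.proto is not None and rule.proto != proto:
            continue
        if not _in_any(src_ip, rule.src):
            continue
        hit = _in_any(dst_ip, rule.dst)
        if rule.dst_negate:
            hit = not hit
        if hit:
            return rule.action, rule.label
    return "block", "default deny"


# The original attempt: "Any -> WAN Subnet" only matches the WAN's own subnet,
# so internet destinations fall through to the default deny.
RULES_WAN_SUBNET = [Rule("pass", dst=[WAN_SUBNET], label="any -> WAN subnet")]

# What z3r0x ended up with, plus an ICMP pass placed above the block.
RULES_BLOCK_THEN_PASS = [
    Rule("pass", proto="icmp", src=VLAN110_NET, dst=OTHER_VLANS, label="ICMP to other VLANs"),
    Rule("block", src=VLAN110_NET, dst=OTHER_VLANS, label="block to other VLANs"),
    Rule("pass", src=VLAN110_NET, label="VLAN110 -> any"),
]

# The Guest's single negated-alias rule, with the ICMP pass above it.
RULES_NEGATED_ALIAS = [
    Rule("pass", proto="icmp", src=VLAN110_NET, dst=OTHER_VLANS, label="ICMP to other VLANs"),
    Rule("pass", src=VLAN110_NET, dst=OTHER_VLANS, dst_negate=True, label="VLAN110 -> !OTHER_VLANS"),
]

# Same rules with ICMP below the block: the block matches ICMP first.
RULES_ICMP_TOO_LOW = [RULES_BLOCK_THEN_PASS[1], RULES_BLOCK_THEN_PASS[0], RULES_BLOCK_THEN_PASS[2]]

# The Guest's "plan ahead" point: a block keyed to VLAN110net is bypassed by a
# host using an unexpected address once a broader pass rule exists below it.
RULES_BLOCK_SRC_NET = [Rule("block", src=VLAN110_NET, dst=OTHER_VLANS, label="block net"), Rule("pass", label="pass any")]
RULES_BLOCK_SRC_ANY = [Rule("block", dst=OTHER_VLANS, label="block any"), Rule("pass", label="pass any")]


if __name__ == "__main__":
    cases = [
        ("WAN-subnet rule, VLAN110 host to internet", RULES_WAN_SUBNET, "10.0.110.5", "8.8.8.8", "tcp"),
        ("block-then-pass, to internet", RULES_BLOCK_THEN_PASS, "10.0.110.5", "8.8.8.8", "tcp"),
        ("block-then-pass, TCP to VLAN120", RULES_BLOCK_THEN_PASS, "10.0.110.5", "10.0.120.7", "tcp"),
        ("block-then-pass, ICMP to VLAN120", RULES_BLOCK_THEN_PASS, "10.0.110.5", "10.0.120.7", "icmp"),
        ("negated alias, TCP to VLAN120", RULES_NEGATED_ALIAS, "10.0.110.5", "10.0.120.7", "tcp"),
        ("ICMP rule below block", RULES_ICMP_TOO_LOW, "10.0.110.5", "10.0.120.7", "icmp"),
        ("wrong-IP host, block keyed to net", RULES_BLOCK_SRC_NET, "192.168.1.50", "10.0.120.7", "tcp"),
        ("wrong-IP host, block keyed to any", RULES_BLOCK_SRC_ANY, "192.168.1.50", "10.0.120.7", "tcp"),
    ]
    for name, rules, src, dst, proto in cases:
        action, label = evaluate(rules, src, dst, proto)
        print(f"{name:40s} {src} -> {dst}/{proto}: {action} ({label})")
```

Running the script shows the two working designs (block-then-pass and the negated alias) giving identical decisions, the ICMP rule being silently shadowed when it sits below the block, and the block keyed to VLAN110net letting a misaddressed host reach VLAN120 as soon as a pass-any rule follows it.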