Netgate Discussion Forum
    FW rules with different vlans

    Firewalling
    5 Posts 3 Posters 1.4k Views
    • z3r0x

      Hi

      I have 4 different VLANs (110, 120, 130, 140) set up and working. Plus I have a WAN interface connected to the internet.

      I was desperately trying to set up some firewall rules to allow VLAN 110 to the internet. The only way I got it working was with an Any -> Any rule in the VLAN110 tab.

      I have tried:

      Any -> WAN Subnet
      Any -> WAN Address

      "Any" as source in the VLAN 110 tab would mean any traffic that is coming from VLAN110, right?
      How can I block all traffic between each VLAN except ICMP?
      If I want to allow SSH from VLAN110 to VLAN120, would I need to create a rule in the VLAN110 tab: Any -> VLAN120 Subnet?

      Thanks a lot for the clarification.

      • heper

        Try this first (see bottom for more info):
        go to System --> Advanced --> Firewall/NAT --> check "disable negate rules"
        any --> any + force the use of the WAN gateway instead of any gateway (somewhere near the bottom when you edit a firewall rule).
        (reset states to test)

        If that does not work:
        block each VLAN subnet
        (reset states to test)


        Or update to the 2.1 Beta:
        the "disable negate rules" option is already implemented in 2.0.2 and newer (I thought it was 2.1 Beta only).
        See related post: http://forum.pfsense.org/index.php/topic,48143.0.html

        • Guest

          I would create an alias that includes all the VLANs except the one you want to access the internet.
          I'd then create a rule like this:

          Source: Vlan 110 subnet  |||  Destination: !ALIAS

          This means if the source is VLAN 110, and the destination is anything BUT the other VLANs, permit the traffic. If you want to allow ICMP, just make sure that rule is above the rule I typed.

          • z3r0x

            Hi

            Thanks a lot for your answers. I have created an alias with all VLANs except 110. Then I have created a rule to block everything from VLAN110 to the alias. After that I created a rule that allows everything from VLAN110 to any.

            This seems to work. Should it be OK like this?

            [Attachment: Screen Shot 2013-01-17 at 20.21.56.png]

            • Guest

              That should work, but if you wanted to be a little more secure, change the source from VLAN110net to any for the first rule. With how you have it set now, somebody with a different IP on that interface still wouldn't be able to get out, but in the future, if you change the way the rules are set up, it's better to plan ahead.

              If you plan on using DHCP on that interface, you'll need to allow those without an IP to access the interface.

              How I have mine set up:

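The three rule sets discussed in this thread (the original "Any -> WAN Subnet" attempt, the Guest's single inverted-alias rule with an ICMP exception above it, and the explicit block-then-allow set the poster ended up with, plus the SSH exception asked about in the first post) can be checked against sample traffic with a small first-match model. This is an added example, not code from the thread and not pfSense code; the VLAN subnets, the WAN /29, the alias contents and the sample packets are constructed for illustration. What it reproduces is the evaluation model pfSense applies on an interface tab: rules are checked top-down on the interface where the traffic enters, the first match wins, and anything unmatched is dropped by the default deny.

```python
"""First-match model of pfSense-style interface rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing (assumption: one /24 per VLAN, a /29 on WAN).
VLAN110 = ip_network("10.0.110.0/24")
VLAN120 = ip_network("10.0.120.0/24")
VLAN130 = ip_network("10.0.130.0/24")
VLAN140 = ip_network("10.0.140.0/24")
WAN_SUBNET = ip_network("203.0.113.8/29")   # the WAN's directly attached network only
ANY = ip_network("0.0.0.0/0")
OTHER_VLANS = [VLAN120, VLAN130, VLAN140]   # the alias "all VLANs except 110"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "any" or a protocol name
    src: List                    # networks the source must fall in
    dst: List                    # networks the destination must fall in
    negate_dst: bool = False     # the "!ALIAS" (invert match) option
    dport: Optional[int] = None
    name: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if not any(ip_address(p.src) in n for n in self.src):
            return False
        in_dst = any(ip_address(p.dst) in n for n in self.dst)
        return not in_dst if self.negate_dst else in_dst


def evaluate(rules: List[Rule], p: Packet):
    """Return (action, rule name) of the first matching rule, else the default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "block", "default deny"


# 1. The original poster's failed attempt: "Any -> WAN Subnet".
WAN_SUBNET_ATTEMPT = [
    Rule("pass", "any", [ANY], [WAN_SUBNET], name="any to WAN subnet"),
]

# 2. The Guest's single inverted rule, with the ICMP exception placed above it.
NEGATED = [
    Rule("pass", "icmp", [VLAN110], OTHER_VLANS, name="ICMP to other VLANs"),
    Rule("pass", "any", [VLAN110], OTHER_VLANS, negate_dst=True,
         name="anything except other VLANs"),
]

# 3. The explicit block-then-allow set from the thread, plus the SSH exception
#    asked about: it sits above the block rule, in the VLAN110 tab.
EXPLICIT = [
    Rule("pass", "tcp", [VLAN110], [VLAN120], dport=22, name="SSH to VLAN120"),
    Rule("pass", "icmp", [VLAN110], OTHER_VLANS, name="ICMP to other VLANs"),
    Rule("block", "any", [VLAN110], OTHER_VLANS, name="block other VLANs"),
    Rule("pass", "any", [VLAN110], [ANY], name="allow everything else"),
]

# Constructed sample traffic entering on the VLAN110 interface.
INTERNET = Packet("10.0.110.5", "198.51.100.7", "tcp", 443)
SSH_TO_120 = Packet("10.0.110.5", "10.0.120.9", "tcp", 22)
SSH_TO_130 = Packet("10.0.110.5", "10.0.130.9", "tcp", 22)
PING_120 = Packet("10.0.110.5", "10.0.120.9", "icmp")
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67)  # client with no address yet

if __name__ == "__main__":
    for label, rules in (("WAN subnet attempt", WAN_SUBNET_ATTEMPT),
                         ("negated alias", NEGATED), ("explicit", EXPLICIT)):
        print(f"== {label}")
        for pkt in (INTERNET, SSH_TO_120, SSH_TO_130, PING_120, DHCP_DISCOVER):
            print(f"  {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {evaluate(rules, pkt)}")
```

Running it shows why the first attempt never worked: "WAN Subnet" is only the network the WAN interface itself sits on, so a packet to an internet address matches nothing and falls to the default deny; internet-bound traffic has to be matched with "any" as the destination, which is why the block-other-VLANs rule must come first. It also shows that both the inverted-alias rule and the explicit block/allow pair give the same answers, that the SSH exception belongs in the VLAN110 tab above the block rule (rules are evaluated where the traffic enters), and that a DHCP DISCOVER from 0.0.0.0 matches none of the VLAN110net-sourced rules; in practice pfSense adds its own automatic pass rules for DHCP on an interface where its DHCP server is enabled, so this case is normally handled without a user rule. Keeping the source restricted to the interface's own subnet is also what stops a host on VLAN110 using an address borrowed from another VLAN from passing these rules.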
              Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.