FW rules with different vlans

  • Hi

    I have 4 different VLAN 110,120,130,140 setup and working. Plus I have a WAN interface connected to the internet.

    I was desperately trying to setup some firewall rules to allow VLAN 110 to the internet. My only way it was working was with a Any -> Any rule in the VLAN110 tab.

    I have tried:

    Any -> WAN Subnet
    Any -> WAN Address

    Any as source in the VLAN 110 tab would mean any traffic that is comming from VLAN110 right?
    How can I block all traffic between each vlan except ICMP?
    If I want to allow SSH from VLAN110 to VLAN120 would I need to create a rule in the VLAN110 tab Any -> VLAN120 Subnet?

    Thanks a lot for the clearification.

  • Try this first:  (see bottom for more info)
    go to system–>advanced-->firewall/nat-->check "disable negate rules"
    any-->any + force the use of WAN-gateway instead of any gateway. (somewhere near the bottom when you edit a firewall rule)
    (reset states to test)

    If that does not work :
    block each vlan-subnet
    (reset states to test)

    Or update to the 2.1 Beta:
    the "disable negate rules" is allready implemented in 2.0.2 and newer.(i thought it was beta 2.1 only)
    see related post: http://forum.pfsense.org/index.php/topic,48143.0.html

  • I would create an alias that includes all the vlans except the one you want to access the internet.
    I'd then create a rule as such:

    Source: Vlan 110 subnet  |||  Destination: !ALIAS

    This means if the source is Vlan 110, and the destination is anything BUT the other vlans, permit traffic. If you want to allow ICMP, just make sure that rule is above the rule I typed.

  • Hi

    Thanks a lot for your answers. I have created an alias with all vlans except 110. Then I have created a rule to block everything from VLAN110 to the alias. After that I created a rule that allows everything from VLAN110 to any.

    This seems to work. Should be ok like this?

    ![Screen Shot 2013-01-17 at 20.21.56.png](/public/imported_attachments/1/Screen Shot 2013-01-17 at 20.21.56.png)
    ![Screen Shot 2013-01-17 at 20.21.56.png_thumb](/public/imported_attachments/1/Screen Shot 2013-01-17 at 20.21.56.png_thumb)

  • That should work, but if you wanted to be a little more secure change the source from VLAN110net to any for the first rule. With how you have it set now somebody with a different IP on that interface still wouldn't be able to get out, but in the future if you change the way the rules are setup it's better to plan ahead.

    If you plan on using DHCP on that interface, you'll need to allow those without an IP to access the interface.

    How I have mine set up: