Vlan + pfSense: a question to understand
I configured a box with pfSense for home. It's connected to an access point where I have created 3 SSID that communicate with pfsense on 3 different vlan.
I noticed that the 2 unrestricted vlans (that is, with a full PASS rule) works without problems.
The third vlan was created to provide guest wifi: on this vlan I noticed a strange thing.
Each vlan has an IP address such as 192.168.X1 with dhcp enabled.
The first two have a full PASS rule, so everything works smoothly.
In the Guest VLAN, instead, I put the following 3 rules:
- PASS from WiFi_Guest network to the 2 DNS's addresses (OpenDNS)
- BLOCK from WiFi_Guest to LAN
- PASS from WiFi_Guest to the "outside" only for http/s ports
The thing I do not understand is that if I leave these 3 rules can NOT surf the internet, while if in Rule 1) I add the IP of the vlan itself (ie 192.168,X.1) I can navigate.
Since the vlan has an interface with the same IP, it should already exist an implicit PASS to allow the transit from the vlan to the IP address of its interface?
I would add that in "General Setup" in the DNS entry I set the two OpenDNS DNS. The two fields below ("Allow DNS …" and "Do not use DNS ....") are unflagged (disabled).
Thanks in advance to those who want to explain,
Are you passing the OpenDNS servers to clients via DHCP? If not clients will try to use the pfSense DNS forwarder at the wifi_guest address. Hence your experience with the 1st rule.
you are perfeclty right!
I have Dns forwarder enabled, and I've seen the description (under dhcp server -> Dns servers):
NOTE: leave blank to use the system default DNS servers - this interface's IP if DNS forwarder is enabled, otherwise the servers configured on the General page.
but I admit I didn't understand the full meaning: maybe that "dash" misleaded me…. :-[
Thanks again for your reply!!