Multiple VLANs and 1 WAN question

  • Hello all-

    This may be super basic, but I'm scratching my head…

    I have multiple VLANs that I want to isolate from each other, but allow them access to the WAN for internet.  I figured a rule for source/dest within the VLAN, and another rule for source VLAN to dest WAN would work, but no such luck.

    Help a newbie out....Thanks in advance!  :o

  • You want something like this:

    It's OK that the guest network is listed in the local_nets alias because it will never be used for traffic coming IN the GUEST interface.  This allows you to make one alias containing all your local networks and apply it to all the networks you want isolated.

    And don't forget any VPN networks you don't want them to access.

    I believe 2.2 will have an automatic alias for this "Local nets" or something just like "LAN net" "OPT1 net" etc.

    ![Screen Shot 2014-09-14 at 11.28.38 AM.png](/public/imported_attachments/1/Screen Shot 2014-09-14 at 11.28.38 AM.png)
    ![Screen Shot 2014-09-14 at 11.29.35 AM.png](/public/imported_attachments/1/Screen Shot 2014-09-14 at 11.29.35 AM.png)
    ![Screen Shot 2014-09-14 at 11.29.45 AM.png](/public/imported_attachments/1/Screen Shot 2014-09-14 at 11.29.45 AM.png)
    ![Screen Shot 2014-09-14 at 11.30.44 AM.png](/public/imported_attachments/1/Screen Shot 2014-09-14 at 11.30.44 AM.png)
  • Awesome!  Thanks for the tip….I'll give it a shot later today.  ;D

  • Haven't had a chance to try this yet….Just thinking out loud.  If I want each VLAN/subnet to have access to its own VLAN/subnet, then I'd need to make up a blocked list for each VLAN.  That's a whole lotta rules to create in a heavily VLAN'd network.  :o  Oh well....I guess that's why we make the big bucks!

    Thanks again for the alias tip though...That was a big help.

  • No.  When a VLAN is talking to its own VLAN it does NOT have to use pfSense at all (except for DHCP, DNS, etc.).  DHCP is always permitted, and I explicitly pass DNS in those rules.

    On LAN, having a "block any from LAN net to LAN net any" does nothing so you only need one alias and you can use it on all your firewalled interfaces.

    ETA: It does block traffic to the LAN address, so you do need to pass DNS, etc., if necessary, just to be perfectly clear.
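The rule logic from the two answers above, modelled as an added example (not code from the original thread or from pfSense): per-interface rules are evaluated top to bottom, first match wins, with an implicit default deny. Each isolated interface gets a pass for DNS to its own interface address, then a block to the `local_nets` alias, then a pass to any for the WAN. Same-subnet traffic is switched and never reaches the firewall, which is why one alias serves every interface, and why the ETA matters: a block to `local_nets` also covers the interface's own address, so anything the VLAN needs from pfSense itself (DNS here) must be passed above it. All addresses, interface names and the VPN network are constructed for the example.

```python
"""Simulation of the per-interface pfSense rule set described in the thread.

Rules are evaluated on the interface the traffic ENTERS, top to bottom,
first match wins, implicit default deny at the end.  Per isolated interface:

  1. pass  udp/tcp 53 from <this VLAN> to <this interface address>   (DNS)
  2. block any         from <this VLAN> to local_nets alias
  3. pass  any         from <this VLAN> to any                        (WAN)

DHCP is always permitted by pfSense itself and needs no rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing (not from the original post).
NETS = {
    "LAN":   ipaddress.ip_network("192.168.1.0/24"),
    "GUEST": ipaddress.ip_network("192.168.20.0/24"),
    "IOT":   ipaddress.ip_network("192.168.30.0/24"),
    "VPN":   ipaddress.ip_network("10.8.0.0/24"),   # VPN net the guests must not reach
}
# One alias holding every local network; the same alias is reused on every interface.
LOCAL_NETS = list(NETS.values())
# Interface (gateway) address = first host of each network.
IF_ADDR = {name: next(net.hosts()) for name, net in NETS.items()}


@dataclass
class Packet:
    iface: str          # interface the packet enters on
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 443


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    dst: object                 # list of networks, "self" (interface address) or "any"
    proto: str = "any"
    dport: Optional[int] = None
    label: str = ""


def rules_for(iface: str):
    """The thread's recipe, identical for every isolated interface."""
    return [
        Rule("pass", "self", "udp", 53, "pass DNS to this interface address"),
        Rule("pass", "self", "tcp", 53, "pass DNS to this interface address"),
        Rule("block", LOCAL_NETS, label="block to local_nets alias"),
        Rule("pass", "any", label="pass everything else (WAN)"),
    ]


def _matches(rule: Rule, pkt: Packet) -> bool:
    dst = ipaddress.ip_address(pkt.dst)
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "self":
        return dst == IF_ADDR[pkt.iface]
    return any(dst in net for net in rule.dst)


def evaluate(pkt: Packet):
    """Return (action, reason) for a packet entering on pkt.iface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Host-to-host traffic inside one subnet is switched, not routed:
    # it never reaches pfSense, so no rule applies to it.
    if src in NETS[pkt.iface] and dst in NETS[pkt.iface] and dst != IF_ADDR[pkt.iface]:
        return "pass", "same subnet, never reaches the firewall"
    for rule in rules_for(pkt.iface):
        if _matches(rule, pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


if __name__ == "__main__":
    guest = "192.168.20.50"
    for pkt in [
        Packet("GUEST", guest, "8.8.8.8"),                        # internet
        Packet("GUEST", guest, "192.168.1.10", "tcp", 445),       # LAN host
        Packet("GUEST", guest, "10.8.0.5"),                       # VPN client
        Packet("GUEST", guest, "192.168.20.1", "udp", 53),        # DNS on gateway
        Packet("GUEST", guest, "192.168.20.1", "tcp", 443),       # webGUI on gateway
        Packet("GUEST", guest, "192.168.20.77"),                  # neighbour in same VLAN
    ]:
        action, why = evaluate(pkt)
        print(f"{pkt.proto}/{pkt.dport:<4} -> {pkt.dst:<14} {action:<5} ({why})")
```

The last two cases are the ETA in practice: a guest talking to another guest host never touches the rule set, but a guest talking to the GUEST interface address does, so only the services explicitly passed above the `local_nets` block (DNS here) remain reachable on the gateway.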

  • Perrrrrrrrrrrrrrrfect!  Thanks!  ;D

