Explicit allow traffic to WAN from other interface?



  • Hi!

    I want to do white-listing on my VLAN interfaces in pfSense, i.e. from VLAN1 I want to only allow some traffic to VLAN2. And from VLAN1 I want to allow all traffic to WAN (internet).

    How can I explicitly allow all traffic to the internet from VLAN1 but not to i.e. VLAN2, 3, 4 etc.?

    For now I have only come up with the following solution in the VLAN1 rules:
    1. Allow traffic from VLAN1 to VLAN2 on port X,Y,Z
    2. Block All traffic from VLAN1 to VLAN2
    3. Allow All traffic from VLAN1 to anywhere

    This is not correct white-listing since the last rule will allow traffic anywhere. If I in the future add VLAN3 I will need to explicitly specify a blocking rule before #3 above (this can easily be missed, resulting in a security breach).

    So how can I make rule #3, i.e. allow all traffic from VLAN1 to internet, explicitly?

    Thanks!



  • If I got it right, the "not" checkbox should come in handy, as in destination is not vlan X.


  • LAYER 8 Global Moderator

    ^ exactly

    Your rule one is correct. Rule 2 would be under that rule and would work. But could just be replaced with allow vlan1 source to !vlan2 (! = NOT).

    When you add more segments, then you create an alias that contains the network you want to block and change the rule to be !aliasname.



    Sorry for the late response. Believe it or not, but I had an Internet outage at home lasting 2 days. One would not expect a 2-day outage in Sweden 2014 0.o.

    Anyway your solution works brilliantly, thank you!
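
A small model of first-match rule evaluation on the VLAN1 tab, comparing the three-rule set from the question with the negated-alias rule from the answer. This is an added example, not part of the thread; the subnets, port numbers and the alias name LOCAL_SEGMENTS are constructed assumptions.

```python
import ipaddress

# Constructed addressing; the thread gives no subnets or port numbers.
VLAN2 = ipaddress.ip_network("10.0.2.0/24")
VLAN3 = ipaddress.ip_network("10.0.3.0/24")
ALLOWED_PORTS = {22, 443}  # stands in for "port X,Y,Z"

def evaluate(rules, dst, port):
    """Return the action of the first matching rule on the VLAN1 tab.

    A rule is (action, networks, negate, ports); networks=None means any
    destination, ports=None means any port. No match = default deny.
    """
    addr = ipaddress.ip_address(dst)
    for action, networks, negate, ports in rules:
        if networks is None:
            dst_match = True
        else:
            dst_match = any(addr in n for n in networks) != negate
        if dst_match and (ports is None or port in ports):
            return action
    return "block"

def original_rules():
    # Rules 1-3 from the question: the final pass-any also covers new VLANs.
    return [
        ("pass", [VLAN2], False, ALLOWED_PORTS),
        ("block", [VLAN2], False, None),
        ("pass", None, False, None),
    ]

def negated_alias_rules(local_segments):
    # Rule 1 unchanged, then a single pass to !alias (hypothetical alias name
    # LOCAL_SEGMENTS); everything inside the alias falls to the default deny.
    return [
        ("pass", [VLAN2], False, ALLOWED_PORTS),
        ("pass", local_segments, True, None),
    ]

if __name__ == "__main__":
    probes = [("203.0.113.10", 443), ("10.0.2.5", 443),
              ("10.0.2.5", 445), ("10.0.3.5", 445)]
    alias = [VLAN2, VLAN3]  # alias updated when VLAN3 was added
    for dst, port in probes:
        print(dst, port, evaluate(original_rules(), dst, port),
              evaluate(negated_alias_rules(alias), dst, port))
```

With the alias left at only VLAN2, the same probe to VLAN3 passes, so the alias still has to be updated whenever a segment is added.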

