    Explicit allow traffic to WAN from other interface?

    Firewalling
    4 Posts 3 Posters 682 Views
    • Endosavian

      Hi!

      I want to do white-listing on my VLAN interfaces in pfsense. I.e. from VLAN1 I want to only allow some traffic to VLAN2. And from VLAN1 I want to allow all traffic to WAN (internet).

      How can I explicitly allow all traffic to the internet from VLAN1 but not to i.e. VLAN2, 3, 4 etc?

      For now I have only come up with the following solution in the VLAN1 rules:
      1. Allow traffic from VLAN1 to VLAN2 on port X, Y, Z
      2. Block all traffic from VLAN1 to VLAN2
      3. Allow all traffic from VLAN1 to anywhere

      This is not correct white-listing since the last rule will allow traffic anywhere. If I in the future add VLAN3 I will need to explicitly specify a blocking rule before #3 above (this can easily be missed, resulting in a security breach).

      So how can I make rule #3, i.e. allow all traffic from VLAN1 to the internet, explicit?

      Thanks!

      • A Former User

        If I got it right, the "not" checkbox should come in handy, as in destination is not vlan X.

        • johnpoz LAYER 8 Global Moderator

          ^ exactly

          Your rule one is correct. Rule 2 would be under that rule and would work. But could just be replaced with allow vlan1 source to !vlan2 (! = NOT).

          When you add more segments, then you create an alias that contains the network you want to block and change the rule to be !aliasname.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Endosavian
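          To make the difference between the two rule orderings concrete, here is an added example (not pfSense code and not from anyone in this thread): a small first-match evaluator over constructed VLAN networks and a LocalNets alias, showing that the question's rule set leaks to a later-added VLAN3 while the NOT-alias rule from the answer does not.

```python
import ipaddress

# Constructed sample segments; in pfSense these would be interface networks
# or entries in a Networks alias. VLAN3 is the segment added after the fact.
ALIASES = {
    "VLAN2": [ipaddress.ip_network("10.0.2.0/24")],
    "LocalNets": [ipaddress.ip_network("10.0.1.0/24"),
                  ipaddress.ip_network("10.0.2.0/24"),
                  ipaddress.ip_network("10.0.3.0/24")],  # only place VLAN3 is added
}

def dst_matches(ip, spec):
    """spec is 'any', an alias name, or '!alias' (the GUI's NOT checkbox)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = any(ip in net for net in ALIASES[spec.lstrip("!")])
    return inside != negate

def evaluate(rules, dst, port):
    """First matching rule wins, as on a pfSense interface tab; no match means
    the implicit default deny applies. rules: (action, dst_spec, ports|None)."""
    ip = ipaddress.ip_address(dst)
    for action, spec, ports in rules:
        if dst_matches(ip, spec) and (ports is None or port in ports):
            return action
    return "block"

# Rule set from the question: the final 'allow anywhere' is the problem.
ORIGINAL = [
    ("pass", "VLAN2", {443}),
    ("block", "VLAN2", None),
    ("pass", "any", None),
]
# Rule set from the answer: explicit allow to everything that is NOT local.
WHITELIST = [
    ("pass", "VLAN2", {443}),
    ("pass", "!LocalNets", None),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("not-alias", WHITELIST)):
        print(name, "VLAN3 ssh:", evaluate(rules, "10.0.3.10", 22),
              "internet https:", evaluate(rules, "203.0.113.5", 443))
```

          Note that the LocalNets alias also covers the firewall's own VLAN1 interface address, so anything the clients need from pfSense itself (DNS, for example) needs its own pass rule above the NOT rule.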

            Sorry for the late response. Believe it or not but I had an Internet takeout at home lasting 2 days. One would not expect a 2 day outtake in Sweden 2014 0.o.

            Anyway your solution works brilliantly, thank you!
