Trouble with outbound traffic with vlans



  • I am setting up pfsense to replace our current firewall and have some trouble with outbound traffic with public and private address. I can get inbound traffic with the firewall setup but I can’t get anything outbound that is coming from the servers. I attached some screen shots, am I missing something?

    I do need to block traffic that is not included in the firewall configs from one vlan to the other.




  • If I understand this right you have public IPs in vlan4 and vlan5 and just want to route without doing NAT? Did you enable advanced outbound NAT already to shut down the default outbound natting for these vlans?



  • That is correct we have public address on vlan 4 & 5  and port forward on vlan65 to a private address. I have enabled Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)) selected and the only mapping is for the LAN network.

    Thanks

    Rick



  • I think i got it. I disabled and re-enabled and it started working.

    Second question.

    I think that I did the firewall rules wrong. I did the firewall rules on the vlans instead of the WAN. If I place the rules on the wan instead of the vlans will the other vlans have access to each other?



  • firewall rules apply always on incoming traffic, so if you want to block traffic from vlan4 to vlan5 the rules for this have to go to the vlan4 tab for example.



  • Thanks for your response.

    I think that I have everything working now. But I just want to see if this was the best way to do this. It was a little hard to test all of this in the lab before I replaced our last firewall software.

    I have all of the rules for the inbound traffic to specified ports and network alias for the vlans on the wan interface, including port fowarding rule . Placed rules on the vlan interfaces to allow traffic on specified ports from one vlan to another. Placed a rules on each vlan that uses public address to allow traffic out to the internet ( rule:  allow any from vlan network except if “alias” of all the vlans.) entered outbound nat mapping for all of the private range vlans

    Does this sound accurate?

    Thanks for your help!

    Rick



  • Yes, I think you got it right now :)


Locked