Firewall VLANs

  • Howdy, I have setup a number of VLANs and accompanying layer 3 interfaces on pfSense. I want to use the firewalling features in pfSense to block and filter access in/out of each VLAN, but it doesn't appear to be working for me. As a simple test I put an SVI on my switch and then added rules for ICMP and SSH to the VLAN interface in pfSense and traffic flows just fine. When I disable or even delete those pass rules, I can still ping and SSH to my SVI. I even added an explicit block any ipv4 rule and I can still get into the VLAN from any other VLAN. What am I missing? Does inter vlan routing process and pass traffic before firewall rules are parsed?

  • LAYER 8 Netgate

    Be sure that the rules are on the proper interface. Imagine sitting inside of the pfSense box. Sure, it's a little crowded in there, but this can help. Imagine packets flying in from the different networks that the pfSense box ties together. The rules will be placed on the interface they entered from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still enter on the LAN. If a packet is coming from the Internet to the pfSense box, the rule goes on the WAN interface.

    Once a packet is allowed INTO pfSense, it, by default, is past all firewalling and is allowed out with no further rules.

    Firewall rules are processed when a session is started coming INTO an interface.  This means connections from your LAN computers to web pages, DNS servers, mail servers, etc., are handled by rules on your LAN interface.  If you have port forwards permitting connections from the internet inbound to local servers these go on your WAN interface.  This is the single concept that you need to grasp when designing your network at the start.

    So if you have LAN and DMZ and you want hosts on LAN to communicate with hosts on DMZ, but only want hosts on DMZ to be able to connect to the mail server on LAN on ports 25, 110, and 143 you would do this:

    ON LAN:
    pass ip any source LAN network dest DMZ network any

    OR, just a default any any rule for general internet access:

    pass ip any source LAN network dest any any

    (dest any will match DMZ network too)

    ON DMZ:
    pass ip tcp any source DMZ network dest mail_server port 25
    pass ip tcp any source DMZ network dest mail_server port 110
    pass ip tcp any source DMZ network dest mail_server port 143
    reject ip any source DMZ network dest LAN network any

  • Makes sense, I will give it a go. Thanks so much for your response, Derelict.

Log in to reply