Firewall Rules with VLANs and diffrent permissions



  • Hey Guys,

    we are planning to use the pfSense for our new Network.
    We want to get some structure into it and decided to configure a lot of VLANs (nearly 80 VLANs with some Spare VLAN).

    In our testing Network I've run into a major problem with the Firewallengine of pfSense.

    Here is the scenario:

    VLAN10 Admins
    VLAN20 Clients
    VLAN30 Server
    VLAN40 Printer

    VLAN10 has access to any VLAN and Internet
    VLAN20 has access to VLAN30 and 40 and Internet
    VLAN30 has acces to VLAN40 and some Servers on the Internet
    VLAN40 has no direct Access to any Network.

    Since the pfSense understands WAN net as the Subnet on the WAN Interface (!= this is not the Internet), i've to give VLAN20 as Destination "ANY" to let em out to Internet.
    How can i shrink the rights?
    The only way i have found is to setup some Block rules bevor the "VLAN 20 -> ANY" rule.
    In my Little Scenario it's not a big act. But when i come to the real life scenario, it is so much overhead to shrink it.

    I would be happy, if someone has a tip for me.

    Thanks,

    Matthias



  • Yes, you have to put some block rules before the general "pass all to the internet" rule.
    You can use Aliases to reduce the number of rules - and there are plenty of combinations of ways you can do it. e.g.

    1. Make an Alias for all the local subnets, perhaps even just put the whole RFC1918 private address space - e.g. call it "AllLocalStuff"
    2. Make an Alias for any special subnets like "Printers" or "Servers" that you want to give access to from some places.
    3. On each VLAN rules put:
      a) The positive local stuff that it should get access to, with pass rules.
      b) A block for destination "AllLocalStuff"
      c) Pass for the general internet

    You can even combine (b) and © by putting "pass to destination !AllLocalStuff"

    So for most cases you can have just 2 or 3 rules on each VLAN and still achieve the requirements.



  • Hi Phil,

    thanks for your advice.
    As i see, i don't have any other option to realize my idea but to add aliases and rules to the FW.



  • You can also use floating rules for rules that you want to apply to many interfaces - you just have to think about the rule processing order with and without "quick".
    https://doc.pfsense.org/index.php/What_are_Floating_Rules
    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order


Log in to reply