Netgate Discussion Forum
    Firewall Rules with VLANs and different permissions

    Firewalling
    4 Posts 2 Posters 632 Views
    • mbrogies

      Hey Guys,

      We are planning to use pfSense for our new network.
      We want to get some structure into it and have decided to configure a lot of VLANs (nearly 80 VLANs, with some spare VLANs).

      In our test network I've run into a major problem with the firewall engine of pfSense.

      Here is the scenario:

      VLAN10 Admins
      VLAN20 Clients
      VLAN30 Server
      VLAN40 Printer

      VLAN10 has access to any VLAN and Internet
      VLAN20 has access to VLAN30 and 40 and Internet
      VLAN30 has access to VLAN40 and some servers on the Internet
      VLAN40 has no direct access to any network.

      Since pfSense understands "WAN net" as the subnet on the WAN interface (which is not the Internet), I have to give VLAN20 the destination "ANY" to let them out to the Internet.
      How can I shrink the rights?
      The only way I have found is to set up some block rules before the "VLAN 20 -> ANY" rule.
      In my little scenario it's not a big deal. But when I come to the real-life scenario, it is so much overhead to shrink it.

      I would be happy, if someone has a tip for me.

      Thanks,

      Matthias

      • phil.davis

        Yes, you have to put some block rules before the general "pass all to the internet" rule.
        You can use Aliases to reduce the number of rules - and there are plenty of combinations of ways you can do it. e.g.

        1. Make an Alias for all the local subnets, perhaps even just put the whole RFC1918 private address space - e.g. call it "AllLocalStuff"
        2. Make an Alias for any special subnets like "Printers" or "Servers" that you want to give access to from some places.
        3. On each VLAN rules put:
          a) The positive local stuff that it should get access to, with pass rules.
          b) A block for destination "AllLocalStuff"
          c) Pass for the general internet

        You can even combine (b) and (c) by putting "pass to destination !AllLocalStuff"

        So for most cases you can have just 2 or 3 rules on each VLAN and still achieve the requirements.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
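To check that the alias scheme above actually yields the access matrix from the question, here is an added Python simulation of pfSense's per-interface, top-down, first-match rule evaluation (not pfSense code, and not from either poster). The addressing (VLAN n in 10.0.n.0/24, the documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 as "Internet") is a constructed assumption.

```python
"""Constructed simulation of pfSense interface-tab rule evaluation:
rules are checked top-down, first match wins, no match falls through to
the implicit default deny.  All addresses are made-up sample values."""
from ipaddress import ip_address, ip_network

# Aliases as in the reply (assumed addressing: VLAN n lives in 10.0.n.0/24).
ALIASES = {
    "AllLocalStuff": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC1918
    "Servers": ["10.0.30.0/24"],
    "Printers": ["10.0.40.0/24"],
    "InternetServers": ["203.0.113.10/32"],  # the "some servers" VLAN30 may reach
    "any": ["0.0.0.0/0"],
}

def in_alias(alias, dst):
    """True if dst falls inside any network of the named alias."""
    return any(ip_address(dst) in ip_network(net) for net in ALIASES[alias])

# Interface rules as (action, destination alias, negated?) tuples, in tab order.
RULES = {
    "VLAN10": [("pass", "any", False)],
    # a) positive local passes, b) block AllLocalStuff, c) pass to the internet
    "VLAN20": [("pass", "Servers", False), ("pass", "Printers", False),
               ("block", "AllLocalStuff", False), ("pass", "any", False)],
    "VLAN30": [("pass", "Printers", False), ("pass", "InternetServers", False)],
    "VLAN40": [],  # no rules at all: pfSense's implicit default deny applies
}

# b) and c) merged into one "pass to destination !AllLocalStuff" rule.
VLAN20_COMBINED = [("pass", "Servers", False), ("pass", "Printers", False),
                   ("pass", "AllLocalStuff", True)]

# The ordering the question ran into: "pass to any" first makes the later
# block unreachable, so every local VLAN is exposed.
VLAN20_NAIVE = [("pass", "any", False), ("block", "AllLocalStuff", False)]

def decide(rules, dst):
    """First matching rule wins; a negated rule matches when dst is NOT in the alias."""
    for action, alias, negated in rules:
        if in_alias(alias, dst) != negated:
            return action
    return "block"  # implicit default deny

def matrix(rules_by_vlan, probes):
    """{(vlan, dst): action} for every combination, for a quick review table."""
    return {(v, d): decide(r, d) for v, r in rules_by_vlan.items() for d in probes}
```

Running `matrix(RULES, ["10.0.10.5", "10.0.30.5", "10.0.40.5", "198.51.100.1"])` reproduces the matrix from the question; `decide(VLAN20_NAIVE, "10.0.10.5")` shows the Admins VLAN leaking when the pass-any rule comes first.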

        • mbrogies

          Hi Phil,

          Thanks for your advice.
          As I see it, I don't have any other option to realize my idea but to add aliases and rules to the FW.

          • phil.davis

            You can also use floating rules for rules that you want to apply to many interfaces - you just have to think about the rule processing order with and without "quick".
            https://doc.pfsense.org/index.php/What_are_Floating_Rules
            https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.