Block LAN from OPT1, OPT2, OPT3, etc.



  • Hi

    We have several (25+) companies connected via VLANs on OPT1, OPT2, etc.
    (OPT1 = VLAN ID 10 - 172.16.10.0, OPT2 = VLAN ID 20 - 172.16.20.0, etc.)

    How do we prevent the different LANs from seeing each other while still allowing them to access the internet?
    (without making 25+ NOT rules for each)

    Thanks.



  • Add a floating rule which blocks access to the whole 172.16.0.0/12 subnet. Check "Quick", select all your companies interfaces, any protocol and put 172.16.0.0/12 in destination field.


  • LAYER 8 Global Moderator

    Or just make an alias that has your networks in it (or the RFC1918 space), and on your allow rule for each interface use a ! alias as the destination that is allowed.

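    Both replies above come down to the same pf ruleset, since pfSense compiles its GUI rules into pf syntax. The block below is an added example, not from the thread or from pfSense itself: it writes out the floating "block quick to 172.16.0.0/12" design and the "pass to ! alias" design side by side, with the one caveat both share, namely that the company block also covers the firewall's own interface address (172.16.10.1 lies inside 172.16.0.0/12 and inside the alias), so DNS to pfSense has to be passed before the block. Interface names (vlan10, vlan20, vlan30), the third network 172.16.30.0/24 and the choice of DNS as the only local service are assumptions for illustration; pfSense adds its own DHCP pass rules per interface, so those are not shown. Load only one of the two designs, not both.

    ```pf
    # Added example (not the thread's or pfSense's own configuration).
    # Assumed interface names vlan10/vlan20/vlan30 and a third company network.

    # A pfSense network alias becomes a pf table.
    table <companies> { 172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24 }

    # Default deny, as pfSense does: anything not passed below is dropped.
    block in log all

    # Shared caveat: clients must still reach the firewall's own address on
    # their VLAN for DNS; the company block below would otherwise catch it.
    # (vlan10) is pf's "address of interface vlan10" syntax.
    pass in quick on vlan10 inet proto { tcp, udp } from 172.16.10.0/24 to (vlan10) port 53
    pass in quick on vlan20 inet proto { tcp, udp } from 172.16.20.0/24 to (vlan20) port 53
    pass in quick on vlan30 inet proto { tcp, udp } from 172.16.30.0/24 to (vlan30) port 53
    # ... and the same rule for each remaining company interface.

    # Design 1: floating rule, "Quick", all company interfaces, any protocol.
    # pfSense places floating rules before interface rules, and "quick" means
    # first match wins, so inter-company traffic dies here before any pass rule.
    block in quick on { vlan10, vlan20, vlan30 } inet from any to 172.16.0.0/12
    pass in on vlan10 inet from 172.16.10.0/24 to any
    pass in on vlan20 inet from 172.16.20.0/24 to any
    pass in on vlan30 inet from 172.16.30.0/24 to any

    # Design 2: negated alias as destination on each interface's allow rule.
    # No block rule at all: the pass never matches a company destination, so
    # the default deny above drops it. One rule per interface, no NOT rules.
    pass in quick on vlan10 inet from 172.16.10.0/24 to ! <companies>
    pass in quick on vlan20 inet from 172.16.20.0/24 to ! <companies>
    pass in quick on vlan30 inet from 172.16.30.0/24 to ! <companies>
    ```

    Design 1 blocks the whole 172.16.0.0/12 range, so it also covers any company network added later without editing the rule; design 2 only blocks what is in the alias, so every new VLAN must be added to it, which is the trade-off between the two replies. In either design, check the result from a client on one VLAN: a ping or connection to a host on another VLAN should fail while a lookup against the firewall's DNS and traffic to the internet succeed.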


  • How do we prevent the different LANs from seeing each other while still allowing them to access the internet?
    (without making 25+ NOT rules for each)

    Another way that could work well is to connect one Layer 3 switch to one port and then let the
    switch route (or not route) the VLANs instead of pfSense; over switch ACLs you could also regulate
    the rights to go or not.

    Another one could be connecting a Layer 2 switch that is not routing between the VLANs; then nothing
    must be done, because no one is then routing between them (the VLANs).

