Firewall organisation AKA incoming firewall rules per VLAN



  • Hi all,

    I have searched the KB, Manual and google and haven't come up with any hits for this question, so please forgive me if this is a repeat question.

    I basically wanted to set INCOMING firewall rules per VLAN. At the moment we have set all firewall rules on the WAN interface, which works beautifully, however it is beginning to become a bit of a brain screw, with many entries etc., etc.

    I know you can set OUTGOING rules per VLAN but haven't been able to set INCOMING rules per VLAN.
    I have a feeling it is possible, just the GUI doesn't reveal any of the options to you. This ability would be ideal as I won't be replicating rules over and over again for different subnets.

    Current setup is multiple subnets routed to firewall IP, each subnet given its own LAN interface and VLAN. Incoming allow rules set on WAN.

    Does anyone have any experience with setting this up or any suggestions? Is this even possible?

    Thanks for your time and assistance.



  • http://forum.pfsense.org/index.php/topic,7001.0.html

    You kind of misunderstood how the firewall rules on pfSense work.
    It's NOT POSSIBLE to set outbound firewall rules.
    All rules are always inbound active.

    Meaning all your rules on the WAN affect only traffic coming in on the WAN.
    All rules you created there regarding the other interfaces are useless.



  • Hi Gruens,

    Thanks for the reply, I did get it wrong thanks for pointing that out.

    The situation is that we have to set all the inbound firewall rules on the WAN interface, but would much rather move the rules "backwards" a step by allowing all traffic through on the WAN and having firewall rules per VLAN.
    That way we can just plonk new servers/subnets into the relevant VLAN and it inherits all the rules without us having to add rules for each subnet individually.

    Hope this makes sense and I hope someone has a bright idea on how to get this working ;)
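The point Gruens makes, and the reason the WAN-side rules for the VLAN subnets never fire, can be shown with a small model of how pfSense evaluates interface rules: each interface has its own rule list, a packet is checked only against the list of the interface it arrives on, the first matching rule wins, and anything unmatched is dropped by the implicit default deny. The following Python is an added example written for this thread, not pfSense code; the interface names, addresses and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet ENTERS the firewall on
    proto: str     # "tcp" or "udp"
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # None means any destination port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def decide(rulesets: Dict[str, List[Rule]], pkt: Packet) -> str:
    """pfSense-style evaluation: only the ingress interface's list is
    consulted, first match wins, unmatched traffic is blocked."""
    for rule in rulesets.get(pkt.ingress, []):
        if rule_matches(rule, pkt):
            return rule.action
    return "block"  # implicit default deny on every interface


# Constructed rulesets. The WAN list contains a rule "for" the VLAN10
# subnet (as in the original poster's setup); VLAN10 has its own list.
RULESETS: Dict[str, List[Rule]] = {
    "wan": [
        # Publish a web server behind the firewall to the Internet.
        Rule("pass", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
        # This rule names the VLAN10 subnet as source, but VLAN10 hosts
        # never enter on WAN, so it can never match anything.
        Rule("pass", "tcp", "10.10.0.0/24", "0.0.0.0/0", 22),
    ],
    "vlan10": [
        # Hosts on VLAN10 may browse HTTPS; everything else is denied.
        Rule("pass", "tcp", "10.10.0.0/24", "0.0.0.0/0", 443),
    ],
}


def demo() -> Dict[str, str]:
    """Evaluate a few constructed packets and return the verdicts."""
    packets = {
        # Internet client to the published server: enters on WAN.
        "inet_to_web": Packet("wan", "tcp", "198.51.100.4", "192.0.2.10", 443),
        # VLAN10 host opening SSH to another subnet: enters on vlan10,
        # so the WAN rule allowing port 22 from 10.10.0.0/24 is ignored.
        "vlan10_ssh": Packet("vlan10", "tcp", "10.10.0.5", "10.20.0.7", 22),
        # VLAN10 host browsing HTTPS: matches the vlan10 list.
        "vlan10_https": Packet("vlan10", "tcp", "10.10.0.5", "203.0.113.9", 443),
        # Unrelated inbound probe on WAN: no matching rule, default deny.
        "inet_probe": Packet("wan", "udp", "198.51.100.4", "192.0.2.10", 53),
    }
    return {name: decide(RULESETS, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The `vlan10_ssh` packet is the interesting one: the WAN list holds a rule that names the VLAN10 subnet, yet the verdict is `block`, because the packet entered on `vlan10` and only that interface's list is consulted. Rules that should govern what VLAN hosts may initiate belong on the VLAN interface; rules for traffic arriving from the Internet stay on WAN, since that is where those packets enter.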

