Idiot Check - Am I thinking about disabling inter VLAN correctly? *fixed*



  • At my company, we use PFSense a whole ton at temporary events. We've upgraded the number of VLAN's that we use from 14 to 39 this year, plus management LAN.

    In an attempt to shorten my rules list per interface, I made an Alias called "RFC1918" that blocks all 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 addresses. I want to make sure that users on VLAN 10 can't get to VLAN 20 and whatnot, but I don't really want to make 1500+ rules between all of the interfaces.

    My current rule structure per VLAN is as followed:

    | P/B | Proto | Source | Port | Destination | Port | Gateway | Description |
    | Pass | IPv4 TCP/UDP | Respective VLAN Net | * | Respective VLAN Address | * | * | Pass | VLAN to GW |
    | Block | IPv4 TCP/UDP | Respective VLAN Net | * | RFC1918 | * | * | Block | VLAN to RFC1918 |
    | Pass | IPv4 TCP/UDP | Respective VLAN Net | * | * | * | MultiWanGateway | Pass | Internet |

    Does this make sense? I've tested it any everything works just fine in the lab, but I just keep looking at it like I'm missing something obvious.

    Also, my workaround for "I need a printer on that other network" is to create an exception pass rule above the block RFC1918 to the other VLAN.

    Thanks in advance!

    update - Thanks johnpoz!


  • Rebel Alliance Global Moderator

    that looks correct to me… Yeah I use the same sort of thing blocking rfc1918 for my dmz..

    I let clients ping pfsense IP on that segment, I let them use dns to pfsense.  But then make sure they can not even get to the pfsense wan IPs.  And log any access attempts to pfsense IPs.  Then let them go anywhere as long as not rfc1918 alias, and then another ipv6 alias that has my he /48 and 64 in the ipv6 local alias.

    But yeah that looks like very simple easy rules to implement and understand.




  • Awesome, thank you for that! Glad to know I'm not entirely dumb  ;)



  • So if I understand this correctly,

    You have an alias consisting of:

    10.0.0.0        -   10.255.255.255  (10/8 prefix)
    172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
    192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
    

    Then from one vlan you block access to the alias but allow it to be a gateway to the world. This would then segregate the network and keep each vlan independant. Does each vlan have many nodes on it, or do you also only allow a few nodes, and in this way isolate individual nodes for security?

    It seems like this would be a great way to keep many different untrusted systems from infecting each other on the same network. Is this the primary use case?

    What other ways can this be used?

    You turn on a light and now I want to see where I can go.  ;D


  • Rebel Alliance Global Moderator

    "t seems like this would be a great way to keep many different untrusted systems from infecting each other on the same network"

    pfsense or any gateway has nothing to do with traffic between devices on the same vlan.  If you don't want devices talking to each other on the same vlan then you need to use private vlans at the switch level.

    http://www.cisco.com/c/en/us/tech/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/index.html

    But yes if you have a network of devices that have no real need to talk to each other - say a school for example, or say a hotel or even a internet cafe where people just want wired internet connectivity.  If they want to play a game with other users then they would need to connect to a community vlan.



  • @jc2it:

    So if I understand this correctly,

    You have an alias consisting of:

    10.0.0.0        -   10.255.255.255  (10/8 prefix)
    172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
    192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
    

    Then from one vlan you block access to the alias but allow it to be a gateway to the world. This would then segregate the network and keep each vlan independant. Does each vlan have many nodes on it, or do you also only allow a few nodes, and in this way isolate individual nodes for security?

    It seems like this would be a great way to keep many different untrusted systems from infecting each other on the same network. Is this the primary use case?

    What other ways can this be used?

    You turn on a light and now I want to see where I can go.  ;D

    My main use case is that I deploy pfSense in temporary event scenarios. I have my standard config that I tweak per the client's requests of "Hey, I want group 1 and group 2 to both be on the network but I don't want all the Apple computers to see each other between the two groups (Bonjour being the culprit usually)" or basic printer access between multiple VLAN's. The past year we ran 14 VLAN's and had individual "10 can't go to 11," "10 can't go to 12," and "11 can't go to 10," "11 can't go to 12" but for 14 VLANs. Annoying, but not a huge deal.

    Welp, we moved up to 40 VLAN's this year and I just didn't want to create 1500+ rules between the interfaces so figured this would be quite a bit easier :) Even if I need to pass a printer between different VLAN's, I just need to add 1 additional rule between my "Pass Gateway" and "Block RFC1918" rules and I'm all set!

    As far as client isolation, the best I can suggest for that is