VLAN rule with only internet, no access to other VLANs


  • LAYER 8 Global Moderator

    So what traffic do you want to allow between these VLANs?  None?  What do these VLANs use for, say, DNS?  pfSense via the IP in their VLAN?  Some internal DNS?  What about other services like NTP? Do these VLANs access any services in your other VLANs?

    If all you want is pure internet access, or access outside your rfc1918 networks.. I am assuming you only use rfc1918 address space on your network..

    Allow traffic to pfSense on the ports/protocols you want, say DNS/ICMP.. Then create a rule that says ! rfc1918 alias - there you go, these VLANs can only talk to the internet..

    Here for example is my guest WLAN network - I don't even let it do anything on my networks other than ping its gateway pfSense IP on that interface.  DHCP is handed out by pfSense - but it hands out public DNS, etc.  So I let the devices on this VLAN ping their gateway.  First rule.  I then block it from any IP on the firewall (this blocks the public IP and is just an easy safe rule to put in when you don't want clients talking to your pfSense).  Then the last rule says the client can go anywhere they want that is not rfc1918 space - ie the internet. Any any ports..

    As to 3 VLANs or 1000 - that is a HUGE difference and a very important point. Since you have 3, if this took you more than like 1 minute to set up something is wrong..  Now if you need to mass deploy the same rules to massive numbers of VLANs we can discuss that, but you need to figure out the rules before you worry about how to deploy them.




  • When I make HOME_NET HOME_ADDRESS I lose internet, why?


  • LAYER 8 Netgate

    @telvenes:

    When I make HOME_NET HOME_ADDRESS I lose internet, why?

    When you make what HOME_NET HOME_ADDRESS ??

    You're going to have to post what's actually working/not working. You're not providing enough information. This sounds like pretty basic pfSense firewall rule issues. You might want to try the sub-forum for your native language.



  • After a while I have figured out the internet can't connect because the gateway in Status > Gateways is showing offline:

    Name: WAN_DHCP
    Gateway: x.x.x.x
    Monitor: x.x.x.x
    RTT: 0ms
    Loss: 100%
    Status: Offline (Last check: Mon, 08 Feb 2016 22:44:22 +0100)
    Description: Interface WAN_DHCP Gateway

    How do I fix this?
    It's my official internet IP that is showing as gateway.

    When it was online a little while ago everything was working like it should.


  • LAYER 8 Netgate

    The gateway shouldn't be your IP address. It should be the IP address of the next hop at the ISP.



  • @Derelict:

    The gateway shouldn't be your IP address. It should be the IP address of the next hop at the ISP.

    Hmm, sorry. It wasn't my IP. It is set as default to dynamic.

    I lose my internet as soon as I change to vlan_address. Don't know how to fix this?


  • LAYER 8 Netgate

    No idea what to tell you as you aren't providing enough information.



  • Ok, what do you need to help me?



  • Managed to get it to work again.

    Now there is a new problem. In a VLAN I have a server and the NAT loopback isn't working when activating ! rfc1918 from home VLAN to server VLAN.

    If I remove 192.168.99.0/24 from the alias it works again.

    IPv4 TCP/UDP HOME net * 192.168.99.11 1716 - 1718 * none

    Fixes the problem, but it should not be like that?


  • LAYER 8 Global Moderator

    I would suggest you either work in the forum for your native language… Or provide something for us to help you.

    How about posting up your rules - see the example I posted..  And some understanding of your network.. What address space is in use, etc..

    "if i remove 192.168.99.0/24 from alias it works again"

    What alias??  That is not a network that should be in a rfc1918 alias.. How are you using whatever alias in your rules??  POST THEM!!!

    An alias called rfc1918 would, with common sense based on the name, contain the rfc1918 address space... Ie 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 -- you putting in 1 specific /24 network doesn't seem to fit the name of the alias.

    As to NAT loopback??  If you're sending traffic back into a rfc1918 address and you BLOCK it then well kind of no shit it's going to be blocked huh!!



  • Now after reboot the second VLAN is not working again on internet. Can my problem be that pfSense runs on VMware ESXi 6?

    HOME VLAN has internet but SERVER VLAN does not. See pictures of rules.

    Also pfSense box: Unable to check for updates.  Tried to login to SSH and ping for internet, it answers but takes about 5 seconds to start.


  • LAYER 8 Netgate

    Your default pass rule on SERVERS is TCP-only. Make it protocol any.

    Your HOME rules are a perfect example why it is more logical and straightforward to BLOCK to rfc1918 then PASS to any instead of PASS to ! rfc1918. I would move rules 4 and 5 above the PASS ! rfc1918 rule.


  • LAYER 8 Global Moderator

    So home is 192.168.1/24 and servers is 192.168.99/24?

    If that is the case?  Then rule 4 on the home tab is completely pointless.. You do not talk to pfSense to talk to devices on your own network.

    If it's the other way, then rule 5 in that tab is pointless.. Either way you have to have rules that allow traffic above your ! rfc1918 rule..

    Rules are processed top down!!  First rule that fires wins and the rest of the rules are not even looked at..

    On a side note, forwarding traffic from the public internet to 3389 (remote desktop) is normally a BAD idea!! Just saying that is not a secure setup at all..
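    Derelict's and johnpoz's points above (BLOCK to rfc1918 then PASS to any; rules are processed top down and the first match wins) as an added worked example, not code from this thread or from pfSense: a small Python model of HOME-tab rule evaluation using the thread's addresses (192.168.5.0/24 as HOME, 192.168.99.11 ports 1716-1718 as the server). The alias contents, the gateway DNS rule and the probe packets are constructed for the example.

```python
import ipaddress
# Constructed alias: the three private blocks an alias named "rfc1918" would normally hold.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def rule_matches(rule, pkt):
    """One rule against one packet: protocol, source net, destination (net or alias), port range."""
    if rule["proto"] != "any" and pkt["proto"] not in rule["proto"].split("/"):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    dst = rule["dst"]
    if dst in ("rfc1918", "!rfc1918"):
        if in_rfc1918(pkt["dst"]) != (dst == "rfc1918"):  # alias match, optionally negated
            return False
    elif dst != "any" and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    lo, hi = rule.get("dport", (0, 65535))  # rules without a port range match every port
    return lo <= pkt["dport"] <= hi

def evaluate(rules, pkt):
    """Top down, first match wins; a packet matching no rule hits pf's implicit default block."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return number, rule["action"]
    return None, "block"

def pkt(dst, proto="tcp", dport=0, src="192.168.5.20"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

HOME, GATEWAY, SERVER = "192.168.5.0/24", "192.168.5.1/32", "192.168.99.11/32"
# Derelict's ordering: specific passes, then BLOCK to rfc1918, then PASS to any.
HOME_RULES = [
    {"action": "pass", "proto": "tcp/udp", "src": HOME, "dst": SERVER, "dport": (1716, 1718)},
    {"action": "pass", "proto": "udp", "src": HOME, "dst": GATEWAY, "dport": (53, 53)},
    {"action": "block", "proto": "any", "src": HOME, "dst": "rfc1918"},
    {"action": "pass", "proto": "any", "src": HOME, "dst": "any"},
]
# The same four rules with the server pass rule below the block: it can never fire.
MISORDERED = [HOME_RULES[1], HOME_RULES[2], HOME_RULES[0], HOME_RULES[3]]
# A lone PASS to !rfc1918: private destinations match nothing and fall to the default block.
PASS_NOT_RFC1918 = [{"action": "pass", "proto": "any", "src": HOME, "dst": "!rfc1918"}]

if __name__ == "__main__":
    probes = [pkt("203.0.113.10", dport=443), pkt("192.168.99.11", dport=1716), pkt("192.168.99.11", dport=3389)]
    for name, rules in (("ordered", HOME_RULES), ("misordered", MISORDERED), ("!rfc1918 only", PASS_NOT_RFC1918)):
        for p in probes:
            print(f"{name:14} -> {p['dst']}:{p['dport']} {evaluate(rules, p)}")
```

    The misordered list shows why the HOME-to-server pass rule has to sit above the rfc1918 block, and the lone ! rfc1918 rule shows that it never blocks anything itself; the implicit default deny does.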



  • @Derelict:

    Your default pass rule on SERVERS is TCP-only. Make it protocol any.

    Your HOME rules are a perfect example why it is more logical and straightforward to BLOCK to rfc1918 then PASS to any instead of PASS to ! rfc1918. I would move rules 4 and 5 above the PASS ! rfc1918 rule.

    Thank you. I almost tried to reinstall and maybe even change pfSense out for a FortiGate there. :)

    Now everything works :)



  • @johnpoz:

    So home is 192.168.1/24 and servers is 192.168.99/24?

    If that is the case?  Then rule 4 on the home tab is completely pointless.. You do not talk to pfsense to talk to devices on your own network.

    If it's the other way, then rule 5 in that tab is pointless.. Either way you have to have rules that allow traffic above your ! rfc1918 rule..

    Rules are processed top down!!  First rule that fires wins and the rest of the rules are not even looked at..

    On a side note, forwarding traffic from the public internet to 3389 (remote desktop) is normally a BAD idea!! Just saying that is not a secure setup at all..

    home is 192.168.5.1/24 and server is 192.168.99.1/24

    But it's so strange that I need rule 5 to make it work, since I have NAT 1716 and 1717.

    It's not a public network but my home network.



  • Here is NAT:


  • LAYER 8 Netgate

    home is 192.168.5.1/24 and server is 192.168.99.1/24

    But it's so strange that I need rule 5 to make it work, since I have NAT 1716 and 1717.

    It's not a public network but my home network.

    It is not strange at all. Your port forward is on WAN, not on HOME.

    In order to pass traffic from HOME to SERVERS you need a rule on HOME that passes such traffic.


  • LAYER 8 Global Moderator

    OK then, if 192.168.1/24 is one of your other networks then that rule makes sense.

    Too early for me I guess. It looked like you were creating a rule for the local network to the local network.  But you are forwarding 3389 in from your WAN, which is internet… Is it not??  So your WAN is only your own local network?? As long as the public internet can not get to 3389 then you're sure..



  • @Derelict:

    home is 192.168.5.1/24 and server is 192.168.99.1/24

    But it's so strange that I need rule 5 to make it work, since I have NAT 1716 and 1717.

    It's not a public network but my home network.

    It is not strange at all. Your port forward is on WAN, not on HOME.

    In order to pass traffic from HOME to SERVERS you need a rule on HOME that passes such traffic.

    I want to pass traffic to the internet. My services are available on the internet.



  • @johnpoz:

    OK then, if 192.168.1/24 is one of your other networks then that rule makes sense.

    Too early for me I guess. It looked like you were creating a rule for the local network to the local network.  But you are forwarding 3389 in from your WAN, which is internet… Is it not??  So your WAN is only your own local network?? As long as the public internet can not get to 3389 then you're sure..

    There are some web servers with some sites on some VLANs.

