VLAN rule with only internet, no access to other VLANs
-
Hi there,
How do I create a VLAN rule that is for only internet?
-
I know I can do it like this:
https://calvin.me/block-traffic-vlan-pfsense/
But isn't there another way? What if I have 1000 VLANs?
-
Oh no! Maintaining a large firewall might be work!
If you can make the ruleset the same on every interface you can put them on an interface group.
If you can't you can probably script a config.xml and reload.
The GUI will probably fall on its face with 1000 interfaces defined.
You might look into private VLANs at layer 2 if you're looking at isolating that many users.
-
So your first issue is taking advice from the idiot writing that guide..
"The network can communicate with itself." *rolleyes*
1000 VLANs, really?? You're running a network with 1000 VLANs but you have to ask how to isolate them? Sorry, I find that really, really hard to believe.
-
I have 3, but that's not the point.
Is there another guide on how it is done correctly?
-
So what traffic do you want to allow between these VLANs? None? What do these VLANs use for, say, DNS? pfSense via the IP in their VLAN? Some internal DNS? What about other services like NTP? Do these VLANs access any services in your other VLANs?
If all you want is pure internet access, or access outside your RFC1918 networks.. I am assuming you only use RFC1918 address space on your network..
Allow traffic to pfSense on the ports/protocols you want, say DNS/ICMP.. Then create a rule that says ! rfc1918 alias - there you go, these VLANs can only talk to the internet..
Here for example is my guest WLAN network - I don't even let it do anything on my networks other than ping its gateway pfSense IP in that interface. DHCP is handed out by pfSense - but it hands it public DNS, etc. So I let the devices on this VLAN ping their gateway. First rule. I then block it from any IP on the firewall (this blocks the public IP and is just an easy safe rule to put in when you don't want clients talking to your pfSense). Then the last rule says the client can go anywhere they want that is not RFC1918 space - i.e. the internet. Any, any ports..
As to 3 VLANs or 1000 - that is a HUGE difference and a very important point. Since you have 3, if this took you more than like 1 minute to set up, something is wrong.. Now if you need to mass deploy the same rules to massive numbers of VLANs we can discuss that, but you need to figure out the rules before you worry about how to deploy them.
-
When I make HOME_NET HOME_ADDRESS I lose internet. Why?
-
When I make HOME_NET HOME_ADDRESS I lose internet. Why?
When you make what HOME_NET HOME_ADDRESS??
You're going to have to post what's actually working/not working. You're not providing enough information. This sounds like pretty basic pfSense firewall rule issues. You might want to try the sub-forum for your native language.
-
After a while I have figured out the internet can't connect because the gateway in Status > Gateways is showing offline:
Name      Gateway   Monitor   RTT   Loss   Status                                               Description
WAN_DHCP  x.x.x.x   x.x.x.x   0ms   100%   Offline (Last check: Mon, 08 Feb 2016 22:44:22 +0100)   Interface WAN_DHCP Gateway
How do I fix this?
It's my official internet IP that is showing as gateway. When it was online a little while ago everything was working like it should.
-
The gateway shouldn't be your IP address. It should be the IP address of the next hop at the ISP.
-
The gateway shouldn't be your IP address. It should be the IP address of the next hop at the ISP.
Hmm, sorry. It wasn't my IP. It is set as default to dynamic.
I lose my internet as soon as I change to vlan_address. Don't know how to fix this?
-
No idea what to tell you as you aren't providing enough information.
-
Ok, what do you need to help me?
-
Managed to get it to work again.
Now there is a new problem. In a VLAN I have a server, and the NAT loopback isn't working when activating ! rfc1918 from the HOME VLAN to the SERVER VLAN.
If I remove 192.168.99.0/24 from the alias it works again.
IPv4 TCP/UDP HOME net * 192.168.99.11 1716 - 1718 * none
This fixes the problem, but it should not be like that?
-
I would suggest you either work in a forum with your native language… Or provide something for us to help you.
How about posting up your rules - see the example I posted.. And some understanding of your network.. What address space is in use, etc..
"If I remove 192.168.99.0/24 from the alias it works again"
What alias?? That is not a network that should be in an rfc1918 alias.. How are you using whatever alias in your rules?? POST THEM!!!
An alias called rfc1918 would, with common sense based on the name, contain the RFC1918 address space... i.e. 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 -- you putting in 1 specific /24 network doesn't seem to fit the name of the alias.
As to NAT loopback?? If you're sending traffic back into an RFC1918 address and you BLOCK it, then well, kind of no shit it's going to be blocked, huh!!
-
Now after a reboot the second VLAN is not working again on internet. Can my problem be that pfSense runs on VMware ESXi 6?
The HOME VLAN has internet but the SERVER VLAN does not. See pictures of the rules.
Also the pfSense box says: Unable to check for updates. Tried to log in over SSH and ping the internet; it answers but takes about 5 seconds to start.
-
Your default pass rule on SERVERS is TCP-only. Make it protocol any.
Your HOME rules are a perfect example why it is more logical and straightforward to BLOCK to rfc1918 then PASS to any instead of PASS to ! rfc1918. I would move rules 4 and 5 above the PASS ! rfc1918 rule.
-
So home is 192.168.1/24 and servers is 192.168.99/24?
If that is the case? Then rule 4 on the home tab is completely pointless.. You do not talk to pfSense to talk to devices on your own network.
If it's the other way, then rule 5 in that tab is pointless.. Either way you have to have rules that allow traffic above your ! rfc1918 rule..
Rules are processed top down!! The first rule that fires wins and the rest of the rules are not even looked at..
On a side note, forwarding traffic from the public internet to 3389 (remote desktop) is normally a BAD idea!! Just saying that is not a secure setup at all..
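As an added example (not code from any post in this thread), a small first-match evaluator that models the rule designs discussed by johnpoz and Derelict above: PASS to ! rfc1918 versus BLOCK rfc1918 then PASS any, what happens when a specific allow sits below the block, and the TCP-only pass that silently drops UDP. Only 192.168.99.11 and the 1716 - 1718 port range come from the thread; the public test address, the rule contents and all function names are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example (not from the thread): a first-match evaluator for pfSense-style rules.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

def evaluate(rules, dst, port, proto):
    """Walk the tab top down; the first rule whose matcher fires decides.
    pfSense drops anything no rule passes, so the fall-through is 'block'."""
    for action, match in rules:
        if match(ip_address(dst), port, proto):
            return action
    return "block"

def to_alias(alias, invert=False, protos=("tcp", "udp", "icmp")):
    # 'invert' models the GUI's "! alias" (not) checkbox on the destination field.
    return lambda dst, port, proto: (any(dst in n for n in alias) != invert) and proto in protos

def to_host(host, ports, protos=("tcp", "udp")):
    return lambda dst, port, proto: dst == ip_address(host) and port in ports and proto in protos

SERVER_PORTS = range(1716, 1719)          # 1716 - 1718, as in the thread's HOME rule

# Style A, as the OP had it: PASS to ! rfc1918, plus a specific pass to the server.
home_pass_not_rfc1918 = [
    ("pass", to_alias(RFC1918, invert=True)),
    ("pass", to_host("192.168.99.11", SERVER_PORTS)),
]

# Style B, as Derelict suggests: specific passes first, then BLOCK rfc1918, then PASS any.
home_block_then_pass = [
    ("pass", to_host("192.168.99.11", SERVER_PORTS)),
    ("block", to_alias(RFC1918)),
    ("pass", to_alias(ANY)),
]

# Style B with the server pass below the block: never reached for a 192.168.99.x destination.
home_misordered = [
    ("block", to_alias(RFC1918)),
    ("pass", to_alias(ANY)),
    ("pass", to_host("192.168.99.11", SERVER_PORTS)),
]

# SERVERS tab with a TCP-only pass to any (the defect called out above) versus protocol any.
servers_tcp_only = [("pass", to_alias(ANY, protos=("tcp",)))]
servers_any_proto = [("pass", to_alias(ANY))]

if __name__ == "__main__":
    print(evaluate(home_misordered, "192.168.99.11", 1716, "tcp"))  # block: the allow sits below the block
```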
-
Your default pass rule on SERVERS is TCP-only. Make it protocol any.
Your HOME rules are a perfect example why it is more logical and straightforward to BLOCK to rfc1918 then PASS to any instead of PASS to ! rfc1918. I would move rules 4 and 5 above the PASS ! rfc1918 rule.
Thank you. I almost tried to reinstall and maybe even change pfSense out for a Fortigate there. :)
Now everything works :)
-
So home is 192.168.1/24 and servers is 192.168.99/24?
If that is the case? Then rule 4 on the home tab is completely pointless.. You do not talk to pfSense to talk to devices on your own network.
If it's the other way, then rule 5 in that tab is pointless.. Either way you have to have rules that allow traffic above your ! rfc1918 rule..
Rules are processed top down!! The first rule that fires wins and the rest of the rules are not even looked at..
On a side note, forwarding traffic from the public internet to 3389 (remote desktop) is normally a BAD idea!! Just saying that is not a secure setup at all..
Home is 192.168.5.1/24 and server is 192.168.99.1/24.
But it's so strange that I need rule 5 to make it work, since I have NAT 1716 and 1717.
It's not a public network but my home network.