Rules on physical interface or on each VLAN

  • Dear Forum,

    First of all, I am not sure if this is for the "General Questions" section or should go into "Firewalling", please move if it fits better in the other section.

    I wonder what is the best way to set up my firewall rules with various VLANs in place?
    My WANs (WAN1, WAN2, WAN3) come in on the same physical IF (WAN), all my LANs (LAN1, LAN2, LAN3) come in on the same (but different to WAN) physical IF (LAN).

    So I wonder if I should put my rules on the "WAN" and "LAN" interfaces or on each "WAN1", "WAN2", "WAN3" and "LAN1", "LAN2", "LAN3" - this is as much for interface rules as for floating rules?

    If it's the same, what would be considered best practice?


  • As in most things, it depends on what you're trying to accomplish.

    In many (most?) scenarios, you set up VLANs to give yourself needed subnets without needing physical NICs in the pfSense box to attach the wires.
    You set up your switch(es) so that particular ports give you the different "NICs" you need for the wires.

    Once that's done and working, pfSense can treat those VLANs just like a physical interface.
    The one caveat is that you often (almost always) don't want anything to explicitly use the base LAN NIC (or WAN as well in your case).

    If you make sure that all your rules attach to VLANs and/or VWANs it will be much easier to figure out where your traffic is going.

    If you tell us more about what you're trying to accomplish, we can give better suggestions.
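The check that goes with the caveat above (and with the last reply in the thread: filter on the VLAN interfaces, not their parents) is to confirm that no active rule is bound to a bare parent NIC. The script below is an added example, not code from the thread or from pfSense: it parses rule lines in the shape `pfctl -sr` prints and flags any rule whose `on <interface>` names a parent. The sample rule lines are constructed, and the parent names igb0/igb1 and the `igb0.101` style VLAN interface names are assumptions; on a real box, pipe `pfctl -sr` in instead of the sample.

```shell
#!/bin/sh
# Added example: flag firewall rules bound to a bare VLAN parent interface.
# SAMPLE_RULES is constructed to look like `pfctl -sr` output on a pfSense box;
# igb0 (WAN parent), igb1 (LAN parent) and the igbX.N VLAN names are assumptions.
SAMPLE_RULES='block drop in quick on igb1 inet all label "USER_RULE: left behind when the LAN parent got VLANs"
pass in quick on igb1.10 inet from 10.10.0.0/24 to any flags S/SA keep state label "USER_RULE: OfficeLAN"
pass in quick on igb1.20 inet from 10.20.0.0/24 to ! 10.10.0.0/24 flags S/SA keep state label "USER_RULE: CafeLAN"
pass in quick on igb1.30 inet from 10.30.0.0/24 to ! 10.0.0.0/8 flags S/SA keep state label "USER_RULE: FreeWiFi"
block drop in quick on igb0 inet from 192.0.2.0/24 to any label "USER_RULE: blocklist attached to the WAN parent by mistake"
pass out quick on igb0.101 inet all keep state label "USER_RULE: WAN1 out"
pass out quick on igb0.102 inet all keep state label "USER_RULE: WAN2 out"
pass in quick inet proto tcp from any to any port = 22 flags S/SA keep state label "USER_RULE: floating rule with no interface"'

# Read rules on stdin; print "@<index> <rule>" (pfctl-style 0-based index) for
# each rule whose interface is one of the parent names given as arguments.
# Floating rules that carry no "on <interface>" are skipped.
rules_on_parent() {
    awk -v parents="$*" '
    BEGIN { n = split(parents, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        ifc = ""
        # The interface follows the "on" keyword and comes before the address
        # family / address part; stop scanning there so a word inside the
        # rule label can never be mistaken for the keyword.
        for (i = 1; i <= NF; i++) {
            if ($i == "on") {
                ifc = $(i + 1)
                if (ifc == "!") ifc = $(i + 2)   # "on ! igb1" negated form
                break
            }
            if ($i == "inet" || $i == "inet6" || $i == "from" || $i == "all" || $i == "proto") break
        }
        if (ifc in want) print "@" (NR - 1) " " $0
    }'
}

# Read rules on stdin; return 0 when no rule is bound to a parent interface,
# otherwise list the offenders and return 1 (usable from a cron/health check).
check_parents_clean() {
    hits=$(rules_on_parent "$@")
    if [ -n "$hits" ]; then
        printf 'Rules bound to a bare parent interface:\n%s\n' "$hits"
        return 1
    fi
    echo "OK: every interface-bound rule is on a VLAN interface"
    return 0
}

# Demo on the constructed sample. On a real box:  pfctl -sr | check_parents_clean igb0 igb1
printf '%s\n' "$SAMPLE_RULES" | rules_on_parent igb0 igb1
```

Run against the sample it reports the two rules (@0 and @4) that sit on igb1 and igb0 rather than on a VLAN interface; the floating SSH rule is ignored because it has no interface at all, which is expected for floating rules. Interface names shown by `pfctl` are the OS names (igb0.101), not the pfSense friendly names (WAN1), so pass the OS names of the parents.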

  • Thanks for the answer.

    Yeah, mine is the case of fewer cables and fewer NICs ;)

    I have an OfficeLAN, an InternetCafe(Style)LAN and a free WiFi on the VLANs.
    On the (V)WANs 3 different ADSL connections configured as MultiWAN.

    I am looking into some deeper firewalling with pfBlockerNG and Suricata/Snort.

    Most rules on the WAN side should be the same for all WANs, some rules on the LAN side will be the same too, so I was wondering if I can just select the physical WAN interface for those rules or if I should select all the (V)WANs when making those rules.
    So I guess it will keep things easier to troubleshoot if I keep the rules on each VLAN/VWAN interface.

  • So I guess it will keep things easier to troubleshoot if I keep the rules on each VLAN/VWAN interface.

    Given your description, I'd say that's the way to go.

    With your setup you can treat the VLAN NICs as if they were separate physical devices.

    Just pretend you have (6) physical NICs in your pfSense box and use the various hints and suggestions that apply to any multi-WAN, multi-LAN setup.
    For me, the toughest part of these setups is figuring out what terminology the switch manufacturer is using in describing their VLAN configuration tools.
    After that, it's typically pretty cut and dried to setup the networks.

  • Your physical WAN and LAN interfaces are only the parents to your VLANs, right?
    Then you have to filter on the vWAN1/2/3 and vLAN1/2/3.
