Netgate Discussion Forum

Rules on physical interface or on each VLAN

General pfSense Questions

bfts

Dear Forum,

First of all, I am not sure if this is for the "General Questions" section or should go into "Firewalling"; please move it if it fits better in the other section.

I wonder what is the best way to set up my firewall rules with various VLANs in place?
My WANs (WAN1, WAN2, WAN3) come in on the same physical IF (WAN); all my LANs (LAN1, LAN2, LAN3) come in on the same (but different from WAN) physical IF (LAN).

So I wonder if I should put my rules on the "WAN" and "LAN" interfaces or on each of "WAN1", "WAN2", "WAN3" and "LAN1", "LAN2", "LAN3" - this is as much for interface rules as for floating rules?

If it's the same, what would be considered best practice?

Thanks
divsys

As in most things, it depends on what you're trying to accomplish.

In many (most?) scenarios, you set up VLANs to give yourself the needed subnets without needing physical NICs in the pfSense box to attach the wires.
You set up your switch(es) so that particular ports give you the different "NICs" you need for the wires.

Once that's done and working, pfSense can treat those VLANs just like a physical interface.
The one caveat is that you often (almost always) don't want anything to explicitly use the base LAN NIC (or WAN as well in your case).

If you make sure that all your rules attach to VLANs and/or VWANs, it will be much easier to figure out where your traffic is going.

If you tell us more about what you're trying to accomplish, we can give better suggestions.

-jfp
bfts

Thanks for the answer.

Yeah, mine is the case of fewer cables and fewer NICs ;)

I have an OfficeLAN, an InternetCafe(style)LAN and a free WiFi on the VLANs.
On the (V)WANs, 3 different ADSL connections configured as Multi-WAN.

I am looking into some deeper firewalling with pfBlockerNG and Suricata/Snort.

Most rules on the WAN side should be the same for all WANs, and some rules on the LAN side will be the same too, so I was wondering if I can just select the physical WAN interface for those rules or if I should select all the (V)WANs when making those rules.
So I guess it will keep things easier to troubleshoot if I keep the rules on each VLAN/VWAN interface.
divsys

"So I guess it will keep things easier to troubleshoot if I keep the rules on each VLAN/VWAN interface."

Given your description, I'd say that's the way to go.

With your setup you can treat the VLAN NICs as if they were separate physical devices.

Just pretend you have (6) physical NICs in your pfSense box and use the various hints and suggestions that apply to any multi-WAN, multi-LAN setup.
For me, the toughest part of these setups is figuring out what terminology the switch manufacturer is using in describing their VLAN configuration tools.
After that, it's typically pretty cut and dried to set up the networks.

-jfp
jahonix

Your physical WAN and LAN interfaces are only the parents to your VLANs, right?
Then you have to filter on the vWAN1/2/3 and vLAN1/2/3.

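The advice in the replies above (bind every rule to the VLAN interfaces, leave the parent NICs unused) is shown below as an added illustration in raw pf(4) ruleset syntax. This is not code from the thread, from Netgate, or from pfSense itself; pfSense generates its own pf.conf from the GUI, and the interface names (igb0/igb1 as the parent NICs, parent.tag names for the VLANs), VLAN tags and subnets are all assumed for the example.

```pf
# Assumed layout for this example (not from the thread):
#   igb0 = physical WAN parent NIC, igb1 = physical LAN parent NIC
#   igb0.101 igb0.102 igb0.103 = WAN1 WAN2 WAN3 (three ADSL links, Multi-WAN)
#   igb1.10  igb1.20  igb1.30  = OfficeLAN, CafeLAN, GuestWiFi
# Once the VLANs exist, the parent NICs only carry 802.1Q tagged frames, so
# no rule below is ever attached to igb0 or igb1 except to block them.

wan_parent = "igb0"
lan_parent = "igb1"
wans = "{ igb0.101 igb0.102 igb0.103 }"
lans = "{ igb1.10 igb1.20 igb1.30 }"

office_net = "10.10.0.0/24"
cafe_net   = "10.20.0.0/24"
guest_net  = "10.30.0.0/24"
rfc1918    = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"

set skip on lo0

# Default deny, logged, so anything not matched by a rule below is visible
# in the firewall log with the VLAN interface it arrived on.
block log all

# Nothing is supposed to use the untagged parent NICs. Blocking them
# explicitly (rather than relying on the default) gives stray untagged
# traffic a clearly labelled log entry instead of a generic default-deny hit.
block in log quick on $wan_parent label "untagged on WAN parent"
block in log quick on $lan_parent label "untagged on LAN parent"

# WAN side: one policy shared by all three links, written once but bound to
# the vWAN interface list rather than to igb0. Rule hits are then attributed
# to the specific ADSL link, which is what makes troubleshooting easier.
block in log quick on $wans from $rfc1918 to any label "private source on WAN"

# LAN side: a separate, minimal policy per VLAN.
# Office: unrestricted outbound, including to the other internal segments.
pass in quick on igb1.10 from $office_net to any

# Cafe: web and DNS only; no reach into any internal segment.
block in log quick on igb1.20 from $cafe_net to $rfc1918 label "cafe to internal"
pass in quick on igb1.20 proto { tcp udp } from $cafe_net to any port { 53 80 443 }

# Guest WiFi: same shape as the cafe segment, kept as its own rules so the
# two segments can diverge later without touching each other.
block in log quick on igb1.30 from $guest_net to $rfc1918 label "guest to internal"
pass in quick on igb1.30 proto { tcp udp } from $guest_net to any port { 53 80 443 }
```

In the pfSense GUI the same structure means putting rules on the WAN1/WAN2/WAN3 and LAN1/LAN2/LAN3 interface tabs and leaving the parent "WAN" and "LAN" tabs empty; for floating rules, select the three vWAN (or the three vLAN) interfaces in the rule instead of the parent interface, which keeps the per-link attribution in the logs without duplicating the rule three times.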
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.