    Blocking routing (and all traffic) between two LAN's?

    7 Posts 4 Posters 4.5k Views
      jcpro

      Hi all,

      I've got one of OVH's dedicated cloud clusters running ESXi 6.0.
      Along with the default installation they provide to the customer (me), they have set up a few Virtual Port Groups that are essentially their own switches that don't communicate with each other. OVH have labelled the Port Groups LAN5000, LAN5001, LAN5002 etc., if you're familiar.

      I have pfSense 2.3 configured with virtual NICs connected to each of these Virtual Port Groups.
      I've discovered that hosts connected to each Port Group can ping each other when they are configured to receive an IP from pfSense's DHCP server. When hosts are configured with static IPs they cannot communicate with each other, so it appears pfSense is allowing routing between the LANs.

      How do I configure firewall rules to prevent hosts from communicating with one another if they are connected to these different Port Groups but still allow them to see the internet?

      I looked at implementing VLANs, but OVH don't actually give me permission to modify some of the network-level elements that they have provided within ESXi 6.0, and to be honest I'm not sure if VLANs are entirely necessary if I can accomplish the same thing with firewall rules. I could be entirely wrong on this and maybe VLANs are what I'm supposed to be using in this scenario, but I'm lacking knowledge in this regard.

      This is an overly simplistic diagram of the pfSense environment:

      WEB - WAN
               \- LAN1 - Hosts
               \- LAN2 - Hosts
               \- LAN3 - Hosts
               \- LAN4 - Hosts
               \- LAN5 - Hosts

        Hugovsky

        @jcpro:

        How do I configure firewall rules to prevent hosts from communicating with one another if they are connected to these different Port Groups but still allow them to see the internet?

        Use gateway in the rules.

          johnpoz (LAYER 8 Global Moderator)

          So what are your networks on these connections? Example:

          lan 1, 192.168.1.0/24
          lan 2, 192.168.2.0/24
          lan 3, 192.168.3.0/24

          So on those interfaces for each lan create rules that block access to the other networks.  You could do it all in 1 rule, you could do it in individual rules..

          So I am guessing you have any any rules on these interfaces?  So above the any any rule place a block rule for the source of that network and where you don't want it to go.

          So source would be lan1 net, dest would be lan2 net block.. etc..  Or just create an alias with your networks in it and use that alias in the block..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            JasonJoel

            For instance, on my guest wifi VLAN interface I have an IPv4 allow-any rule at the bottom of the rule list, and above that I have a rule like this to block any of those devices from connecting to my main home LAN:

            Type         BLOCK
            Protocol     IPv4
            Source       GUEST_WIFI net
            Port         *
            Destination  LAN net
            Port         *
            Gateway      *
            Queue        none
            Schedule
            Description  Reject GUEST_WIFI to LAN

              jcpro

              @johnpoz:

              So what are your networks on these connections? Example:

              lan 1, 192.168.1.0/24
              lan 2, 192.168.2.0/24
              lan 3, 192.168.3.0/24

              LAN1 - 192.168.100.0/24
              LAN2 - 192.168.101.0/24
              LAN3 - 192.168.102.0/24

              So on those interfaces for each lan create rules that block access to the other networks.  You could do it all in 1 rule, you could do it in individual rules..

              So I am guessing you have any any rules on these interfaces?  So above the any any rule place a block rule for the source of that network and where you don't want it to go.

              So source would be lan1 net, dest would be lan2 net block.. etc..  Or just create an alias with your networks in it and use that alias in the block..

              I got it working but I'm really unsure if this is a best practice way to accomplish this, essentially I created aliases for every LAN network excluding the network I want to apply the rule to as shown below:

              Then I added a block rule above the 'allow any any' rule so things look like this now and this seems to have accomplished what I need:

                JasonJoel

                I would typically just use the network definitions already available on an interface and use one rule per network instead of making an alias, but that works too.

                  johnpoz (LAYER 8 Global Moderator)

                  Simple solution if you don't want these vlans to talk to any other vlans you have is to just create an rfc1918 alias that contains all the rfc1918 space 192.168/16, 10/18, 172.16/12 and then just use that in your rule as either block, or allow if ! rfc1918 (not). I do this for example with my guest wifi network.

                  So you see I allow ping to pfSense, then block all access to any IP of pfSense. This rule is nice because it even blocks access to the WAN IP. And then I have an allow that says hey, as long as you're not going to rfc1918 space you're allowed. So this allows access to the internet, but prevents any access to any other of my networks.

                  If I wanted to allow something you can just put an allow above. Say for example on my wlan segment (my wifi devices) allow access to my plex box, my harmony hub and dvr, ntp etc. But then I again block it from talking to any IP on the firewall other than dns and ping. Then at the end allow them to go wherever they want as long as not any of my other rfc1918 networks. Keep in mind this also blocks them talking to any of my vpn connections, but vpn connections are allowed to create connections to them.


                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11
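As an added example (not code from this thread, and not pfSense's own rule engine), a small Python first-match evaluator that models the two rule layouts discussed above for LAN1, using the three networks jcpro posted; the firewall's own addresses (192.168.100.1 on LAN1, 203.0.113.2 on WAN) and the 10.8.0.0/24 VPN network are assumed. It shows why the "pass only if ! rfc1918" layout also covers networks that a hand-maintained alias of "other LANs" would miss.

```python
import ipaddress

# Constructed for this example: the three LAN networks from the thread, the full
# RFC1918 space that johnpoz's alias holds, and assumed addresses for the firewall
# itself (LAN1 gateway + WAN) and a VPN client (10.8.0.5) that is not in the per-LAN alias.
LAN1 = ipaddress.ip_network("192.168.100.0/24")
LAN2 = ipaddress.ip_network("192.168.101.0/24")
LAN3 = ipaddress.ip_network("192.168.102.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THIS_FIREWALL = {ipaddress.ip_address("192.168.100.1"), ipaddress.ip_address("203.0.113.2")}

def in_any(addr, nets):
    return any(addr in n for n in nets)

def evaluate(rules, src, dst, proto="tcp"):
    """Top-down, first match wins, as pfSense applies per-interface rules;
    anything unmatched falls through to the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, match in rules:
        if match(src, dst, proto):
            return action
    return "block"

# (a) jcpro's layout on LAN1: block to an alias of the *other* LANs, then allow any.
OTHER_LANS = [LAN2, LAN3]
LAN1_BLOCK_ALIAS = [
    ("block", lambda s, d, p: s in LAN1 and in_any(d, OTHER_LANS)),
    ("pass",  lambda s, d, p: s in LAN1),
]

# (b) johnpoz's layout: allow ping to the firewall, block everything else aimed at
# any firewall IP (WAN included), then pass only if destination is ! RFC1918.
LAN1_NOT_RFC1918 = [
    ("pass",  lambda s, d, p: s in LAN1 and d in THIS_FIREWALL and p == "icmp"),
    ("block", lambda s, d, p: s in LAN1 and d in THIS_FIREWALL),
    ("pass",  lambda s, d, p: s in LAN1 and not in_any(d, RFC1918)),
]

if __name__ == "__main__":
    # Compare both layouts for a LAN1 host talking to: internet, LAN2, VPN client, WAN IP.
    for dst in ("203.0.113.5", "192.168.101.10", "10.8.0.5", "203.0.113.2"):
        print(dst, evaluate(LAN1_BLOCK_ALIAS, "192.168.100.10", dst),
              evaluate(LAN1_NOT_RFC1918, "192.168.100.10", dst))
```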
