Newbie Needs Firewall Help
-
Hi All.
Fresh newbie here. Been googling and searching forums, but might be so new I'm looking in the wrong places. So, here goes:
Following some tutorials I've succeeded in installing pfsense (on a two NIC machine) and configuring not only the LAN and WAN interfaces but VLAN10 and VLAN20. The "parent" of the two VLANs is the LAN interface and they're all associated with the em1 NIC card. This NIC is connected via a VLAN trunk line to a managed switch. The LAN, VLAN10, and VLAN20 interfaces are on the 192.168.1.0/24, 192.168.10.0/24, and 192.168.20.0/24 subnets respectively and they all have the appropriate DHCP services. I've confirmed that client PCs connecting via the different VLANs are served the appropriate IP address and Gateway.
Using a simple (and obviously too liberal) firewall rule I've given the VLANs connectivity – see attached. I've confirmed that LAN, VLAN10, and VLAN20 all have internet connectivity (WAN connected to my ISP).
So, after that long-winded introduction, here's the question. What are the correct firewall rules to:
1. Give VLAN10 and VLAN20 internet connectivity while totally isolating them from LAN and each other.
2. Block clients on VLAN10 or VLAN20 from accessing the pfsense configuration page by typing the Gateway IP address into their browser (i.e. 192.168.10.1 or 192.168.20.1).
If this topic is already covered somewhere, please just supply a pointer.
Thanks.
Greg
-
1. Give VLAN10 and VLAN20 internet connectivity while totally isolating them from LAN and each other.
A: Create two drop/block rules at or near the top of your rules for each of the LAN, VLAN10 and VLAN20 networks. Set the source in each as the local network you're coming from (LAN, VLAN…) and the destination in each as the other two VLANs. For instance, in your LAN rules create two drop rules with source LAN in each and destinations VLAN10 and VLAN20. Better still, create an alias with VLAN10 and VLAN20 as members and create one drop rule with source LAN and destination 'alias-name'. Remember rules are applied from the top down, so make sure these drop rules appear before your more permissive rules.
2. Block clients on VLAN10 or VLAN20 from accessing the pfsense configuration page by typing the Gateway IP address into their browser (i.e. 192.168.10.1 or 192.168.20.1).
If this topic is already covered somewhere, please just supply a pointer.
Pointer: https://doc.pfsense.org/index.php/Restrict_access_to_management_interface
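The rule order the answer insists on can be checked before touching the real box. The model below is an added illustration, not code from this thread or from pfSense: it replays pfSense's per-interface evaluation (top-down, first match wins, because pfSense emits every rule with pf's "quick" keyword, and anything nothing matched is dropped) over the LAN / VLAN10 / VLAN20 layout from the question, with the answer's drop rules plus a block to pfSense's "This Firewall (self)" destination for point 2. Assumptions not in the thread: the firewall holds .1 on each subnet, the webGUI listens on TCP 443/80 and SSH on 22, and VLAN clients use the firewall as their DNS resolver (DHCP needs no rule, pfSense adds hidden pass rules for its own DHCP server). The "misordered" and "liberal" variants show what the wrong order and the question's single allow-everything rule actually permit.

```python
"""Rule-order model for the LAN / VLAN10 / VLAN20 layout in the thread.

pfSense evaluates an interface's rules top-down and stops at the first match;
traffic matching no rule is dropped. Added illustration, not pfSense code.
Assumed: firewall at .1 on every subnet, webGUI on 443/80, SSH on 22, and the
firewall acting as DNS resolver for the VLANs (DHCP is allowed implicitly).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network

NETS = {  # subnets from the original post (192.168.20/24 read as 192.168.20.0/24)
    "LAN": IPNet("192.168.1.0/24"),
    "VLAN10": IPNet("192.168.10.0/24"),
    "VLAN20": IPNet("192.168.20.0/24"),
}
ANY = IPNet("0.0.0.0/0")
# Every address the firewall itself holds: the GUI's "This Firewall (self)" macro.
THIS_FIREWALL = frozenset(next(net.hosts()) for net in NETS.values())
DNS_PORTS = frozenset({53})


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    src: IPNet                         # "<iface> net" in the GUI
    dst: object                        # IPNet, frozenset of addresses, or tuple of IPNet (an alias)
    ports: Optional[frozenset] = None  # destination ports, None = any
    note: str = ""


def _dst_match(dst, ip):
    if isinstance(dst, (IPNet, frozenset)):
        return ip in dst
    return any(ip in net for net in dst)  # alias holding several networks


def evaluate(rules, src_ip, dst_ip, dport):
    """Return the action of the first matching rule, or pfSense's default deny."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if (src in rule.src and _dst_match(rule.dst, dst)
                and (rule.ports is None or dport in rule.ports)):
            return rule.action
    return "block"


def rules_for(iface, variant="recommended", admin_iface="LAN"):
    """Build one interface tab's rule list.

    recommended: DNS pass, block to This Firewall, block to the other-networks
                 alias, then pass any (the answer's order)
    misordered:  the same rules with pass any placed first
    liberal:     the single pass-any rule the question describes
    """
    net = NETS[iface]
    others = tuple(n for name, n in NETS.items() if name != iface)  # the alias
    pass_any = Rule("pass", net, ANY, None, "everything else, i.e. the internet")
    if variant == "liberal":
        return [pass_any]
    guarded = []
    if iface != admin_iface:  # the admin's network keeps webGUI access
        guarded += [
            Rule("pass", net, THIS_FIREWALL, DNS_PORTS, "DNS to the firewall's resolver"),
            Rule("block", net, THIS_FIREWALL, None, "nothing else to the firewall itself"),
        ]
    guarded.append(Rule("block", net, others, None, "isolate from the other local networks"))
    return [pass_any] + guarded if variant == "misordered" else guarded + [pass_any]


if __name__ == "__main__":
    flows = [  # constructed sample flows from a VLAN10 client
        ("192.168.10.50", "8.8.8.8", 443),      # internet
        ("192.168.10.50", "192.168.1.50", 445),  # a LAN host
        ("192.168.10.50", "192.168.20.50", 22),  # a VLAN20 host
        ("192.168.10.50", "192.168.10.1", 443),  # webGUI via own gateway
        ("192.168.10.50", "192.168.1.1", 443),   # webGUI via the LAN address
        ("192.168.10.50", "192.168.10.1", 53),   # DNS
    ]
    for variant in ("recommended", "misordered", "liberal"):
        rules = rules_for("VLAN10", variant)
        print(variant)
        for src, dst, port in flows:
            print(f"  {src} -> {dst}:{port:<4} {evaluate(rules, src, dst, port)}")
```

Two things the model makes visible that the GUI does not. First, blocking only "VLAN10 address" is not enough for point 2: the webGUI answers on every firewall address, so a VLAN10 client can reach it at 192.168.1.1 unless the destination is "This Firewall (self)", which is why the linked doc uses that macro. Second, the DNS pass must sit above that block, or the VLAN clients lose name resolution the moment the rule takes effect.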