Block incoming traffic on pfSense

Hello, how can I setup rules to block incoming traffic to an interface on pfSense?

I am talking about interfaces other than the WAN interface. For example I may have a VLAN, say VLAN 10 and I want to block any incoming traffic from other interfaces/VLANS to VLAN 10.

I don’t want to have to go to each interface and create a rule, nor use the floating rules.

Is there a way to create a rule on the VLAN 10 interface to drop incoming traffic?
If not, then what is the best way to do this?

Thank you in advance for your help,
Mike

I think you can do this with a simple deny on the interface/VLAN firewall rules, but with the source set to invert and as the interface/VLAN network.

Firewall rules on interfaces in pfSense always apply to traffic coming into that interface. What you are describing sounds like outgoing traffic, i.e. traffic comes in on another interface (say, VLAN 5, I’ll use this throughout my post) and is destined for VLAN 10. On the interface for VLAN 5, a rule will decide whether to “let the traffic out” of the interface and continue on its route.

Therefore, by default, no traffic coming in on VLAN 5 (or any interface, really) can go to VLAN 10 because the default behavior is to drop traffic that is not explicitly allowed. That means if traffic can currently get from VLAN 5 to VLAN 10, there must be a rule on the VLAN 5 interface allowing that traffic (or a floating or interface group rule). In this case you should check your rules.

You probably have a rule to allow internet access for clients in VLAN 5. Depending on how you have set that up, this might be where your misconfiguration is. If your rule is set up like pass from VLAN5_NET to *, i.e. with a wildcard destination, that includes the VLAN 10 net! What I like to do to get around this problem is to have an alias called “private_networks” which includes the following networks defined by the IETF:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
fd00::/8 

My “allow internet” rule is then defined as pass from VLAN5_NET to !private_networks, i.e. using the inverted alias as the destination. That allows clients to access the internet, but not any other local subnets.
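To make the point above concrete, here is an added Python simulation of pfSense-style interface-tab evaluation (example code, not from the thread and not pfSense’s own code); the subnets, host addresses and rule tuples are assumed. It shows the wildcard rule leaking VLAN 5 into VLAN 10, a block rule on the VLAN 10 tab never being consulted for that packet, and the inverted private_networks alias fixing it.

```python
import ipaddress

# Constructed addressing (assumed for the example; the thread gives no subnets).
ALIASES = {
    "VLAN5_NET": ["10.0.5.0/24"],
    "VLAN10_NET": ["10.0.10.0/24"],
    # The "private_networks" alias from the post: the IETF private ranges
    "private_networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"],
}

def _matches(spec, addr):
    """spec is '*' (any), an alias name, or '!alias' (pfSense 'invert match')."""
    if spec == "*":
        return True
    invert = spec.startswith("!")
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(n) for n in ALIASES[spec.lstrip("!")])
    hit = any(ip.version == n.version and ip in n for n in nets)
    return not hit if invert else hit

def evaluate(rules, ingress_iface, src, dst):
    """Interface-tab evaluation as the post describes it: only rules on the
    interface the packet enters are consulted, first match wins, and anything
    unmatched falls through to the implicit default deny."""
    for iface, action, src_spec, dst_spec in rules:
        if iface != ingress_iface:
            continue  # a rule on the VLAN10 tab never sees a packet entering on VLAN5
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action
    return "block"

# Rule tuples: (interface tab, action, source, destination)
WILDCARD_RULES = [("VLAN5", "pass", "VLAN5_NET", "*")]
BLOCK_ON_VLAN10_RULES = WILDCARD_RULES + [("VLAN10", "block", "VLAN5_NET", "VLAN10_NET")]
INVERTED_ALIAS_RULES = [("VLAN5", "pass", "VLAN5_NET", "!private_networks")]

# Constructed hosts: a VLAN 5 client, a VLAN 10 server, and a TEST-NET-3 internet host
VLAN5_HOST, VLAN10_HOST, INTERNET_HOST = "10.0.5.20", "10.0.10.30", "203.0.113.10"

if __name__ == "__main__":
    for name, rules in [("wildcard", WILDCARD_RULES),
                        ("block on VLAN10", BLOCK_ON_VLAN10_RULES),
                        ("inverted alias", INVERTED_ALIAS_RULES)]:
        to_vlan10 = evaluate(rules, "VLAN5", VLAN5_HOST, VLAN10_HOST)
        to_internet = evaluate(rules, "VLAN5", VLAN5_HOST, INTERNET_HOST)
        print(f"{name:16} VLAN5->VLAN10: {to_vlan10:5}  VLAN5->internet: {to_internet}")
```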

Hi Paolo and thank you for the detailed answer. I wonder if this could be achieved:

VLAN 5: allow allow traffic to pass
VLAN10: Block traffic from select IP devices coming from VLAN5

Thanks.

Thank you Acestes for the answer.

Not entirely sure what you mean by “VLAN 5: allow allow traffic to pass”. What traffic are you referring to (i.e. from where to where)?

As I pointed out, any rules on the VLAN 10 interface will not apply to traffic coming into the firewall on VLAN 5. Interface rules always apply to incoming traffic only on that specific interface. Again, all traffic is blocked by default. So a potential rule that allows traffic from VLAN 5 to VLAN 10 must live on the VLAN 5 interface as that is the interface on which the traffic enters the firewall.

I believe what you are trying to do is to have a rule on VLAN 10 like drop from VLAN5_NET to VLAN10_NET. That will not work because there won’t be any traffic coming into the VLAN 10 interface with a VLAN 5 IP address as the source.

Hi Paolo, thank you again for the reply. You understood my question despite my lack of clarity.
I have used some firewalls where the rules control data “from any interface to any interface”. The pfSense paradigm is a little different. I wish there was a way to manage rules on pfSense like other firewalls.

Thanks again for your help.

Cheers. I guess you can sort of emulate that behaviour by using floating rules only. I don’t think that’s considered a best practice though.

This is actually standard practice for any firewall or routing capable device. Administrators often let themselves get hung up on interface tagging such as WAN and LAN, however those are just tags that are applied for easy reference. At the basic level the firewall looks at the traffic coming into the interface and determines if it should allow, deny, or redirect the traffic. Which is why pfSense gives you a separate firewall tab per interface, because that is really how it works.

If someone knocks at your door and says I want to use your bathroom, do you let them enter your house and then tell them they are not allowed to enter the bathroom, or do you tell them no at the door?

Some firewalls will allow you to write the rule the way you suggested however that really only prevents vlan 10 from replying to vlan 5 requests not preventing vlan 5 from talking to vlan 10. This is a dangerous practice and can leave you vulnerable to redirect exploits etc.

Thank you Paolo. You are right, I will just stick to the way pfSense is. We have about 20 VLANs and growing and will be adding GRE over IPsec so the configuration and the rules are building up. Thanks again for your help.

Hi sdfungi, thank you for the explanation. If that is the gold standard then I will stick to that.

Take care.