Disallowing traffiic from LAN to VLAN on the VLAN rules

I am using pfSense and I basically want to deny LAN traffic to my VLAN (CCTV 80). I can accomplish this by making this rule shown below and that blocks traffic to a camera existing on the VLAN as confirmed by not being able to ping it (and pinging it when the rule is disabled)

However, I think it would be more efficient and remove the clutter if I just set up the necessary block on the CCTV rules page (I will add more rules for exceptions etc.)

So when I disable the following block rule above and put it in the CCTV rules page,

I can still ping devices existing on the VLAN network from the LAN network.

I am thinking that the cause could be from this rule on the LAN side,

where it allows all traffic to any from LAN net. I don’t know if I would just have to make this LAN net to WAN and LAN only but I don’t want to screw anything up just in case.

Any ideas?

Thank you.

No rule that you put in the tab for CCTV will have any effect on what hosts in the LAN network can or cannot do. The way pfSense filtering works is that the rules in the individual tabs are matched against traffic coming into the respective network. Only the rules in the LAN tab will be applied to traffic that comes from a node in the LAN network. Which is a long way of saying that the rule in your second picture is useless.

You are correct in assuming that the highlighted line in the third picture is responsible for allowing traffic from the LAN network to reach hosts inside the CCTV network. In fact, that rule states that traffic from the LAN network destined for any IP address is accepted (that of course includes other local networks).

Unless you really intended that, I would strongly advise to get rid of that rule. The far more likely scenario is that you want to allow internet access for hosts in the LAN network, meaning access to any network that is not a local network. The way I do that and believe is the most common approach, is to create an alias for local networks like so:

Then, instead of the default allow rule, create a rule that allows traffic to all destinations except local networks (by choosing the alias as the destination and ticking the “Invert match” checkbox). Remember that pfSense blocks all traffic by default (= if there is no matching rule that allows it). So you probably want to avoid using deny rules altogether. Generally, whitelisting is preferred over blacklisting.

Thanks for the detailed reply, for now I just want hosts in the LAN network to access other hosts in LAN and the internet. I gather if I make an alias for just the CCTV network, and allow traffic from LAN net to ! CCTV alias, I can just make a rule above that to allow specific hosts from LAN to access the CCTV net?

Yes, but remember that that rule will also allow access to all other local networks, including VPNs. Also, there is no need to create an alias in this case. Firstly, a single network can always be entered directly into the destination field and secondly, for networks that pfSense has an interface in, there is already an option included in the dropdown (something like “CCTV net”).

Hi, I have implemented the following rules and it seems to work (LAN hosts are not allowed to access CCTV unless for the exception I made).

Would this be correct as far as a common approach? Just wanting the best strategy for this.

Thank you.

I would consider this bad practice. There are still 254 addresses with access to the CCTV network.

While it by no means provides 100% security, I would rather whitelist addresses that should be allowed to access the CCTV network on a case by case basis. This is what I mean by preferring whitelisting over blacklisting. I have a similar use case where I want only a specific set of workstations to be able to access a management network, so I created an alias with the respective addresses (aliases in pfSense can be comprised of multiple hosts/networks) and an allow rule with the alias set as the source.

I see, so instead create an alias of a list of LAN hosts which will serve as the allowed source to CCTV net? This rule being above the block LAN net to CCTV net rule?

If you keep your rules as concise as possible, you won’t need a block rule. You will only need two rules: One to allow internet access (i.e. inverted match to all local networks as per the alias I posted earlier) and one to allow access to the CCTV network for the aliased hosts.

One added bonus of working exclusively with allow rules is that, as long as logging and policy-based routing aren’t of concern, their order doesn’t matter.

1 Like

I think I have it fully implemented,