How to block all inter-VLAN communication in pfSense?

It is easy to prevent one VLAN from communicating with another using an alias. However, the number of required aliases grows rapidly as the number of VLANs increases.

For example, 3 VLANs require 3 aliases, each alias containing 2 subnets, and so on.

Is there a way to perform the restriction with only 1 rule? I heard that this is achievable via floating rules?

An easier solution is to build the rule for each VLAN so that it can only get to the Internet, which would negate the need to create a block rule for each VLAN.


I’ve set up an alias with my VLAN subnets, then I have a rule that allows cross-VLAN traffic using the alias. If it’s inverted, it will prevent cross-VLAN traffic.

I prefer this method, as I can easily isolate my cam and Guest VLANs from the rest of the network, while the rest of the network can access the cam and Guest VLANs.

Thanks for the idea, that’s what I’m trying to achieve, but I’m not sure how to perform it efficiently. Maybe you mean blocking all RFC1918? But will it also block in-subnet communication along with services like DHCP, DNS, etc.?

The idea is to prevent all inter-VLAN communication and only allow Internet and in-subnet communication.

My current approach is to deny VLAN xyz, then pass any. It is doable, but just not efficient.

If you use pfBlocker, blocking RFC1918 will severely disrupt pfBlocker operation, as its default loop address is within the RFC1918 range.
Also note that in pfSense no inter-VLAN traffic is allowed by default; you must create rules for any traffic you wish to allow.
If you don’t have a massive number of VLANs (I have seven), it’s easiest to work with keenly chosen aliases.
In your use case you could create an alias listing all of your VLANs (all subnets associated to all of your VLANs) and allow any except this alias. Then copy/paste this rule to all of your VLANs.
You could also use floating rules but I wouldn’t do that because they’re easily forgotten and hinder straightforward rule programming per VLAN.

Just an afterthought: if you are sporting tens or hundreds of VLANs you may want to use the floating rule option. Still I recommend to build a custom alias that comprises all of your VLANs (and not use RFC1918 as it’s too wide and can yield unexpected results if you should build custom rules for individual VLANs).

Just to concretize what has been said already: an alias for all “private” networks (as per RFC1918, and also for IPv6) would look like this:

In classless networking, all addresses that don’t have the same address prefix as a device are considered not part of the network of that device. pfSense, by default, blocks access to all of those other networks, which includes other “private” networks and the “internet” (which is simply designated by having a range outside of the RFC1918 private networks).

Using that alias, you can allow access to the internet by selecting that alias as destination and checking the “invert” option. No need for an alias per local network. Access to local networks is blocked by default and can be allowed on a case-by-case basis.


You’re overthinking it. Remember that rules start at the top and go in order, and pfSense passes the packets through the first rule that matches.

Create ONE alias that contains the sum of your private address space.

On each interface, create a PASS rule to allow traffic to itself (net). Then, under it, create a REJECT rule with your alias as the destination.

The order of the rules matters.

You can reuse the same alias for all subnets and just change the PASS rule for clean and easy admin.
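To make the first-match behaviour behind this post (and the inverted-alias variant described earlier in the thread) concrete, here is an added example that is not from the thread or from pfSense itself. It models per-interface rule evaluation the way pfSense applies it: top to bottom, first match wins, implicit deny when nothing matches. The VLAN subnets are hypothetical, the model looks at the destination address only (no ports, no source matching), and it ignores rules pfSense generates automatically (for example for DHCP or anti-lockout), so it reflects only the rules an administrator types in.

```python
"""Model pfSense per-interface rule evaluation: top-down, first match wins,
implicit deny when nothing matches. Added example, not pfSense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed alias of all "private" space (RFC1918 plus IPv6 ULA fc00::/7),
# built once and reused as destination on every interface.
PRIVATE_ALIAS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Hypothetical VLAN subnets; assume the firewall holds .1 in each of them.
VLANS = {
    "LAN":   ip_network("192.168.10.0/24"),
    "CAM":   ip_network("192.168.20.0/24"),
    "GUEST": ip_network("192.168.30.0/24"),
}


@dataclass
class Rule:
    action: str            # "pass" or "reject" (pfSense also offers "block")
    dst: list              # destination networks; an empty list means "any"
    invert: bool = False   # pfSense "Destination -> Invert match" checkbox
    label: str = ""

    def matches(self, ip):
        if not self.dst:
            return True
        hit = any(ip in net for net in self.dst)   # False across v4/v6
        return not hit if self.invert else hit


def evaluate(rules, dst):
    """Return (action, label) of the first rule matching dst.
    pfSense denies anything no rule matched, so that is the fallback."""
    ip = ip_address(dst)
    for rule in rules:
        if rule.matches(ip):
            return rule.action, rule.label
    return "block", "default deny"


def isolated_vlan_rules(iface):
    """The three-rule set from the post, for one interface:
    pass to its own net, reject to the private alias, then pass any."""
    return [
        Rule("pass", [VLANS[iface]], label=f"pass to {iface} net"),
        Rule("reject", PRIVATE_ALIAS, label="reject to private alias"),
        Rule("pass", [], label="pass to any (Internet)"),
    ]


def misordered_rules(iface):
    """Same three rules with the reject moved to the top: order matters."""
    rules = isolated_vlan_rules(iface)
    return [rules[1], rules[0], rules[2]]


def inverted_single_rule():
    """The one-rule variant from earlier in the thread:
    pass to NOT(alias of all VLAN subnets)."""
    return [Rule("pass", list(VLANS.values()), invert=True,
                 label="pass to !VLANs")]


def decisions(rules, destinations):
    """Evaluate several destinations; returns {dst: (action, label)}."""
    return {d: evaluate(rules, d) for d in destinations}


if __name__ == "__main__":
    # Constructed probe destinations: own gateway, another VLAN, unrelated
    # private space, a public v4 resolver and a public v6 resolver.
    probes = ["192.168.10.1", "192.168.20.5", "10.9.9.9",
              "1.1.1.1", "2606:4700:4700::1111"]
    for name, rules in [("isolated LAN", isolated_vlan_rules("LAN")),
                        ("misordered LAN", misordered_rules("LAN")),
                        ("inverted single rule", inverted_single_rule())]:
        print(name)
        for dst, (action, label) in decisions(rules, probes).items():
            print(f"  {dst:>22} -> {action:6} ({label})")
```

Running it shows the two points the thread keeps returning to. With the PASS-to-own-net rule on top, a client can still reach its own gateway address while every other private destination is rejected and the Internet passes; put the REJECT first and the gateway is rejected too, which is where "in-subnet services" would break. The single inverted rule blocks the gateway address as well, because that address sits inside the alias it negates, so it needs a pass rule above it for whatever the firewall itself should serve. It also lets non-VLAN private space (10.9.9.9 here) through, which is the difference between an alias of your own subnets and a full RFC1918 alias that the later post mentions.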

Also… does pfSense support client isolation? I didn’t know it would filter packets with a source and destination within the same subnet…

Connections within a subnet don’t go through pfSense; the switch would have to handle client isolation.


OP, by default there is no INTER-VLAN communication if the VLANs’ gateway is pfSense. You need to add rules to permit communication, or I don’t understand your question and why you are using aliases.
If you are using a “router-on-a-stick” approach with pfSense, it is the same thing, and you need to add rules to let traffic from one VLAN reach the other, and vice versa, even if they use only 1 wire.

INTRA-VLAN, on the other hand, is another thing, and pfSense is not engineered for that: you need proprietary hardware that links both router and switch, where the switch is a kind of extension of the router/firewall itself and you can allow or block intra-VLAN traffic at the firewall level. In the case of pfSense, you need to rely on your managed switch to block layer-2 traffic within the same VLAN.