pfSense Inter-VLAN traffic rules

Current homelab configuration:

1/ pfSense 23.09 on SG-1100

2/ VLANS in use and corresponding subnets:

VLAN 30 with subnet 10.10.30.0/24

VLAN 40 with subnet 10.10.40.0/24

VLAN 50 with subnet 10.10.50.0/24

3/ Configured firewall rules to block inter-vlan traffic to private networks using alias:

192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8

This seems to block inter-vlan traffic as expected. My question is does it matter that the firewall blocks traffic to “Class A” networks using /8 CIDR but the hosts on that subnet are /24? I’m not very experienced with networking and my terminology may not be exactly correct so I hope you can understand the question.

It doesn’t matter at all. The classes are sort of an archaic model that’s been replaced by the CIDR syntax, so just as you’re experiencing, 10.0.0.0/8 is just fine for blocking any subnet inside that larger space. You’re on the right track!

Thank you. I’ve gotten this far largely from watching Tom’s YouTube videos. My homelab is far more secure than it used to be 😀

pfSense default rule is to block all traffic unless you open it up.

I always create a block rule to RFC1918 networks on each network - makes it easy for other people to read the firewall rules.

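Worked example, added here and not code from the thread or from pfSense itself, that turns the two points above into something you can run: the CIDR containment that lets a 10.0.0.0/8 alias entry cover a 10.10.40.0/24 subnet, and a toy model of how pfSense evaluates interface rules (top to bottom, first match wins, implicit default deny). The model makes the check worth doing after adding the RFC1918 block rule on each VLAN interface: the block has to sit above the allow-any rule, and whatever the VLAN needs from the firewall's own interface address (DNS, DHCP, the gateway itself) has to be allowed above the block, or the block swallows it. The gateway address 10.10.30.1, the DNS rule and all rule names are assumptions for illustration, not the poster's actual ruleset.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# The "private networks" alias from the thread: the three RFC 1918 blocks.
RFC1918: List[Net] = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def covering_network(ip: str, nets: List[Net] = RFC1918) -> Optional[Net]:
    """Return the alias entry that contains ip, or None if ip is not RFC 1918."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def subnet_is_covered(subnet: str, nets: List[Net] = RFC1918) -> bool:
    """True if the whole subnet (e.g. a /24) lies inside one alias entry (e.g. the /8)."""
    sub = ipaddress.ip_network(subnet)
    return any(sub.subnet_of(net) for net in nets)


@dataclass
class Rule:
    name: str
    action: str                                    # "pass" or "block"
    dst: List[Net] = field(default_factory=list)   # empty list means destination "any"
    proto: Optional[str] = None                    # None means any protocol
    dport: Optional[int] = None                    # None means any destination port

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        addr = ipaddress.ip_address(dst_ip)
        if self.dst and not any(addr in n for n in self.dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], dst_ip: str, proto: str = "tcp", dport: int = 443) -> Tuple[str, str]:
    """pfSense-style evaluation of one interface's rules: top to bottom, first match
    wins; a packet matching nothing hits the implicit default deny."""
    for rule in rules:
        if rule.matches(dst_ip, proto, dport):
            return rule.action, rule.name
    return "block", "default deny"


# Constructed ruleset for the VLAN 30 interface (10.10.30.0/24); gateway 10.10.30.1 is assumed.
VLAN30_GW = ipaddress.ip_network("10.10.30.1/32")

VLAN30_RULES = [
    Rule("Allow DNS to VLAN30 gateway", "pass", [VLAN30_GW], "udp", 53),  # must be above the block
    Rule("Block RFC1918", "block", RFC1918),                              # the thread's alias rule
    Rule("Allow any (internet)", "pass"),                                 # everything else out
]

# The same three rules with the allow-any first: the block rule can never match.
VLAN30_RULES_MISORDERED = [VLAN30_RULES[2], VLAN30_RULES[1], VLAN30_RULES[0]]


if __name__ == "__main__":
    print("10.10.40.0/24 inside alias:", subnet_is_covered("10.10.40.0/24"))
    for dst, proto, port in (("10.10.40.10", "tcp", 443), ("8.8.8.8", "tcp", 443), ("10.10.30.1", "udp", 53)):
        print(f"{dst:>12} {proto}/{port}: alias entry={covering_network(dst)} "
              f"ordered={evaluate(VLAN30_RULES, dst, proto, port)} "
              f"misordered={evaluate(VLAN30_RULES_MISORDERED, dst, proto, port)}")
```

Run it and the misordered column shows inter-VLAN traffic to 10.10.40.10 passing, which is what you see on a real box when the RFC1918 block ends up below a pass-any rule; the ordered column blocks it while still letting the VLAN reach its gateway for DNS.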