PFSense Netgate 7100 Interface <> VLAN Problems

Hello guys!

I’m a complete Networking newbie and have been running a PFSense Netgate 7100 Firewall with standard configs for about a year now.

But just recently I wanted to double up on my Networking stuff and bought a 10G L3 Switch from FS and 3x Zyxel XGS1210-12 8x 1G Port + 3x 10G Port Access Switches.

So I went ahead and started to try to configure this all for Multiple VLANS and stuff.
At first glance it seemed to work pretty fine (although I had to reset the Switches now and then because I locked out my Workstation).

I created the Interfaces in PFSense, created the VLANS on the L3 Switch and did the same on the Access Switches.
Then I set up the Trunk Ports on the L3 Switch…not doing any special routing there for now.

I even managed to get the Port Based VLANs going and so on but the sh*** hit the fan as soon as I tried to move the Firewall Rules from “Allow everything” to “I am Safe”.

When I create the Allow Rules for each Interface those Rules stop working as soon as I give the rule a specific Destination Interface like “WAN net” instead of “any”.

The Source doesn’t seem to have that effect.

I’ve made tons of Screenshots from everything but I’m just able to upload one for now…guess if more is needed I would dump all of them into a zip Folder somewhere.

In the Screenshot below I created the VLAN10 net > VLAN10 net Browsing Rule because I saw that the traffic from a Ping got blocked when asking the Gateway of this Interface 10.95.1.1 for the DNS on Port 53.

But not even the Quick Rule helped…when I swapped the Destination IP of the Quick Rule to the WAN_1 net it got blocked again.

So I created the “Allow All” Rule at the bottom again for now.

Thanks in Advance for any help!

Oh maybe I should have also written about some weird behaviour at least in my Opinion.

1.) When I ran an IPerf3 Test between my Workstation 2 hops away I got about 1Gb when running the Server on the Firewall and about 1.7G when running the Server on the Workstation PC…all Links are 10GBit btw.

2.) With the Rules above but WITHOUT the Destination “any” Rule I was able to get to the PFSense Login Form on each and every Interface Gateway address like 10.95.0.1, 10.95.1.1, 10.95.2.1 on Port 10443…and that from the source 10.95.1.56 …which doesn’t make sense to me because it should just let me connect to 10.95.1.1 right?

3.) Also some general performance Issues and long hang ups when browsing with the allow any rule but I bet that has to do with those problems.

I think I really messed something up with those Interface assignments…maybe because I assigned the same Physical Interface to the DMZ_1 on which the VLANS come in on the VLAN IF’s?

Are you trying to do policy routing? What is your goal in allowing VLAN10 to destination WAN_1 net?

Typically if you are trying to allow traffic out your WAN then it is set up on the gateway side. If you are trying to block inter-VLAN traffic you can create an alias named RFC1918 with all 3 classes of networks in there.

Networks
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

Then at the bottom you would have an inverted rule for allow all. Make sure to add a DNS rule like in the example below.

Well I thought VLANS are more or less like Subnets behind a NAT Router/ Firewall right?
So the Packets from my devices get the VLAN Tags assigned as soon as those Packets enter the Access Switch.

Those Devices get their IP from the DHCP Server that hands out those IPs according to the VLAN Tag on the Packet…meaning on Interface VLAN1 the “Gateway” is 10.95.1.1.

And my thought was that with those Firewall Rules I could configure this “Virtual Gateway” to a different Part of the Network like a separated Firewall for this Subnet.
My Understanding or thinking is/ was that I could define those Rules and do something like yes you can go straight to the Internet on this Port.

Do I have to get it routed differently then?
As I said I’m a complete networking newbie…first time that I even touched Firewall Rules without step by step tutorial.

So what do you mean with policy routing?
And my goal in allowing VLAN10 to destination WAN_1 net is to let devices that are part of VLAN10 connect to the Internet.

My Idea was to give more or less every VLAN a connection to the Internet, depending on which devices I put in there because I also got a PLC running and this one shouldn’t be able to have access to the Internet but it should be able to be accessed from some devices in let’s say different VLANs.

My goal is to set up Rules for all those Scenarios

Oh and I don’t want to just set up an allow all rule…this would already work.
But I would like to deny all and just open up the needed ports.

And because of your DNS Rule…this does allow traffic from devices within the VLAN to the Gateway (like 10.95.1.1) for those configured DNS Ports right?
But what is the difference to putting in “this Firewall” as Destination?

The Allow Rule also makes sense to me because you are allowing all Traffic from Guest VLAN Devices to “any” except to those addresses you specified within the Alias.

But as I said I’m not planning to allow all but just allow specific connections…at least that’s the plan

I just tried it like this and I can’t even ping 1.1.1.1 from a device within VLAN10…when I put in the allow all rule again it works again.

I would set up rules like this if you want to control your traffic that goes out what ports you specify.


I wouldn’t put DMZ and VLANs on the same interface; best practice is to put DMZ on its own interface and VLANs on a non-parent interface. You can ignore the DNS and NTP redirects rule.

I think you might need to determine where you want your layer 3 routing to take place. If you want your switch to be doing the routing then you’ll create the routes based on what IP you want routed out the internet or not. If it’s on the firewall then you can create block rules to stop certain IPs from going out the internet.

In pfsense the rules are processed from the top down and if no allow rules are specified then everything is blocked. Your destination on your rules won’t work when you say that you want to allow VLAN10 to WAN1 because your gateway is what matters when you are wanting to route out.

You would be routing out the internet with the rule I posted.

When I say allow all I’m not exactly saying that. I mean as the last rule it will allow all traffic on VLAN10 interface to route out the internet and not to any private IP addresses.

Then create a block rule that has the source as the IP of your IP, the destination with any, the source and destination ports are any and place it above the very bottom rules that allows traffic out the internet.

By the end of the day your base rules should be the 2 rules I posted earlier.
The last rule is saying allow everything except private networks to be accessed.

The most glaring problem with the rules in your original screenshot I can spot right away is setting WAN_1 net as the destination for rules that are supposed to grant internet access.

Think about what X net and X address actually means for any given interface X in pfSense. For example, assume the interface LAN is assigned the address 192.168.0.1 with the prefix /24. Then LAN address will be the same as 192.168.0.1/32 and LAN net will be the same as 192.168.0.0/24.

If you look at the subnet mask of your WAN_1 interface (Status → Interfaces), you’ll see that it doesn’t cover the entire internet, i.e. it’s not 0.0.0.0 (which would be /0 in terms of prefix length). So with WAN_1 net you are only covering a very small part of the internet, specifically the routers of other customers of your ISP. Naturally, addresses like 1.1.1.1 are not part of that network and your rule thus doesn’t allow access to them.

If you want a rule that allows access to the general internet, you will have to select something much broader for the destination. A bad practice which unfortunately many people apparently still do is to use any for the destination, which of course also allows access to all local networks, which is usually not intended. People would then precede this rule with rules blocking access to the individual local networks. But this has the drawback that if you ever added a new local network, you would have to make sure to update all interfaces’ rules to reflect that change, which is a lot of effort and has security implications if you forget to do it.

A much better approach is, as already suggested in this thread, to explicitly allow access to all destinations that are not part of any local network. For that, you create an alias containing all the addresses that could possibly be used in local networks. For IPv4, that corresponds to

Then you use this alias as the destination, but invert the match.

I personally never use reject rules in my configurations. pfSense by default rejects anything that you don’t specifically allow with a rule anyways, so this is in my opinion the best philosophy.
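To make the “X net vs. the whole internet” point and the inverted RFC1918 alias from the earlier reply concrete, here is a small first-match rule evaluator. This is an added example written for this thread, not pfSense code and not from any poster here; the interface addresses (a /27 WAN as a stand-in for whatever the ISP hands out, and the 10.95.x.0/24 VLANs from the question) are constructed, and first-match with a trailing default deny mirrors how pfSense’s GUI rules behave.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed interface table. The WAN prefix is a documentation range standing
# in for a real ISP assignment; the VLAN subnets are the ones from the question.
INTERFACES = {
    "WAN_1":  ipaddress.ip_interface("203.0.113.17/27"),
    "VLAN10": ipaddress.ip_interface("10.95.1.1/24"),
    "VLAN20": ipaddress.ip_interface("10.95.2.1/24"),
}


def iface_net(name):
    """'X net' in pfSense: the subnet the interface sits in (e.g. 203.0.113.0/27)."""
    return INTERFACES[name].network


def iface_address(name):
    """'X address' in pfSense: the interface's own IP as a /32."""
    return ipaddress.ip_network(f"{INTERFACES[name].ip}/32")


# The RFC1918 alias suggested in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dst_invert: bool = False    # the GUI's "invert match" checkbox on the destination
    proto: str = "any"
    dport: Optional[int] = None


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def matches(rule, src, dst, proto, dport):
    if not _in_any(src, rule.src):
        return False
    # With invert set, the destination matches only when it is NOT in the alias.
    if _in_any(dst, rule.dst) == rule.dst_invert:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First matching rule wins (pfSense GUI rules are 'quick'); no match means default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "block"


# The rule from the original screenshot: VLAN10 net -> WAN_1 net.
BROKEN_RULES = [
    Rule("pass", [iface_net("VLAN10")], [iface_net("WAN_1")]),
]

# The approach suggested in the thread: DNS to the interface address,
# then everything whose destination is NOT an RFC1918 address.
FIXED_RULES = [
    Rule("pass", [iface_net("VLAN10")], [iface_address("VLAN10")], proto="udp", dport=53),
    Rule("pass", [iface_net("VLAN10")], RFC1918, dst_invert=True),
]


def wan_net_coverage():
    """Fraction of the IPv4 space that 'WAN_1 net' actually covers."""
    return iface_net("WAN_1").num_addresses / 2 ** 32


if __name__ == "__main__":
    client = "10.95.1.56"
    print("WAN_1 net covers", f"{wan_net_coverage():.10%}", "of IPv4")
    print("broken, 1.1.1.1       ->", evaluate(BROKEN_RULES, client, "1.1.1.1"))
    print("broken, 203.0.113.20  ->", evaluate(BROKEN_RULES, client, "203.0.113.20"))
    print("fixed,  1.1.1.1       ->", evaluate(FIXED_RULES, client, "1.1.1.1"))
    print("fixed,  10.95.2.5     ->", evaluate(FIXED_RULES, client, "10.95.2.5"))
    print("fixed,  10.95.1.1:53  ->", evaluate(FIXED_RULES, client, "10.95.1.1", "udp", 53))
    print("fixed,  10.95.1.1:10443 ->", evaluate(FIXED_RULES, client, "10.95.1.1", "tcp", 10443))
```

Running it shows the two halves of the explanation: with WAN_1 net as destination, 1.1.1.1 is blocked while an address inside the ISP’s own /27 (another customer’s router) is passed, and with the inverted RFC1918 alias the public internet is reachable while the other VLANs and the firewall’s own GUI port stay blocked unless a rule above explicitly opens them.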

First of all, thank you guys a lot for all those quick and constructive responses!
I really appreciate guys like you helping on the Internet!

Meanwhile I managed to get it all working with the basics.
I also forgot to setup the Default Gateway and the DNS on each individual DHCP Server Interface form.

But now I also get the hang of those Rules and I’m already working hard on them see this Screenshot :smiley:

@Youngs-IT I hope I understood your Input with the DMZ correctly.
Now I’ve setup the Interface on the Parent Interface as LAN on the default VLAN 1 and I swapped it more or less into a Quarantine Zone because the VLAN tags on my Access switches are configured as VLAN 1 for default.

There’s probably a lot more up to that Security Issue with Port based VLAN’s but I guess that’s a topic for another day.

Also @xMAXIMUSx because of the Routing on the L3 Switch…that was my original Idea to get Inter VLAN routing going on the L3 Switch to get the Full 10Gb speed out of it but this is also a whole other learning curve. But that’s probably the next step as soon as I got my Firewall going.

And @paolo thanks a lot again for your constructive Input! Your answer really helped me understand the Problem I was facing!

Sorry to revive this issue again but I’ve got one more question.

I just realized this because on the VLAN of my main Workstation PC I’ve Rules in place for that but:

I’ve got a VLAN30 Subnet with some Raspberry Pi’s in it.
When I SSH into those Pi’s I can’t Ping the Firewall/ Gateway on the same Subnet.
But I can ping other clients on the same Subnet without getting blocked by the Firewall…why is that?

So my VLAN30 got the Subnet 10.95.3.0/24.

The Gateway specified within the Interface settings is 10.95.3.1 .
The Raspberries got the IPs 10.95.3.201 and 10.95.3.202 and they got those addresses by DHCP.

I also put them in a static mapping and gave them a static ARP entry dunno if this changes Behaviour.

And from the Raspi 10.95.3.201 I can’t ping 10.95.3.1 but I can ping 10.95.3.202.

Thanks again in advance guys! :slight_smile:

That is because routers are not involved in the transmission of packets within subnets. When a node wants to send an IP packet, it first checks whether the destination is in the same network as itself. If this is the case, it looks up the recipient’s MAC address using NDP or ARP, encapsulates the packet in an Ethernet frame and sends that frame through the local network. It might traverse a number of switches, but it won’t pass the router/firewall.
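The sending host’s decision described above, written out as an added example for the addresses in the question (this is illustration code for the thread, not anything from pfSense or from the posters). It assumes the Pi is 10.95.3.201/24 with gateway 10.95.3.1, and it adds one distinction the reply leaves implicit: a same-subnet packet addressed to the firewall’s own interface IP is still delivered to the firewall, so that interface’s rules apply to it, whereas a packet to another host in the subnet never reaches the firewall at all.

```python
import ipaddress

# Constructed to match the question: the Pi, its gateway, and the firewall's interface IPs.
HOST = ipaddress.ip_interface("10.95.3.201/24")
GATEWAY = ipaddress.ip_address("10.95.3.1")
FIREWALL_ADDRESSES = {ipaddress.ip_address(a) for a in ("10.95.0.1", "10.95.1.1", "10.95.3.1")}


def forwarding_decision(dst, host=HOST, gateway=GATEWAY, firewall_addresses=FIREWALL_ADDRESSES):
    """Return (path, arp_target) for a packet from `host` to `dst`.

    path is one of:
      'direct-to-peer': destination is on-link, the frame goes through the switches only;
                        the firewall never sees it, so no firewall rule can block it.
      'to-firewall':    destination is on-link but it IS the firewall's interface address;
                        the packet is delivered to the firewall and its rules are evaluated.
      'via-gateway':    destination is off-link; the frame is addressed to the gateway's MAC
                        and the packet is routed and filtered by the firewall.
    arp_target is the IP whose MAC the sender resolves (ARP for IPv4) before sending.
    """
    dst = ipaddress.ip_address(dst)
    if dst in host.network:
        if dst in firewall_addresses:
            return "to-firewall", dst
        return "direct-to-peer", dst
    return "via-gateway", gateway


def gateway_is_usable(host=HOST, gateway=GATEWAY):
    """A default gateway can only be ARPed for if it lies inside the host's own subnet."""
    return gateway in host.network


if __name__ == "__main__":
    for target in ("10.95.3.202", "10.95.3.1", "10.95.1.1", "1.1.1.1"):
        path, arp_for = forwarding_decision(target)
        print(f"{target:>13} -> {path:15} (resolve MAC of {arp_for})")
    print("gateway usable:", gateway_is_usable())
```

The ping to 10.95.3.202 comes out as direct-to-peer, which is why no interface rule affects it, while 10.95.3.1 is to-firewall and the ping is subject to the VLAN30 rules like any other packet the firewall receives on that interface. The last check is the one that bites when the DHCP server hands out no gateway or one outside the subnet: off-link traffic then has nothing to ARP for.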

Alright gotcha!

Thanks for the explanation!
I also just found out that when I don’t specify the DNS Servers for Cloudflare on each Interface Tab my DNS broke…but thanks to your explanation I now know that this is also because the Clients want to ask the Gateway then.

Just installed PFBlockerNG btw…PFSense is really an amazing Firewall.
I’ve just got one or two Problems with the connection speed through the 10G Interface, but I can’t really do much testing for now because I’ve just got 1 10Gbit Client for now.

But I’ve connected my 10G L3 Switch with Fiber to a 10G Port on the Firewall and sometimes the Speed drops down to under 500MB…but I will start another Post for that.