I work from the other direction: block everything, then allow by the rules I have in place. I’ve put my VLAN subnets into an alias and these are either allowed or blocked. The traffic flows on my network as I expect.
What happens if you block that VLAN? Does it still get through? I suspect you have a config error.
Hello @LTS_Tom and @neogrid
Thanks for your reply. My past firewalls (ZyXEL USG and Sophos XG) have the rule “block any” by default.
My pfSense is an internal device that separates the LAN from my DMZ zone and has no NAT to the internet access firewall that is connected to my ISP (routing only on both sides; working well).
@LTS_Tom and @neogrid
Is there any video or documentation on how to put VLANs in the alias group, and what is needed and what has to be changed in pfSense? Blocking traffic by default is my preferred solution for pfSense as well.
Actually, when I first started with pfSense I didn’t fully understand some of the rules, so I started from scratch and tuned each rule so that collectively the suite of rules for the interface did what I wanted.
Now I have about 8 core rules I use on most interfaces.
I assume the screenshot shows the rules for the ‘VLAN25’ interface. Rules always apply to traffic entering the firewall at the respective interface. So the first rule is pointless because there won’t be any traffic whose source is the ‘LAN’ network from the ‘VLAN25’ interface. If you want to block hosts in the ‘LAN’ network from accessing hosts in the ‘VLAN25’ network, you need to add a rule to the ‘LAN’ interface.
Also, I strongly discourage the use of the wildcard destination in ‘Allow’ rules. Are you aware that hosts from the ‘VLAN25’ network can access all ports on the firewall itself, for example? They can also access all other networks connected to the firewall except the ‘LAN’ network (since you explicitly blocked that). This includes VPNs, if there are any.
That is probably not what you want. Likely you want to allow access to the internet only, as well as select local networks. It is far more secure to specifically allow the destinations you actually want hosts to be able to connect to rather than to block individual destinations and allow all others. I already explained how to do this here:
I personally build my rules without ever using a single block rule.
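To make the earlier point about interface-scoped, first-match rules concrete, here is an added example (not from this thread and not pfSense's own code) that models a simplified rule evaluator in Python. The networks, addresses and both rule sets are constructed, and the "unreachable rule" check assumes no other networks are routed behind an interface.

```python
import ipaddress

# Constructed lab addressing (not from the thread): one network per pfSense interface.
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN25": ipaddress.ip_network("192.168.25.0/24"),
    "DMZ": ipaddress.ip_network("192.168.50.0/24"),
    "VPN": ipaddress.ip_network("10.8.0.0/24"),
}
FW_VLAN25 = "192.168.25.1"  # the firewall's own address on VLAN25 (constructed)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def matches(addr, scope):
    """Does addr fall inside a rule's source/destination scope?"""
    if scope == "any":
        return True
    if scope == "!RFC1918":  # 'not private', i.e. internet-bound traffic only
        return not any(addr in n for n in RFC1918)
    return addr in NETS[scope]

def evaluate(rules, iface, src, dst):
    """First-match evaluation of the rules for the interface the packet ENTERS on.
    Rules are (action, interface, source, destination); no match means block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_iface, rule_src, rule_dst in rules:
        if rule_iface == iface and matches(src, rule_src) and matches(dst, rule_dst):
            return action
    return "block"

def unreachable_rules(rules):
    """Indexes of rules whose named source network is not the interface's own network:
    such traffic never enters on that interface (assumes no extra networks routed behind it)."""
    return [i for i, (_, iface, src, _) in enumerate(rules) if src in NETS and src != iface]

# Approximation of the VLAN25 rule set criticised above (constructed).
ORIGINAL = [
    ("block", "VLAN25", "LAN", "any"),    # pointless: LAN hosts never enter via VLAN25
    ("block", "VLAN25", "VLAN25", "LAN"),
    ("pass", "VLAN25", "VLAN25", "any"),  # wildcard destination: reaches firewall, VPN, DMZ
]
# Allow-list style: internet plus the one local network VLAN25 hosts actually need.
ALLOWLIST = [
    ("pass", "VLAN25", "VLAN25", "!RFC1918"),
    ("pass", "VLAN25", "VLAN25", "DMZ"),
]

if __name__ == "__main__":
    host = "192.168.25.10"
    for name, rules in (("original", ORIGINAL), ("allow-list", ALLOWLIST)):
        print(name, "firewall itself:", evaluate(rules, "VLAN25", host, FW_VLAN25),
              "VPN:", evaluate(rules, "VLAN25", host, "10.8.0.5"),
              "internet:", evaluate(rules, "VLAN25", host, "203.0.113.7"))
    print("unreachable rule indexes in original:", unreachable_rules(ORIGINAL))
```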