pfSense - vLAN devices see each other - no separation of vLANs

Hello,
I can’t see the wood for the trees right now and need your help. :thinking:

With pfSense, for the first time I have experienced the phenomenon that you can access devices in other vLANs without any rule in the pfSense.

My Challenge
My configured vLANs (all on the same physical interface) are working like an allow-any rule. A device in vLAN 1 can see and reach a device in vLAN 2 without any rule in the config. :flushed:

All vLANs are in the internal network zone, not on the WAN side.
What am I doing wrong, or where am I overcomplicating things in setting a default “deny all” rule for all vLANs?

PfSense
Version: 2.6.0-RELEASE
OS: FreeBSD 12.3-STABLE

Thanks in advance
Andy

Have you set up any rules at all? If so, please post some screenshots. For example, there surely is at least one rule to allow access to the web interface.

Which address ranges do the affected interfaces use (address + prefix)?

Can you verify that the problem is with pfSense and not with an improperly configured switch?

If you traceroute from a host in VLAN 1 to a host in VLAN 2, do packets go through the router or directly?

Did you actually use a VLAN number of 1 or is that just to number them in your post?

Hello Paolo,
there are several firewall rules configured from vlan1 to vlan2 and to WAN.
Address ranges are RFC1918 subnets, e.g. 192.168.2.0/24, 192.168.20.0/24 …

e.g. vlan1 to vlan2
Source = dedicated-ip of source
Destination = dedicated-ip of destination
Port = HTTPS

Now the irritating thing for me:
the source address is also able to connect to other IPs in the neighbouring vLAN without any rule configured for this.

traceroute
When I execute a traceroute, the pfsense (DNS) is resolved first and then the host, which should NOT be reachable from this device.

It looks to me like the vLANs are running cleanly, but the firewall is not active, allowing all traffic between the vLANs.

vLAN Configuration
Interfaces / vLANs
5 vLANs all configured on igb1
Interface Groups = no groups configured
no GRE / BRIDGES configured

Any idea what can be checked to enable the firewall per vLAN? :face_with_thermometer:

Regards
Andy

I have a video covering how the basic rules work in pfsense, and unless you have allow rules in the different networks in pfsense they cannot talk to each other through pfsense.

I work from the other direction, block everything then allow by the rules I have in place. I’ve put my vlan subnets into an alias and these are either allowed or blocked. The traffic flows on my network as I expect.

What happens if you block that vlan, does it still get through? I suspect you have a config error.

Hello @LTS_Tom and @neogrid
Thanks for your reply. My past firewalls (ZyXEL USG and SophosXG) have the rule “block any” by default.

My pfSense is an internal device that separates my LAN from my DMZ zone and has no NAT to the Internet access firewall that is connected to my ISP (routing only on both sides - working well).

@LTS_Tom and @neogrid
is there any video / documentation on how to put vLANs in the alias group and what needs to be changed in pfSense? Blocking traffic by default is my preferred solution for pfSense as well. :grinning:

Thanks in advance
Andy

You might want to start here: Firewall — Rule Methodology | pfSense Documentation

Just enter your subnets for the vlans you are using into an alias, then use the alias in your rules.

@neogrid
Thanks for your quick response. I will try this with my first vLAN. It was a bit confusing for me, because all my vLANs had a description and assignment through Interfaces / Interface Assignments.

Will keep you posted on whether the default any/any block rule is working.

Regards
Andy

Actually when I first started with pfsense I didn’t fully understand some of the rules, so I started from scratch and tuned each rule so that collectively the suite of rules for the interface did what I wanted.

Now I have about 8 core rules I use on most interfaces.

8 rules … nice :grinning: My previous Unified Security Gateway had around 180 rules for different vLANs (based on their functionality and requirements for WAN access). :pensive:

Now I will move my 1st vLAN to the alias group. After starting to move the first vLAN into the alias, I notice that access is restricted accordingly.

@LTS_Tom and @neogrid

I tested the alias and Tom’s video once yesterday.
If I set up Tom’s scenario, then I have to

  1. block all not-needed vLANs at the beginning
  2. create rules in the unblocked vLANs
  3. when point 2 is done, also block these vLANs with a blocking rule
  4. now you can start with the rules to the WAN interface
  5. also add an any/any block rule at the end, so that the permissions are correct

This is unusual, because the known manufacturers do not implement it this way. :thinking:

Regards
Andy

I watched Tom’s video a few times but I guess I’m doing something wrong.

Primary network 10.0.0.0/24, VLAN25 10.0.25.0/24; a connected laptop got IP 10.0.25.10 (correct).

Rules: block from LAN → VLAN25, block from VLAN25 → LAN, allow from VLAN25 → Internet

From the laptop in vlan25, it cannot ping any host in 10.0.0.0/24 (correct); it can access the net (ping google.com works). But from a host in 10.0.0.0/24, I can SSH to the laptop (should not happen).

What rule table are you showing?

I assume the screenshot shows the rules for the ‘VLAN25’ interface. Rules always apply to traffic entering the firewall at the respective interface. So the first rule is pointless because there won’t be any traffic whose source is the ‘LAN’ network from the ‘VLAN25’ interface. If you want to block hosts in the ‘LAN’ network from accessing hosts in the ‘VLAN25’ network, you need to add a rule to the ‘LAN’ interface.

Also, I strongly discourage the use of the wildcard destination in ‘Allow’ rules. Are you aware that hosts from the ‘VLAN25’ network can access all ports on the firewall itself, for example? They can also access all other networks connected to the firewall except the ‘LAN’ network (since you explicitly blocked that). This includes VPNs, if there are any.

That is probably not what you want. Likely you want to allow access to the internet only, as well as select local networks. It is far more secure to specifically allow the destinations you actually want hosts to be able to connect to rather than to block individual destinations and allow all others. I already explained how to do this here:
https://staging-forum.lawrencesystems.com/t/how-to-block-all-inter-vlan-communication-in-pfsense/11064/6?u=paolo

I personally build my rules without ever using a single block rule.

In Firewall > Aliases I created a private group as shown in your post.

I set up this rule in VLAN25

I still can ssh from LAN to a host in VLAN25.

You need to change the rules on the ‘LAN’ interface for that.

If I apply this rule to LAN, I can not access the Internet (ping google.com fails)

That’s probably because you need an additional ‘Allow’ rule for DNS (destination: ‘LAN address’, UDP port 53).
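To illustrate the two points made above (rules are evaluated on the interface the traffic enters, first match wins, and the allow-only approach needs an extra DNS rule), here is a small Python model of pfSense's rule evaluation on the thread's networks. This is an added example, not code from pfSense or from anyone in this thread; it assumes the firewall is .1 on each subnet, that the LAN interface still carries pfSense's default allow rule, and the alias and rule names are constructed.

```python
import ipaddress

# Constructed model (assumption: not pfSense's own code) of how pfSense evaluates rules:
# rules belong to the interface the packet ENTERS, first match wins, unmatched = block.
NETS = {"LAN": ipaddress.ip_network("10.0.0.0/24"),        # networks from the thread
        "VLAN25": ipaddress.ip_network("10.0.25.0/24")}
FW_ADDR = {name: net[1] for name, net in NETS.items()}     # assumed: firewall is .1 on each subnet
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A rule is (action, source network, destination, proto, port, invert_destination).
def matches(rule, iface, src, dst, proto, port):
    action, rsrc, rdst, rproto, rport, invert = rule
    if rsrc != "any" and src not in NETS[rsrc]:
        return False
    if rdst == "any":
        hit = True
    elif rdst == "interface address":               # e.g. 'LAN address' in the GUI
        hit = dst == FW_ADDR[iface]
    elif rdst == "Private_Networks":                 # constructed RFC1918 alias
        hit = any(dst in n for n in PRIVATE)
    else:
        hit = dst in NETS[rdst]
    if invert:                                       # GUI 'Invert match' on the destination
        hit = not hit
    return hit and rproto in ("any", proto) and rport in ("any", port)

def decide(rulesets, src, dst, proto, port=None):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = next(n for n, net in NETS.items() if src in net)   # ingress interface by source subnet
    for rule in rulesets.get(iface, []):
        if matches(rule, iface, src, dst, proto, port):
            return rule[0]
    return "block"                                   # implicit default deny

# Rules as posted: three rules on VLAN25, LAN left with pfSense's default 'allow LAN to any' (assumed).
POSTED = {
    "LAN":    [("pass", "LAN", "any", "any", "any", False)],
    "VLAN25": [("block", "LAN", "VLAN25", "any", "any", False),    # can never match on VLAN25
               ("block", "VLAN25", "LAN", "any", "any", False),
               ("pass", "VLAN25", "any", "any", "any", False)],
}

# Allow-only approach: DNS to the firewall, then everything that is NOT a private network.
def allow_only(iface, with_dns=True):
    dns = [("pass", iface, "interface address", "udp", 53, False)] if with_dns else []
    return dns + [("pass", iface, "Private_Networks", "any", "any", True)]
FIXED = {name: allow_only(name) for name in NETS}

if __name__ == "__main__":
    print("posted: LAN->VLAN25 ssh", decide(POSTED, "10.0.0.5", "10.0.25.10", "tcp", 22))   # pass
    print("fixed:  LAN->VLAN25 ssh", decide(FIXED, "10.0.0.5", "10.0.25.10", "tcp", 22))    # block
```

Dropping the DNS rule from `allow_only` reproduces the "ping google.com fails" symptom: queries to the firewall's own address hit the inverted private-networks rule and fall through to the default block.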

Copy the rules from LAN to VLAN25: select each rule and use the copy icon. Then change the network to VLAN25.

Here is an example of my setup - change IOT to VLAN25.

Management_Port is an alias with ports 80, 22 and the HTTPS port which you have configured.

RFC1819 is an alias of RFC1918 networks.

DNS_Ports has ports 53 and 853.

Last rule: for the gateway use *; in my example I am pushing outbound IoT traffic down one ISP line.

By default pfSense blocks everything unless you create a rule.