Hello,
I can’t see the wood for the trees right now and need your help.
With pfSense, for the first time I have experienced the phenomenon that you can access devices in other vLANs without any rule in the pfSense.
My Challenge
My configured vLANs (all on the same physical interface) are working like an allow-any rule. A device in vLAN 1 is seeing and reaching a device in vLAN 2 without any rule in the config.
All vLANs are in the internal network zone, not on the WAN side.
What am I doing wrong, or where am I thinking too complicated, to set a “deny all” rule for all vLANs by default?
Do you have set up any rules at all? If so, please post some screenshots. For example, there surely is at least one rule to allow access to the web interface.
Which address ranges do the affected interfaces use (address + prefix)?
Can you verify that the problem is with pfSense and not with an improperly configured switch?
If you traceroute from a host in VLAN 1 to a host in VLAN 2, do packets go through the router or directly?
Did you actually use a VLAN number of 1 or is that just to number them in your post?
Hello Paolo,
There are several firewall rules from vlan1 to vlan2 and to WAN configured.
Address ranges are RFC1918 subnets, e.g. 192.168.2.0/24, 192.168.20.0/24 …
e.g. vlan1 to vlan2
Source = dedicated-ip of source
Destination = dedicated-ip of destination
Port = HTTPS
Now the irritating thing for me:
The source address is also able to connect to other IPs in the neighbouring vLAN without this being configured by any rule.
traceroute
When I execute a traceroute, the pfsense (DNS) is resolved first and then the host, which should NOT be reachable from this device.
It looks to me like the vLANs are running cleanly, but the firewall is not active, allowing all traffic between the vLANs.
vLAN Configuration
Interfaces / vLANs
5 vLANs all configured on igb1
Interface Groups = no groups configured
no GRE / BRIDGES configured
Any idea what can be checked to enable the firewall per vLAN?
I have a video covering how the basic rules work in pfsense and unless you have allow rules in the different networks in pfsense they can not talk to each other through pfsense.
I work from the other direction, block everything then allow by the rules I have in place. I’ve put my vlan subnets into an alias and these are either allowed or blocked. The traffic flows on my network as I expect.
What happens if you block that vlan, does it still get through? I suspect you have a config error.
Hello @LTS_Tom and @neogrid
Thx for your reply. My past firewalls (ZyXEL USG and Sophos XG) have the rule “block any” by default.
My pfSense is an internal device that separates the LAN from my DMZ zone and has no NAT to the Internet access firewall that is connected to my ISP (routing only on both sides - working well).
@LTS_Tom and @neogrid
Is there any video / documentation on how to put vLANs in the alias group and what is needed and has to be changed in pfSense? Blocking traffic by default is my preferred solution for pfSense as well.
@neogrid
Thx for your quick response. I will try this with my first vLAN. It was a bit for me, because all my vLANs had a description and assignment through Interfaces / Interface Assignments.
I will keep you updated on whether the default any/any block rule is working.
Actually when I first started with pfsense I didn’t fully understand some of the rules, so I started from scratch and tuned each rule so that collectively the suite of rules for the interface did what I wanted.
Now I have about 8 core rules I use on most interfaces.
8 rules … nice. My previous Unified Security Gateway had around 180 rules for different vLANs (based on their functionality and requirements for WAN access).
Now I will move my 1st vLAN to the alias group. After I started to move the first vLAN into the alias, I noticed that the accesses are restricted accordingly.
From the laptop in vlan25, it cannot ping any host in 10.0.0.0/24 (correct), and it can access the net (ping google.com works). But from a host in 10.0.0.0/24, I can ssh to the laptop (should not happen).
I assume the screenshot shows the rules for the ‘VLAN25’ interface. Rules always apply to traffic entering the firewall at the respective interface. So the first rule is pointless because there won’t be any traffic whose source is the ‘LAN’ network from the ‘VLAN25’ interface. If you want to block hosts in the ‘LAN’ network from accessing hosts in the ‘VLAN25’ network, you need to add a rule to the ‘LAN’ interface.
Also, I strongly discourage the use of the wildcard destination in ‘Allow’ rules. Are you aware that hosts from the ‘VLAN25’ network can access all ports on the firewall itself, for example? They can also access all other networks connected to the firewall except the ‘LAN’ network (since you explicitly blocked that). This includes VPNs, if there are any.
That is probably not what you want. Likely you want to allow access to the internet only, as well as select local networks. It is far more secure to specifically allow the destinations you actually want hosts to be able to connect to rather than to block individual destinations and allow all others. I already explained how to do this here:
I personally build my rules without ever using a single block rule.
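To make the two points in this thread concrete (rules only match traffic entering pfSense on the interface they are bound to, and a wildcard-destination allow reaches the firewall itself and every other local network), here is an added toy model of pfSense's first-match, default-deny evaluation. It is not code from the thread or from pfSense; the VLAN25 (192.168.25.0/24) and VLAN30 subnets and the firewall address are assumed, only 10.0.0.0/24 comes from the post.

```python
from ipaddress import ip_address, ip_network

# Constructed networks: LAN is the 10.0.0.0/24 from the thread, the rest are assumed.
NETS = {"LAN": ip_network("10.0.0.0/24"), "VLAN25": ip_network("192.168.25.0/24"),
        "VLAN30": ip_network("192.168.30.0/24")}
ANY = [ip_network("0.0.0.0/0")]
LOCAL = list(NETS.values())        # alias holding all local subnets (neogrid's approach)
FIREWALL_VLAN25 = "192.168.25.1"   # assumed address of pfSense on the VLAN25 interface

def ingress_iface(src):
    """A packet enters pfSense on the interface of the sender's own subnet."""
    return next((n for n, net in NETS.items() if ip_address(src) in net), "WAN")

def in_any(addr, nets):
    return any(ip_address(addr) in net for net in nets)

def evaluate(rules, src, dst):
    """rules: {iface: [(action, src_nets, dst_nets, invert_dst), ...]}.
    Only the ingress interface's tab is consulted, first match wins, default deny."""
    for action, s, d, inv in rules.get(ingress_iface(src), []):
        if in_any(src, s) and (in_any(dst, d) != inv):
            return action
    return "block"   # pfSense's implicit default-deny on every interface

# Rule set as described in the thread: everything on the VLAN25 tab, LAN tab permissive.
ORIGINAL = {
    "VLAN25": [("block", [NETS["LAN"]], ANY, False),            # never matches here
               ("block", [NETS["VLAN25"]], [NETS["LAN"]], False),
               ("pass", [NETS["VLAN25"]], ANY, False)],         # wildcard destination
    "LAN": [("pass", [NETS["LAN"]], ANY, False)],
}
# Corrected: block LAN->VLAN25 on the tab where that traffic enters (LAN), and let
# VLAN25 reach only non-local destinations via an inverted local-subnet alias.
# (In practice you would also pass DNS/DHCP to the firewall's own VLAN25 address.)
CORRECTED = {
    "VLAN25": [("pass", [NETS["VLAN25"]], LOCAL, True)],
    "LAN": [("block", [NETS["LAN"]], [NETS["VLAN25"]], False),
            ("pass", [NETS["LAN"]], ANY, False)],
}

def check(rules):
    """Verdicts for the flows discussed in the thread (addresses constructed)."""
    laptop = "192.168.25.10"
    return {"laptop->LAN ping": evaluate(rules, laptop, "10.0.0.5"),
            "LAN->laptop ssh": evaluate(rules, "10.0.0.5", laptop),
            "laptop->firewall": evaluate(rules, laptop, FIREWALL_VLAN25),
            "laptop->VLAN30": evaluate(rules, laptop, "192.168.30.7"),
            "laptop->internet": evaluate(rules, laptop, "203.0.113.9")}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, check(rules))
```

With ORIGINAL the LAN-to-laptop ssh passes because the "block src LAN" rule sits on a tab that never sees LAN-originated packets, while the wildcard allow also passes laptop-to-firewall and laptop-to-VLAN30; CORRECTED blocks all of those and still passes internet traffic.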