pfSense - vLAN devices see each other - no separation of vLANs

Hello,
i can’t see the wood for the trees right now and need your help. :thinking:

With pfSense, for the first time I have experienced the phenomenon that you can access devices in other vLANs without any rule in the pfSense.

My Challange
My configured vLANs (all on the same physical interface) are working like an allow any rule. device in vLAN 1 is seeing and reaching device in vLAN 2 wihtout any rule in the config. :flushed:

All vLANs are in the internal network zone not on the WAN site.
What am I doing wrong or where am I thinking too complicated to set all vLAN per default an “deny all” rule?

PfSense
Version: 2.6.0-RELEASE
OS: FreeBSD 12.3-STABLE

thx forward
Andy

Do hou have set up any rules at all? If so, please post some screenshots. For example, there surely is at least one rule to allow access to the web interface.

Which address ranges do the affected interfaces use (address + prefix)?

Can you verify that the problem is with pfSense and not with an improperly configurated switch?

If you traceroute from a host in VLAN 1 to a host in VLAN 2, do packets go through the router or directly?

Did you actually use a VLAN number of 1 or is that just to number them in your post?

Hello Paolo,
there are several firewall rules from vlan1 to vlan2 and to WAN configured.
Address range are sunetz RFC1918 e.g. 1921.68.2.0/24, 192.168.20.0/24 …

e.g. vlan1 to vlan2
Source = dedicated-ip of source
Destination = dedicated-ip of destination
Port = HTTPS

now the irritating thing for me
the source address is also able to get connected with other ip’s in the neigbour vLAN without configure this by any rule.

traceroute
When I execute a traceroute, the pfsense (DNS) is resolved first and then the host, which should NOT be reachable from this device.

It looks to me like the vLANs are running cleanly, but the firewall is not active, allowing all traffic between the vLANs.

vLAN Configuration
Interfaces / vLANs
5 vLANs all configured on igb1
Interface Groups = no groups configured
no GRE / BRIDGES configured

any idea what can be checked to enable the firewall per vLAN :face_with_thermometer:

Regards
Andy

I have a video covering how the basic rules work in pfsense and unless you have allow rules in the different networks in pfsense they can not talk to each other through pfsense.

I work from the other direction, block everything then allow by the rules I have in place. I’ve put my vlan subnets into an alias and these are either allowed or blocked. The traffic flows on my network as I expect.

What happens if you block that vlan, does it still get through ? I suspect you have a config error.

Hello @LTS_Tom and @neogrid
thx for your reply. my past firewalls (ZyXEL USG and SophosXG) have by default the rule “block any”.

My pfSense is an internal device that seperate LAN with my DMZ zone and has no NAT to the Internet Access Firewall that is connected to my ISP (routing only on both sites - workling well)

@LTS_Tom and @neogrid
is there any video / documentation who to put vLANs in the alias group and what is needed and hat to be changed at pfsense ? block traffic by default is my preffered solution also for pfsense :grinning:

thx forward
Andy

You might want to start here Firewall — Rule Methodology | pfSense Documentation

Just enter your subnets for the vlans you are using into an alias, then use the alias in your rules.

@neogrid
thx for your quick response. i will try this with my first vLAN. It was for me a bit, cause all my vLANs had a description and assignemtn trough Interfaces / Interface Assignments.

will keep you on track, if the default - any/any - block rule is working

Regards
Andy

Actually when I first started with pfsense I didn’t fully understand some of the rules, so I started from scratch and tuned each rule so that collectively the suite of rules for the interface did what I wanted.

Now I have about core 8 rules I use on most interfaces.

8 rules … nice :grinning: my previous Unified Security gateway had arround 180 rules for different vLANs (based on their functionality and requirements for WAN access) :pensive:

Now i’m moowill move my 1st vLAN to the Alias group. After I have already started to move the first vLAN into the alias, I notice that the accesses are restricted accordingly.

@LTS_Tom and @neogrid

I tested the alias and Tom’s video once yesterday.
If I set Tom’s scenario, then I have to

  1. block all not needed vLANs at the beginning
  2. create rules in the unblocked vLANs.
  3. when point 2 is done - also block these vLAN with a blocking rule
  4. now you can start with the rules to the WAN interface
  5. also add an any/any/block rule at the end, so that the activations are correct.

This is unusual, because the known manufacturers do not implement it this way. :thinking:

Regards
Andy