I have three subnets: one for the LAN, and two VLANs, one for Guest and one for IOT.
Currently I have a Synology running Plex on the LAN subnet, and a printer there too.
The smart TVs are all on the IOT VLAN.
What is the best and safest way to allow TCP access to port 32400 on the Synology to give access to Plex? And also, is there a way to put the printer somewhere (maybe in its own VLAN?) that can provide access from all subnets?
I can share how I have approached my VLANs with you; it might help or might not.
Firstly I don’t use the LAN, I only use it if I need to directly access the pfSense router in an emergency.
I’ve put all my vlan subnets into an alias.
I then use rules to either allow access or deny access between vlans.
The inverse of this rule allows access to the WAN.
On my Guest VLAN, no access is provided to any other VLANs; however, it must access the Access Point on my Management VLAN, so I have a first rule allowing just that. All other VLANs can access the Guest VLAN.
This allows me to control traffic between VLANs and not faff around with ports. If there is a reason to have an exception, I can easily add it first in the list while keeping everything else in place.
BTW, it looks like you have a rule that allows access to the pfSense GUI on your IOT VLAN; if you invert that, it will block access to it.
IMO it's best to come up with a general framework for your rules, to which you just need to add a few exceptions for them to work; otherwise you end up with too many rules and it becomes a nightmare to work out why something isn't working.
So, when I bought a printer, I simply added a new VLAN, denied access to the WAN and all other VLANs, but allowed all other VLANs to access the printer VLAN. That took 5 mins to do; admittedly, the work required to get there took a bit longer.
The reason is that the source port won't be the same as the destination port; it will be random. All that matters, though, is the destination port and what you are allowing access to on the destination. Also, you don't need that rule on the LAN interface. You can safely remove that.
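To make the framework above concrete, here is an added first-match rule model (not pfSense code, and not from either poster) that encodes the VLAN alias, the "block alias / pass inverse" pair, the Guest-to-AP and Plex exceptions placed first, and a printer VLAN reachable from other VLANs but blocked from the WAN. All addresses, the Synology, AP and VLAN values are constructed assumptions; note that the source port never appears in the evaluation.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's subnets (assumed values, not the poster's).
VLANS = {
    "LAN": ip_network("192.168.1.0/24"),
    "MGMT": ip_network("192.168.10.0/24"),
    "GUEST": ip_network("192.168.20.0/24"),
    "IOT": ip_network("192.168.30.0/24"),
    "PRINTER": ip_network("192.168.40.0/24"),
}
SYNOLOGY = ip_address("192.168.1.20")       # assumed Plex host on the LAN
ACCESS_POINT = ip_address("192.168.10.2")   # assumed AP on the management VLAN
PLEX_PORT = 32400

def in_vlan_alias(dst):
    """True if dst falls inside the alias that holds every VLAN subnet."""
    return any(dst in net for net in VLANS.values())

# Rule tables per ingress interface, first match wins (pfSense order).
# Rule = (action, destination predicate, destination port or None for any).
BLOCK_VLANS = ("block", in_vlan_alias, None)
ALLOW_WAN = ("pass", lambda d: not in_vlan_alias(d), None)  # inverse of the alias
RULES = {
    "GUEST": [("pass", lambda d: d == ACCESS_POINT, None), BLOCK_VLANS, ALLOW_WAN],
    "IOT": [
        ("pass", lambda d: d == SYNOLOGY, PLEX_PORT),           # exception first in list
        ("pass", lambda d: d in VLANS["PRINTER"], None),        # printer reachable
        ("pass", lambda d: d in VLANS["GUEST"], None),          # Guest reachable
        BLOCK_VLANS, ALLOW_WAN,
    ],
    "PRINTER": [BLOCK_VLANS, ("block", lambda d: True, None)],  # no other VLANs, no WAN
    "LAN": [("pass", lambda d: True, None)],                    # trusted, unrestricted
}

def evaluate(src, dst, dst_port):
    """Return 'pass' or 'block' for a TCP flow; the (random) source port is ignored."""
    src, dst = ip_address(src), ip_address(dst)
    interface = next((name for name, net in VLANS.items() if src in net), None)
    for action, matches, port in RULES.get(interface, []):
        if matches(dst) and port in (None, dst_port):
            return action
    return "block"  # pfSense's implicit default deny (e.g. MGMT has no rules here)

if __name__ == "__main__":
    print(evaluate("192.168.30.5", "192.168.1.20", 32400))  # IOT -> Plex: pass
    print(evaluate("192.168.30.5", "192.168.1.20", 445))    # IOT -> Synology SMB: block
```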
Thanks so much. I am going to have to think this through.
Also, the access to pfSense from IOT was intentional, but now I know I don't need it. My pfSense is the internal DNS resolver, and at first I thought I needed to allow access to port 53 to have DNS work for Guest and IOT. Then I realized that Guest and IOT don't need any internal DNS functionality. I just had DHCP provide them with external DNS servers, and I can get rid of that rule.
Thanks for sharing your insights. I am already simplifying the rules quite a bit after starting the design.