pfsense intervlan routing

hellosky (Weaksauce, joined Mar 28, 2010, 111 messages)
I'm trying to configure a pfsense box that will function as a router on a stick for several vlans I have set up.

The vlans seem to be working fine, I can get an IP from the pfsense box. However I have no idea how to get the vlans to connect to the internet.

I have set up a firewall rule that allows talking to the WAN subnet (VLAN10 net to WAN net, allow all, for example) but it still doesn't work. What am I doing wrong here? Do I need to have the pfsense box run DNS as well to handle the internet routing?
 
I would change the rule to allow all traffic to all destinations and then place rules before it (in pfsense, above it) that deny access to other vlans' subnets to control the flow within your network.

If a vlan should have access to other internal vlans (other interfaces) but not internet access, then put in a deny all rule with pass rules above it for each internal vlan's subnet that it should have access to.

There are other ways to accomplish this, but this is what has always made the most sense to me, and you can read the firewall rules months from now and make quick sense of where the firewall is flowing traffic. I'm always open to hearing other, better solutions myself :)
 
pfsense will automatically route between its interfaces, so you just need to create rules to allow access. As jbraband mentioned, I would start with an any-any-any rule; once you have things working, then you can start to restrict that to only what's necessary and delete the any rule.
 
That's a good point aaronearles. The routing is already set up by pfSense (assuming you have the auto config (I think that's what it's called, not in front of a box right now) enabled in the NAT setup, which it is by default), and so the only hurdle to jump is telling the firewall to let that traffic through.
 
Thanks, adjusted the firewall rules and it seems to be working. Are the rules processed in a certain order? Some vlans shouldn't be communicating with the others and I need to know how to configure the rules.

Also I noticed that the gateway IP address is unique for each vlan - is that ok?

Does pfsense run DNS locally? I tried to ping computers via their FQDNs and it didn't work. I'm wondering if I need to do extra things to run DNS.
 
By definition, vlans are their own network segments. To communicate between these segments you'll need a way to forward packets through a central router (in this case, your PFSense box). To do this, each vlan is assigned a specific IP which is the gateway to the rest of the network.

Think of a spoked wheel: each spoke is a different segment (vlan) with one end connected to the central router (PFSense box). Therefore each spoke will have its own gateway. Yes, that is correct.

You'll need a local DNS server or static entries for all devices on each segment for resolution.
 
pfsense processes firewall rules top down. So say you have a packet. If it matches the top rule, the rule is applied (pass or deny). If it doesn't match, it tries the second rule and does the same thing on down the list.

Should the packet not match any firewall rule, the packet is dropped.
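The two answers above describe the same mechanism from two sides: rules on an interface are evaluated top down, the first match wins, and anything unmatched is dropped, so a "deny other vlans" rule only works when it sits above the catch-all pass. The following Python simulator is an added example (not pfSense code and not from anyone in this thread); it models that first-match behaviour on the inbound rules of one VLAN interface, using constructed subnets (10.0.10.0/24 for VLAN10 with gateway 10.0.10.1, 10.0.20.0/24 and 10.0.30.0/24 for two other vlans) and a deliberately mis-ordered copy of the rule set to show the deny rule being shadowed. It also includes a block rule aimed only at the gateway's own IP on port 443, which is the "webGUI, not web traffic" distinction raised later in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical addressing for this example (constructed, not from the thread):
VLAN10_NET = "10.0.10.0/24"   # interface whose inbound rules we evaluate
VLAN10_GW = "10.0.10.1/32"    # pfSense's address on VLAN10 (webGUI listens here)
VLAN20_NET = "10.0.20.0/24"
VLAN30_NET = "10.0.30.0/24"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # source network in CIDR form
    dst: str                  # destination network in CIDR form
    dport: Optional[int] = None   # None means any destination port
    note: str = ""            # human-readable label, like a pfSense rule description


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) for the first rule that matches, top down.

    Mirrors the behaviour described in the thread: rules are tried in order,
    the first match decides, and a packet matching nothing is dropped.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.note
    return "block", "default deny (no rule matched)"


# Rule set in the order recommended above: specific denies first, catch-all pass last.
VLAN10_RULES = [
    Rule("block", VLAN10_NET, VLAN10_GW, 443, "no webGUI from VLAN10"),
    Rule("block", VLAN10_NET, VLAN20_NET, None, "isolate from VLAN20"),
    Rule("block", VLAN10_NET, VLAN30_NET, None, "isolate from VLAN30"),
    Rule("pass", VLAN10_NET, ANY, None, "allow everything else (internet)"),
]

# Same rules with the catch-all pass moved to the top: the denies can never match.
ANY_FIRST_RULES = [VLAN10_RULES[-1]] + VLAN10_RULES[:-1]


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that sit below a pass-any rule for the same source and so never fire."""
    shadowed = []
    seen_pass_any = False
    for r in rules:
        if seen_pass_any:
            shadowed.append(r.note)
        if r.action == "pass" and r.dst == ANY and r.dport is None:
            seen_pass_any = True
    return shadowed


if __name__ == "__main__":
    probes = [
        ("10.0.10.50", "8.8.8.8", 443),      # internet: should pass
        ("10.0.10.50", "10.0.20.5", 445),    # other vlan: should be blocked
        ("10.0.10.50", "10.0.10.1", 443),    # webGUI on the gateway: blocked
        ("10.0.10.50", "10.0.10.1", 53),     # DNS on the gateway: still allowed
        ("10.0.30.7", "8.8.8.8", 443),       # wrong source for this interface: default deny
    ]
    for src, dst, port in probes:
        print(f"{src} -> {dst}:{port}: {evaluate(VLAN10_RULES, src, dst, port)}")
    print("shadowed in ANY_FIRST_RULES:", shadowed_rules(ANY_FIRST_RULES))
```

The `shadowed_rules` check is the kind of sanity test worth running against any rule table built this way: if a pass-any rule has drifted above a deny, the deny is dead code and the vlan isolation it was meant to enforce silently disappears.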
 
Thanks - one more thing.

If I want one vlan to have restricted internet access, do I just install the squid proxy and set up a whitelist for URLs? Is it possible to have this run transparent for just one vlan?

And just to make sure - if I block port 443/80 on the gateway IP, I block just the webGUI, correct? Not the web traffic?
 
> thanks - one more thing
>
> if i want one vlan to have restricted internet access I just install squid proxy and set up a whitelist for URLs? is it possible to have this run transparent for just one vlan?

No way that I know of. I wish you could run multiple squid configs on different interfaces, because I run it for my primary internal subnet and would like to run it for the guest network too. One alternative which I have not tested is using the HAVP antivirus package on one interface and squid on another.

Let us/me know if you come up with something better though!

> and just to make sure - if i block port 443/80 on the gateway ip I block just the webgui correct? not the web traffic?

Right, it's based on the destination, not on the fact that it has to go through the firewall to get there.
 