VLAN Rules

Started by rlcustoms, May 01, 2025, 09:58:01 PM

I have a pretty simple setup. I have created a vlan (10) that I want to only be able to reach the Internet. I do not want it to reach anything on the default LAN.
I have setup the following rule on the VLAN interface.

Protocol: IPv4
Source: *
Port: *
Dest: *
DPort: *
Gateway: *
Direction: In

This allows me to get to the Internet when connected to the VLAN 10 but also the default LAN.

What rule should I create to block access to the default LAN?


Quote from: rlcustoms on May 01, 2025, 09:58:01 PM
    What rule should I create to block access to the default LAN?
Maybe a block-rule?

I'm personally not a fan of block rules.
There are plenty of references to one way of handling this that doesn't use them:
Create an alias (private_networks or RFC1918_networks) that encompasses either all private networks (per RFC) or at least the ones you use.
Then change the destination to !private_networks (! by way of inverting the destination).

Note that you also need an exception for the gateway of the VLAN, in particular for DNS.
That's an additional FW rule (or a PF rule to redirect all DNS to the vlan GW).

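The approach described in the reply above (an RFC 1918 alias, an allow rule to the inverted alias, and a DNS exception for the VLAN gateway), written out as a raw pf.conf fragment. This is an added example, not code from the thread or from the OPNsense project: the interface name vlan10, the gateway address 192.168.10.1 and the plain-pf syntax (the OPNsense GUI generates equivalent rules from the alias and the "invert destination" checkbox) are assumptions.

```pf
# Added example: Internet-only VLAN in pf.conf. Names and addresses are assumed.
vlan10_if = "vlan10"            # assumed interface carrying VLAN 10
vlan10_gw = "192.168.10.1"      # assumed firewall address on VLAN 10 (DNS listens here)

# The "private_networks" alias from the reply: every RFC 1918 range.
table <private_networks> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# The original poster's rule, kept here only to show what it permits:
# any destination, including the default LAN, because "*" matches everything.
# pass in quick on $vlan10_if inet from $vlan10_if:network to any

# Exception first: VLAN 10 hosts may reach DNS on the VLAN gateway itself.
# Without this, the gateway is inside 192.168.0.0/16 and the inverted
# rule below would never match it, so name resolution breaks.
pass in quick on $vlan10_if inet proto { udp, tcp } \
    from $vlan10_if:network to $vlan10_gw port 53

# Alternative mentioned in the reply: redirect every DNS query to the
# VLAN gateway instead of (or in addition to) the exception above.
# rdr pass on $vlan10_if inet proto { udp, tcp } \
#     from $vlan10_if:network to any port 53 -> $vlan10_gw port 53

# Internet only: allow traffic whose destination is NOT a private network.
# "quick" makes this a first-match rule, as the GUI rules are.
pass in quick on $vlan10_if inet from $vlan10_if:network to ! <private_networks>

# Nothing else is passed, so traffic from VLAN 10 to the default LAN
# falls through to the firewall's default deny; no explicit block rule needed.
```

Rule order matters because both pass rules carry `quick`: the DNS exception must precede the inverted-alias rule, otherwise DNS to the gateway is never matched and is silently dropped by the default deny. If the alias is later narrowed to only the networks in use, the gateway exception still has to stay, since the VLAN's own subnet is always inside it.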