Thank you Claudio for pointing me in the right direction. My testing pf.conf seems to work as expected:
- vlan1002:network can ping vlan1003:network only
- vlan1003:network can't ping vlan1002:network
- there is no routing between other vlans
# drop silently, keep stats on the uplink, don't filter loopback
set block-policy drop
set loginterface egress
set skip on lo0
# normalise incoming packets
match in all scrub (no-df random-id max-mss 1440)
# NAT everything leaving via the uplink to its primary address
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress vlan }
# default deny
block all
# ssh to the router from the uplink, and anything going out on it
pass in on egress inet proto tcp to egress port 22
pass out quick on egress inet
# vlans may talk to any address that is not one of the router's vlan interfaces
pass on vlan inet to !vlan
# the one permitted vlan-to-vlan path: vlan1002 -> vlan1003
pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
# everything else that came in on a vlan must not go out on a vlan
block out on vlan received-on vlan

Any other pf tweaks and suggestions would be appreciated.

On Tue, 13 Jul 2021 12:25:32 +0200 Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> On Tue, Jul 13, 2021 at 11:34:28AM +0200, Radek wrote:
> > Hello,
> > I'm going to build a router with +40 vlans.
> > I need to block access from every vlan to each other (and then enable
> > traffic between certain vlans as needed).
> >
> > How can I do this? Is there any one liner pf block rule to do this?
>
> Not really but you can try:
>
> block out on vlan received-on vlan
>
> It really matters in how you want to build your filters (outbound or
> inbound filtering). Maybe it is better to just start with a block all rule
> and slowly allow traffic back. You can use interface groups and pf tags to
> help with rule writing.
>
> --
> :wq Claudio
>

--
Radek
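The inbound-filtering variant Claudio points to, built with interface groups and a pf tag, written here as an added example rather than anything posted in the thread; the "office" group, its assumed members vlan1010 and vlan1011, and the ssh rule are assumptions, not part of the original setup:

```pf
# Added example, not the pf.conf posted in this thread. It isolates the
# vlans with inbound rules, interface groups and a pf tag, which is the
# approach Claudio hints at. Assumed layout: every vlan(4) interface is
# in the automatic "vlan" group, and two further vlans (say vlan1010 and
# vlan1011, assumed) were put in a group named "office" with
# "ifconfig vlan1010 group office" (add "group office" to
# /etc/hostname.vlan1010 so it survives a reboot).

set block-policy drop
set skip on lo0

# Mark packets that enter on one vlan and are addressed to any vlan's
# network. "match" only sets the tag; pass/block rules below decide
# (last matching rule wins unless "quick" is used).
match in on vlan inet from vlan:network to vlan:network tag INTER_VLAN

# Default deny; everything that follows is an explicit allow.
block log all

# Each vlan may reach the router itself, on the address of the
# interface the packet arrived on.
pass in on vlan inet proto tcp to vlan port 22

# Each vlan may reach anything that is not another vlan (the uplink).
# The negated tag says this without repeating the address list, and
# adding an interface to the "vlan" group extends the isolation.
pass in on vlan inet from vlan:network ! tagged INTER_VLAN

# One-directional exception, as asked for in the thread: hosts on
# vlan1002 may open connections to vlan1003, not the other way round.
# Filtering on the inbound interface means the state created here
# also covers the replies coming back in on vlan1003.
pass in on vlan1002 inet from vlan1002:network to vlan1003:network

# Group-wide exception: members of "office" may talk to each other in
# both directions, since each side is checked on its own inbound side.
pass in on office inet from office:network to office:network

# Outbound: the router's own traffic, and forwarded packets for which
# the inbound rule already created state.
pass out quick inet

# Syntax check without loading: pfctl -nf /etc/pf.conf
```

Because every decision is made on the interface a packet arrives on, a new vlan is isolated the moment it joins the "vlan" group, and exceptions are single pass in rules on the originating interface.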