Hello Rosen,
> - block out on vlan received-on vlan
> is redundant, it never going to be used, you already have block all
Unfortunalety, the traffic passes between vlans without that rule at the end of
my rule set. I don't know why...
> - pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
> Because of the direction from - to, this rule will be applied on the inbound
> traffic only
That's exactly what I need. I want clients fron one vlan to access devices in
another vlan but disable access inversely.
> Also as this is a quick rule, you should move it to the top of your rule set,
> so the traffic that matches this one, does not get evaluated for the rest of
> your rules.
True, thanks for the hint!
On Sat, 17 Jul 2021 10:25:37 -0600
Rosen Iliev wrote:
> Hello Radek,
>
> Your
>
> - block out on vlan received-on vlan
> is redundant, it never going to be used, you already have block all
>
> - pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
> Because of the direction from - to, this rule will be applied on the inbound
> traffic only, so the rule should be*pass in quick on vlan1003***Also as this
> is a quick rule, you should move it to the top of your rule set, so the
> traffic that matches this one, does not get evaluated for the rest of your
> rules. I know the pf will optimize that in some point of time.
>
> Regards,
>
> Rosen
>
> Radek wrote on 7/14/2021 08:25:
> > Thank you Claudio for pointing me in the right direction.
> >
> > My testing pf.conf seems to work as expected:
> > - vlan1002:network can ping vlan1003:network only
> > - vlan1003:network can't ping vlan1002:network
> > - there is no routing between other vlans
> >
> > set block-policy drop
> > set loginterface egress
> > set skip on lo0
> > match in all scrub (no-df random-id max-mss 1440)
> > match out on egress inet from !(egress:network) to any nat-to (egress:0)
> > antispoof quick for { egress vlan }
> > block all
> > pass in on egress inet proto tcp to egress port 22
> > pass out quick on egress inet
> > pass on vlan inet to !vlan
> > pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
> > block out on vlan received-on vlan
> >
> > Any other pf tweeks and suggestion would be appreciated.
> >
> > On Tue, 13 Jul 2021 12:25:32 +0200
> > Claudio Jeker wrote:
> >
> >> On Tue, Jul 13, 2021 at 11:34:28AM +0200, Radek wrote:
> >>> Hello,
> >>> I'm going to build a router with +40 vlans.
> >>> I need to block access from every vlan to each other (and then enable
> >>> traffic between certain vlans as needed).
> >>>
> >>> How can I do this? Is there any one liner pf block rule to do this?
> >> Not really but you can try:
> >>
> >> block out on vlan received-on vlan
> >>
> >> It really matters in how you want to build your filters (outbound or
> >> inbound filtering). Maybe it is better to just start with a block all rule
> >> and slowly allow traffic back. You can use interface groups and pf tags to
> >> help with rule writing.
> >>
> >> --
> >> :wq Claudio
> >>
> >
>
--
Radek
--
Radek
