Vlan – Network Segregation by pfsense + ESXi VLAN

Tags: firewall, pfsense, vlan

Given

  1. ESXi host with 1 NIC
  2. Inside the host, there are 2 virtual switches: switch1 and switch2
  3. In switch1, there's 1 WAN interface
  4. In switch2, there are 4 VLANs: VLAN10, VLAN20, VLAN30, and VLAN40

Existing Situation:

  1. pfsense is used between switch1 and switch2 for routing
  2. VMs in each VLAN can access the Internet

Purpose:

  1. prevent VMs in VLAN40 from accessing VMs in other VLANs
  2. allow VMs within VLAN40 to access each other
  3. allow VMs in VLAN40 to access the Internet

What I have done to achieve the Purpose:

  1. I have created 3 firewall rules in VLAN40 (shown in a screenshot that is not reproduced here)

  2. I have created an alias, RFC1918, which includes:

    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16

Question:

  1. Are the firewall rules set correctly to achieve the purpose?

Best Answer

Purpose:

  1. prevent VMs in VLAN40 from accessing VMs in other VLANs

Is done by rule 2, unless any of your VMs in the other VLANs gets a public IP address. If you are sure that won't happen, you're fine.

  2. allow VMs within VLAN40 to access each other

Access within the VLAN is switched and shouldn't even arrive at the firewall.

  3. allow VMs in VLAN40 to access the Internet

pfsense will be the local DNS server, I assume from your first rule.

In short: Yes, should work, unless some pfsense- or ESXi-specific thing happens that I didn't think of. ;)
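To make the answer's reasoning checkable, here is an added first-match model of the VLAN40 ruleset (example code written for this page, not the asker's rules or pfSense's own logic). The exact rules are in the missing screenshot, so the rule order, the VLAN40 subnet 192.168.40.0/24 and the gateway 192.168.40.1 are assumptions; it reproduces the answer's three points, including the caveat that a VM in another VLAN with a public IP is not blocked.

```python
import ipaddress

# Assumed VLAN40 addressing (constructed, not from the question).
VLAN40_NET = ipaddress.ip_network("192.168.40.0/24")
GATEWAY_VLAN40 = ipaddress.ip_address("192.168.40.1")

# The RFC1918 alias exactly as listed in the question.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


# Assumed rule order for the VLAN40 interface (first match wins, as in pf):
#   1. pass DNS to the pfSense gateway (the answer infers this from rule 1)
#   2. block anything destined for the RFC1918 alias
#   3. pass everything else (Internet access)
RULES = [
    ("allow DNS to pfSense", "pass",
     lambda dst, proto, port: ipaddress.ip_address(dst) == GATEWAY_VLAN40
     and proto in ("udp", "tcp") and port == 53),
    ("block RFC1918", "block",
     lambda dst, proto, port: in_alias(dst, RFC1918)),
    ("allow any", "pass",
     lambda dst, proto, port: True),
]


def evaluate(dst, proto="tcp", port=80):
    """Return (action, rule name) for a VLAN40 packet to dst:proto/port."""
    for name, action, match in RULES:
        if match(dst, proto, port):
            return action, name
    return "block", "default deny"  # pfSense's implicit final rule


def reaches_firewall(src, dst):
    """Traffic between two VLAN40 hosts is switched locally and never hits
    pfSense, so no rule applies to it; only packets leaving the subnet or
    addressed to the gateway itself are seen by the firewall."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return d == GATEWAY_VLAN40 or not (s in VLAN40_NET and d in VLAN40_NET)


if __name__ == "__main__":
    for dst, proto, port in (("192.168.20.5", "tcp", 22),
                             ("192.168.40.1", "udp", 53),
                             ("203.0.113.10", "tcp", 443)):
        print(dst, proto, port, "->", evaluate(dst, proto, port))
```

The third sample (203.0.113.10, a documentation address standing in for a public IP) passes regardless of which VLAN the host actually sits in, which is exactly the exception the answer calls out for rule 2.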