I think I got my 6610 ACLs figured out and removed almost all firewalling from pfSense to switch duty. The only firewalling pfSense does now is to the WAN. All devices now use the switch VE interfaces as gateways. This is still new for me, so if anyone is curious to use it, be cautious, and anyone with know-how, please tell me if this is wildly or even mildly wrong:
Code:
access-list 102 remark ALLOW DHCP
access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq bootpc
access-list 102 remark ALLOW ANY ICMP
access-list 102 permit icmp any any
access-list 102 remark ALLOW ESTABLISHED TCP TRAFFIC
access-list 102 permit tcp any any established
access-list 102 remark ALLOW DNS REQUESTS TO PFSENSE
access-list 102 permit udp 10.1.2.0 0.0.0.255 host 10.1.2.254 eq dns
access-list 102 remark ALLOW NTP REQUESTS TO PFSENSE
access-list 102 permit udp 10.1.2.0 0.0.0.255 host 10.1.1.254 eq ntp
access-list 102 permit udp 10.1.2.0 0.0.0.255 host 10.1.2.254 eq ntp
access-list 102 remark DENY ALL OTHER ACCESS TO SWITCH AND ROUTER
access-list 102 deny ip any host 10.1.2.1 log
access-list 102 deny ip any host 10.1.2.254 log
access-list 102 remark DENY INTER-VLAN TRAFFIC
access-list 102 deny ip any 10.1.1.0 0.0.0.255
access-list 102 deny ip any 10.1.3.0 0.0.0.255
access-list 102 deny ip any 10.1.4.0 0.0.0.255
access-list 102 deny ip any 10.1.6.0 0.0.0.255
access-list 102 deny ip any 10.1.10.0 0.0.0.255
access-list 102 deny ip any 10.1.20.0 0.0.0.255
access-list 102 remark ALLOW SAME VLAN TRAFFIC
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 remark DENY REMAINING TRAFFIC
access-list 102 deny ip any any log
!
access-list 103 remark ALLOW DHCP
access-list 103 permit udp any any eq bootps
access-list 103 permit udp any any eq bootpc
access-list 103 remark ALLOW ANY ICMP
access-list 103 permit icmp any any
access-list 103 remark ALLOW ESTABLISHED TCP TRAFFIC
access-list 103 permit tcp any any established
access-list 103 remark ALLOW DNS REQUESTS TO PFSENSE
access-list 103 permit udp 10.1.3.0 0.0.0.255 host 10.1.3.254 eq dns
access-list 103 remark ALLOW NTP REQUESTS TO PFSENSE
access-list 103 permit udp 10.1.3.0 0.0.0.255 host 10.1.1.254 eq ntp
access-list 103 permit udp 10.1.3.0 0.0.0.255 host 10.1.3.254 eq ntp
access-list 103 remark ALLOW NTP REQUEST RETURNS FROM PFSENSE
access-list 103 permit udp host 10.1.1.254 eq ntp 10.1.3.0 0.0.0.255
access-list 103 permit udp host 10.1.3.254 eq ntp 10.1.3.0 0.0.0.255
access-list 103 remark ALLOW RETURN OF SNMP TRAFFIC TO LIBRENMS SERVER
access-list 103 permit udp 10.1.3.0 0.0.0.255 eq snmp host 10.1.6.61 gt 1024
access-list 103 permit udp 10.1.3.0 0.0.0.255 eq snmp-trap host 10.1.6.61 gt 1024
access-list 103 remark ALLOW ECOBEE STRICT WAN ACCESS
access-list 103 permit tcp host 10.1.3.50 host 216.220.61.236 eq 8190
access-list 103 remark DENY ALL OTHER ACCESS TO SWITCH AND ROUTER
access-list 103 deny ip any host 10.1.3.1 log
access-list 103 deny ip any host 10.1.3.254 log
access-list 103 remark DENY INTER-VLAN TRAFFIC
access-list 103 deny ip any 10.1.1.0 0.0.0.255
access-list 103 deny ip any 10.1.2.0 0.0.0.255
access-list 103 deny ip any 10.1.4.0 0.0.0.255
access-list 103 deny ip any 10.1.6.0 0.0.0.255
access-list 103 deny ip any 10.1.10.0 0.0.0.255
access-list 103 deny ip any 10.1.20.0 0.0.0.255
access-list 103 remark ALLOW SAME VLAN TRAFFIC
access-list 103 permit ip 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 103 remark DENY REMAINING TRAFFIC
access-list 103 deny ip any any log
!
access-list 104 remark ALLOW ICMP
access-list 104 permit icmp any any
access-list 104 remark DENY ALL OTHER ACCESS TO SWITCH
access-list 104 deny ip any host 10.1.4.1 log
access-list 104 remark ALLOW LOCAL VLAN TRAFFIC
access-list 104 permit ip 10.1.4.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 104 remark DENY REMAINING TRAFFIC
access-list 104 deny ip any any log
!
access-list 105 remark ALLOW DHCP
access-list 105 permit udp any any eq bootps
access-list 105 permit udp any any eq bootpc
access-list 105 remark ALLOW ANY ICMP
access-list 105 permit icmp any any
access-list 105 remark ALLOW ESTABLISHED TCP TRAFFIC
access-list 105 permit tcp any any established
access-list 105 remark ALLOW RETURN OF NTP REQUESTS FROM PFSENSE TO ANY VLAN
access-list 105 permit udp host 10.1.1.254 eq ntp 10.1.0.0 0.0.255.255
access-list 105 remark ALLOW RETURN OF SNMP TRAFFIC TO LIBRENMS SERVER
access-list 105 permit udp 10.1.1.0 0.0.0.255 eq snmp host 10.1.6.61 gt 1024
access-list 105 permit udp 10.1.1.0 0.0.0.255 eq snmp-trap host 10.1.6.61 gt 1024
access-list 105 remark ALLOW IPMI, DRAC ACCESS from VLAN10 and SLB1/2
access-list 105 permit udp 10.1.1.0 0.0.0.255 eq asf-rmcp 10.1.10.0 0.0.0.255 gt 1024
access-list 105 permit udp 10.1.1.0 0.0.0.255 eq asf-rmcp host 10.1.6.39 gt 1024
access-list 105 permit udp 10.1.1.0 0.0.0.255 eq asf-rmcp host 10.1.6.40 gt 1024
access-list 105 remark ALLOW RETURN TRAFFIC FROM PROXMOX HOSTS TO VLAN10
access-list 105 permit ip host 10.1.1.10 10.1.10.0 0.0.0.255
access-list 105 permit ip host 10.1.1.11 10.1.10.0 0.0.0.255
access-list 105 remark ALLOW IPERF3 TRAFFIC TO/FROM VLAN 10
access-list 105 permit tcp 10.1.1.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 5201
access-list 105 remark DENY INTER-VLAN TRAFFIC
access-list 105 deny ip any 10.1.2.0 0.0.0.255
access-list 105 deny ip any 10.1.3.0 0.0.0.255
access-list 105 deny ip any 10.1.4.0 0.0.0.255
access-list 105 deny ip any 10.1.6.0 0.0.0.255
access-list 105 deny ip any 10.1.10.0 0.0.0.255
access-list 105 deny ip any 10.1.20.0 0.0.0.255
access-list 105 remark ALLOW REMAINING TRAFFIC
access-list 105 permit ip any any
!
access-list 106 remark ALLOW DHCP
access-list 106 permit udp any any eq bootps
access-list 106 permit udp any any eq bootpc
access-list 106 remark ALLOW ANY ICMP
access-list 106 permit icmp any any
access-list 106 remark ALLOW ESTABLISHED TCP TRAFFIC
access-list 106 permit tcp any any established
access-list 106 remark ALLOW DNS REQUESTS TO PFSENSE
access-list 106 permit udp 10.1.6.0 0.0.0.255 host 10.1.6.254 eq dns
access-list 106 remark ALLOW NTP REQUESTS TO PFSENSE
access-list 106 permit udp 10.1.6.0 0.0.0.255 host 10.1.1.254 eq ntp
access-list 106 permit udp 10.1.6.0 0.0.0.255 host 10.1.6.254 eq ntp
access-list 106 remark ALLOW LIBRENMS SERVER TO QUERY ALL VLANS
access-list 106 permit udp host 10.1.6.61 any eq snmp
access-list 106 permit udp host 10.1.6.61 any eq snmp-trap
access-list 106 remark ALLOW SLB1/2 SSH/222, IPMI, DRAC ACCESS TO ALL VLANS
access-list 106 permit tcp host 10.1.6.39 any eq ssh
access-list 106 permit tcp host 10.1.6.40 any eq ssh
access-list 106 permit tcp host 10.1.6.39 any eq rsh-spx
access-list 106 permit tcp host 10.1.6.40 any eq rsh-spx
access-list 106 permit tcp host 10.1.6.39 any eq asf-rmcp
access-list 106 permit tcp host 10.1.6.40 any eq asf-rmcp
access-list 106 permit udp host 10.1.6.39 any eq asf-rmcp
access-list 106 permit udp host 10.1.6.40 any eq asf-rmcp
access-list 106 remark ALLOW RETURN OF NFS UDP TRAFFIC FROM TORRENTS TO VLAN10
access-list 106 permit udp host 10.1.6.199 eq sunrpc 10.1.10.0 0.0.0.255
access-list 106 permit udp host 10.1.6.199 eq nfs 10.1.10.0 0.0.0.255
access-list 106 remark ALLOW IPERF3 TRAFFIC TO/FROM VLAN 10
access-list 106 permit tcp 10.1.6.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 5201
access-list 106 remark DENY ALL OTHER ACCESS TO SWITCH AND ROUTER
access-list 106 deny ip any host 10.1.6.1 log
access-list 106 deny ip any host 10.1.6.254 log
access-list 106 remark DENY INTER-VLAN TRAFFIC
access-list 106 deny ip any 10.1.1.0 0.0.0.255
access-list 106 deny ip any 10.1.2.0 0.0.0.255
access-list 106 deny ip any 10.1.3.0 0.0.0.255
access-list 106 deny ip any 10.1.4.0 0.0.0.255
access-list 106 deny ip any 10.1.10.0 0.0.0.255
access-list 106 deny ip any 10.1.20.0 0.0.0.255
access-list 106 remark ALLOW REMAINING TRAFFIC
access-list 106 permit ip any any
!
access-list 110 remark VIP VLAN GETS ACCESS ANYWHERE
access-list 110 permit ip any any
!
access-list 120 remark ALLOW DHCP
access-list 120 permit udp any any eq bootps
access-list 120 permit udp any any eq bootpc
access-list 120 remark ALLOW ANY ICMP
access-list 120 permit icmp any any
access-list 120 remark ALLOW ESTABLISHED TCP TRAFFIC
access-list 120 permit tcp any any established
access-list 120 remark ALLOW DNS REQUESTS TO PFSENSE
access-list 120 permit udp 10.1.20.0 0.0.0.255 host 10.1.20.254 eq dns
access-list 120 remark ALLOW NTP REQUESTS TO PFSENSE
access-list 120 permit udp 10.1.20.0 0.0.0.255 host 10.1.1.254 eq ntp
access-list 120 permit udp 10.1.20.0 0.0.0.255 host 10.1.20.254 eq ntp
access-list 120 remark ALLOW RETURN OF SNMP TRAFFIC TO LIBRENMS SERVER
access-list 120 permit udp 10.1.20.0 0.0.0.255 eq snmp host 10.1.6.61 gt 1024
access-list 120 permit udp 10.1.20.0 0.0.0.255 eq snmp-trap host 10.1.6.61 gt 1024
access-list 120 remark ALLOW HTTP/IPP/LPD/JETDIRECT TRAFFIC TO PRINTER
access-list 120 permit tcp 10.1.20.0 0.0.0.255 host 10.1.3.5 eq http
access-list 120 permit tcp 10.1.20.0 0.0.0.255 host 10.1.3.5 eq printer
access-list 120 permit tcp 10.1.20.0 0.0.0.255 host 10.1.3.5 eq ipp
access-list 120 permit tcp 10.1.20.0 0.0.0.255 host 10.1.3.5 eq 9100
access-list 120 remark DENY ALL OTHER ACCESS TO SWITCH AND ROUTER
access-list 120 deny ip any host 10.1.20.1 log
access-list 120 deny ip any host 10.1.20.254 log
access-list 120 remark DENY INTER-VLAN TRAFFIC
access-list 120 deny ip any 10.1.1.0 0.0.0.255
access-list 120 deny ip any 10.1.2.0 0.0.0.255
access-list 120 deny ip any 10.1.3.0 0.0.0.255
access-list 120 deny ip any 10.1.4.0 0.0.0.255
access-list 120 deny ip any 10.1.6.0 0.0.0.255
access-list 120 deny ip any 10.1.10.0 0.0.0.255
access-list 120 remark ALLOW REMAINING TRAFFIC
access-list 120 permit ip any any
Each ACL is numbered as 1${vlanid}
VLAN setup:
1 - Default - unused
2 - VoIP - no WAN access
3 - IoT - no WAN access - printers, cameras
4 - NAS/Gluster - no WAN access, no VLAN interface on pfSense
5 - Management - access to all switch admin, pfSense, Proxmox hosts
6 - App - VMs and other servers running various apps like MySQL, Apache, HAProxy, Deluged, monitoring software. Some with external access from WAN (HTTP/HTTPS)
10 - Trusted - My desktops, HTPC, laptop
20 - Untrusted - Guest wireless devices, cell phones, iPads, Smart TVs
Also, all the access-groups are in the "in" direction. Is this appropriate?
Code:
interface ve 2
ip access-group 102 in
ip address 10.1.2.1 255.255.255.0
!
interface ve 3
ip access-group 103 in
ip address 10.1.3.1 255.255.255.0
!
interface ve 4
ip access-group 104 in
ip address 10.1.4.1 255.255.255.0
!
interface ve 5
ip access-group 105 in
ip address 10.1.1.1 255.255.255.0
!
interface ve 6
ip access-group 106 in
ip address 10.1.6.1 255.255.255.0
!
interface ve 10
ip address 10.1.10.1 255.255.255.0
!
interface ve 20
ip access-group 120 in
ip address 10.1.20.1 255.255.255.0
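A way to dry-run lists like these before binding them to a VE is to evaluate sample packets against them with the switch's own semantics (first match wins, implicit deny at the end). The Python below is an added example, not part of the post or any Brocade tooling; it parses the numbered extended ACL syntax used above (any/host/wildcard, eq/gt with service names, established) and runs a constructed excerpt of ACL 120, showing the printer permit winning over the inter-VLAN deny and how the stateless `established` keyword passes any TCP segment with ACK set regardless of destination.

```python
import ipaddress
# Service names used in the posted ACLs (IANA numbers); numeric ports pass through
PORTS = {"bootps": 67, "bootpc": 68, "dns": 53, "ntp": 123, "snmp": 161,
         "snmp-trap": 162, "http": 80, "printer": 515, "ipp": 631, "ssh": 22}

def _addr(toks):
    # Consume 'any' | 'host A' | 'A WILDCARD'; ipaddress parses a wildcard as a hostmask
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0))
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)

def _port(toks):
    # Consume an optional 'eq P' | 'gt P' qualifier and return a match predicate
    if toks and toks[0] in ("eq", "gt"):
        op, val = toks.pop(0), toks.pop(0)
        n = PORTS[val] if val in PORTS else int(val)
        return (lambda p: p == n) if op == "eq" else (lambda p: p > n)
    return lambda p: True

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[2] == "remark":  # skip '!' separators and remarks
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        rules.append((action, proto, src, sport, dst, dport, "established" in rest))
    return rules

def evaluate(rules, proto, src, sport, dst, dport, ack=False):
    """First matching rule decides; a list with no match ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, psport, rdst, pdport, est in rules:
        ports_ok = rproto not in ("tcp", "udp") or (psport(sport) and pdport(dport))
        # 'established' is stateless: it only asks whether ACK or RST is set
        if rproto in ("ip", proto) and s in rsrc and d in rdst and ports_ok and (ack or not est):
            return action
    return "deny"
# Constructed excerpt of the post's ACL 120 (Untrusted VLAN), in the post's rule order
ACL_120 = """access-list 120 permit tcp any any established
access-list 120 permit udp 10.1.20.0 0.0.0.255 host 10.1.20.254 eq dns
access-list 120 permit tcp 10.1.20.0 0.0.0.255 host 10.1.3.5 eq 9100
access-list 120 deny ip any host 10.1.20.1 log
access-list 120 deny ip any 10.1.3.0 0.0.0.255
access-list 120 permit ip any any"""
RULES_120 = parse_acl(ACL_120)
```

Calling `evaluate(RULES_120, "tcp", "10.1.20.15", 50000, "10.1.3.6", 80)` returns deny, while the same packet with `ack=True` returns permit, which is the behaviour to keep in mind when a stateless ACL rather than pfSense does the inter-VLAN filtering.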