Netgate Discussion Forum

Disable all packet filtering interface locking

Firewalling | 7 Posts, 3 Posters, 1.1k Views
tonybutler:

      If we were to set 'disable all packet filtering' would we still be able to lock it so the web interface side was only available on a certain interface, from a certain IP given packet filtering is disabled?

Ref: "Disable Firewall

When Disable all packet filtering is set, the firewall becomes a routing-only platform. This is accomplished by disabling pf entirely, and as a consequence, NAT is disabled since it is also handled by pf."

https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html

tonybutler:

Hi, does anyone have any idea if we can achieve this? We want to lock the PF web interface to one NIC interface.

        Cheers

johnpoz (LAYER 8 Global Moderator) @tonybutler:

@tonybutler The GUI does not allow you to set which interface the GUI listens on - it listens on all IPs.

Why would you not just turn off NAT and make your rules any any if you just want to route - this would leave you with the ability to firewall, for example, the GUI, SSH, and other things that might come up where a firewall rule would make your life easier.

If you're wanting to disable pf for performance issues - it would seem to me the box is undersized for what you're wanting to do with it.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

jacklloyd @johnpoz:

Thanks @johnpoz. I work with @tonybutler and know what the challenge he's describing is. Your solution sounds like a good one; I was just hoping I could run it by you once more with a bit more context?

We've been given a wires-only Internet circuit by a provider and they've provided us with normal uplink details (a /29 subnet). We asked for a /27 block for our own external services and need to run/route this as a separate interface ourselves given it's a wires-only deployment (no managed router). Aka in a pfSense world: "WAN" uplink is the /29 and our "LAN" is the /27 we requested. For reference, all of these addresses are public, non-RFC1918 addresses.

Just for total clarity, are you suggesting we configure the "WAN" with the /29, the "LAN" as the /27, and deploy an any-any from the LAN to the WAN (would we need one from the WAN to the LAN too?) with NAT disabled to allow full flow of traffic for normal routing to the Internet?

A big challenge we face is how do we keep the pfSense locked to our network for administration given this would be an Internet router. I'm thinking we could just create a third interface on the pfSense in question to be on our corporate LAN and put the usual HTTPS/443 access rule entry in to allow access to the web UI? Do you see any security problems with that?

The pfSense routing overhead won't be a problem here; it'll be going on HP ProLiant server hardware.

            Thanks again for your help.

            Jack.

johnpoz (LAYER 8 Global Moderator) @jacklloyd:

@jacklloyd said in Disable all packet filtering interface locking:

> A big challenge we face is how do we keep the pfsense locked to our network for administration given this would be an Internet router.

Not sure why - your "admin" stuff shouldn't be on this routed /27 you're getting. That should be set up on its own interface. All your normal network stuff and admin machines, etc. should be on your normal internal networks.

              These networks could be downstream even from pfsense, if it is at the edge..

Running a routed public network behind pfSense as the router/firewall is really no different than running an RFC1918 network - other than you don't NAT. What other networks are in play behind pfSense really has little to do with that. Those could be RFC1918 networks, they could be other routed networks, etc.

> the "LAN" as the /27

I wouldn't really put the /27 on the pfSense "LAN"; it should be some other OPT network you create. pfSense "LAN" is better suited for your internal "admin" network, since it defaults to having the anti-lockout rule on it, which makes it better suited for the admin network if you're going to run more than one LAN-side network, be those networks RFC1918 and NATted or public and not NATted.

jacklloyd @johnpoz:

                @johnpoz That's great.

What we'll probably do then is just manage the pfSense with an IP lock from our other Internet connections on the /27 LAN interface for this. This would mean this pfSense isn't physically connected to our network then and is just an edge router for our other firewall to uplink to.

The ISP has given us this (see below) to use if the edge device was a Cisco router; how would we create this on the pfSense? Do we just create VLANs with the same ID on the VLANs tab of pfSense and assign them to the appropriate network interfaces?

    interface gi0/0/0.100
     description WAN
     ip address YYY.YYY.YYY.YYY 255.255.255.254
     encapsulation dot1q 100

    interface Gi0/0/1
     no shut

    interface gi0/0/1.800
     description LAN
     ip address XXX.XXX.XXX.XXX 255.255.255.224
     encapsulation dot1q 800

    ip route 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYY

(The gateway is another predefined address on the WAN subnet, cleared out for security.)

johnpoz (LAYER 8 Global Moderator) @jacklloyd:
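The question of turning the ISP's Cisco hand-off into pfSense VLAN assignments is mechanical enough to script. The following is an added example, not code from the thread or from pfSense: it parses an IOS-style fragment of the shape posted above, derives the dot1q tag, CIDR and parent NIC for each sub-interface, checks that the default gateway actually sits inside the WAN subnet, and, following the advice in the thread, places the routed /27 on an OPT interface rather than on "LAN". The NIC names igb0/igb1, the parent-NIC mapping, the pfSense VLAN naming (parent.tag) and the RFC 5737 sample addresses are all assumptions standing in for the redacted values.

```python
"""Translate a Cisco IOS sub-interface hand-off into a pfSense VLAN/interface plan.

Added example (not from the forum thread or from pfSense itself). It assumes the
ISP hand-off is a router-style config like the one posted in the thread and that
pfSense has two physical NICs, igb0 (towards the ISP) and igb1 (towards the
switch). Both NIC names and the parent-NIC mapping below are assumptions.
"""
import ipaddress
import re

# Constructed sample: same shape as the ISP hand-off in the thread, with
# documentation (RFC 5737) addresses standing in for the redacted ones.
SAMPLE_IOS = """\
interface gi0/0/0.100
 description WAN
 ip address 203.0.113.1 255.255.255.254
 encapsulation dot1q 100

interface Gi0/0/1
 no shut

interface gi0/0/1.800
 description LAN
 ip address 198.51.100.33 255.255.255.224
 encapsulation dot1q 800

ip route 0.0.0.0 0.0.0.0 203.0.113.0
"""

# Which pfSense parent NIC carries each Cisco physical port (assumption).
PARENT_NIC = {"gi0/0/0": "igb0", "gi0/0/1": "igb1"}

# pfSense role per ISP description: WAN stays WAN, but the routed /27 goes on
# an OPT interface so pfSense "LAN" (with its anti-lockout rule) is kept for
# the admin network, as johnpoz recommends above.
ROLE_FOR = {"WAN": "WAN", "LAN": "OPT1"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ios(text):
    """Return (subinterfaces, default_gateway) from an IOS-style fragment."""
    subifs, current, gateway = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line, re.I)
        if m:  # global default route, independent of any interface stanza
            gateway = ipaddress.ip_address(m.group(1))
            continue
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            name = m.group(1).lower()
            current = None  # physical ports without a dot carry no IP here
            if "." in name:
                phys, sub = name.rsplit(".", 1)
                current = {"phys": phys, "sub": int(sub), "description": None,
                           "ip": None, "mask": None, "vlan": None}
                subifs.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"description\s+(.+)", line, re.I)
        if m:
            current["description"] = m.group(1).strip()
            continue
        m = re.match(r"ip address (\S+) (\S+)", line, re.I)
        if m:
            current["ip"], current["mask"] = m.group(1), m.group(2)
            continue
        m = re.match(r"encapsulation dot1q (\d+)", line, re.I)
        if m:
            current["vlan"] = int(m.group(1))
    return subifs, gateway


def pfsense_plan(text):
    """Map each sub-interface to a pfSense VLAN and assignment, with sanity checks."""
    subifs, gateway = parse_ios(text)
    plan = []
    for s in subifs:
        iface = ipaddress.ip_interface(f"{s['ip']}/{s['mask']}")  # dotted mask -> prefix
        tag = s["vlan"] if s["vlan"] is not None else s["sub"]
        entry = {
            "role": ROLE_FOR.get(s["description"], f"OPT-{s['description']}"),
            "vlan_if": f"{PARENT_NIC[s['phys']]}.{tag}",  # assumed pfSense VLAN name
            "tag": tag,
            "cidr": str(iface),
            "prefix": iface.network.prefixlen,
            "warnings": [],
        }
        if s["vlan"] is not None and s["vlan"] != s["sub"]:
            entry["warnings"].append("sub-interface number differs from dot1q tag; use the tag")
        if entry["role"] == "WAN":
            if gateway is None or gateway not in iface.network:
                entry["warnings"].append("default gateway is not inside the WAN subnet")
            else:
                entry["gateway"] = str(gateway)
        if any(iface.ip in n for n in RFC1918):
            entry["warnings"].append("RFC1918 space: NAT would normally be needed")
        plan.append(entry)
    return plan


if __name__ == "__main__":
    for e in pfsense_plan(SAMPLE_IOS):
        print(e)
```

Each entry of the plan corresponds to one row on the pfSense VLANs tab (parent NIC plus tag) and one interface assignment with its static IPv4 address and prefix; the WAN entry also carries the upstream gateway to enter on that interface. The warnings are the checks a practitioner would make by hand before applying the config, such as a gateway that is not actually on the WAN subnet.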

If your WAN connection is coming in on a VLAN, then yeah, you would set up the pfSense WAN to use that VLAN. But if this other /27 is on some other VLAN - then it's not actually routed - and is directly attached.

Or, you're sure you can run the "LAN" side network on any VLAN you want to run through your switching infrastructure.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.