Netgate Discussion Forum

    Netgate 2100 and any any rules questions

    Official Netgate® Hardware
    49 Posts 4 Posters 8.1k Views
    stephenw10 (Netgate Administrator):

      You can also just enter the FQDNs in the alias and pfSense will resolve them periodically for you.

      Where that will fall down is for something that can resolve to a large number of IPs like mail.google.com. The alias will only ever contain the IP it resolved to at the time pfSense generated the ruleset. Anything that doesn't use pfSense for DNS, like something hardcoded for 8.8.8.8 for example, might get a different IP and then be blocked.

      https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#using-hostnames-in-aliases

      Steve

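The caveat in the post above (an alias only ever holds what the firewall's own resolver returned, so a client resolving the same name elsewhere can land on an address the alias never saw) can be checked rather than guessed at. The script below is an added example, not pfSense code and not from any poster here; all resolver answers are constructed sample data in documentation address ranges, and the function names are this example's own.

```python
"""Hostname-alias drift check.

Added example; not pfSense code and not from any poster in this thread.
It models the caveat in stephenw10's post: the firewall fills a hostname
alias from what its own resolver returned, so a client that resolves the
same name elsewhere (a device hard-coded to 8.8.8.8, for instance) can be
handed an address the alias does not contain, and a 'pass to alias' rule
then misses that flow.

All resolver answers here are constructed sample data using documentation
address ranges (TEST-NET-3); the function names are this example's own.
"""
import ipaddress
from typing import Callable, Dict, Iterable, Set

Resolver = Callable[[str], Set[str]]

# Constructed: what the firewall's resolver returned at ruleset generation.
FIREWALL_ANSWERS: Dict[str, Set[str]] = {
    "mail.google.com": {"203.0.113.17", "203.0.113.18"},
    "imap.gmail.com": {"203.0.113.109"},
}

# Constructed: what a LAN client using a different resolver got moments
# later for the same names (large services rotate answers across a pool).
CLIENT_ANSWERS: Dict[str, Set[str]] = {
    "mail.google.com": {"203.0.113.19"},
    "imap.gmail.com": {"203.0.113.109"},
}


def build_alias(hostnames: Iterable[str], resolve: Resolver) -> Set[ipaddress.IPv4Address]:
    """Snapshot of every address the firewall's resolver returned for the
    names in the alias; this is the set a 'pass' rule to the alias matches."""
    table: Set[ipaddress.IPv4Address] = set()
    for name in hostnames:
        table.update(ipaddress.IPv4Address(ip) for ip in resolve(name))
    return table


def alias_drift(hostnames: Iterable[str], firewall_resolve: Resolver,
                client_resolve: Resolver) -> Dict[str, Set[str]]:
    """Per hostname, the addresses a client would actually connect to that
    are missing from the firewall's snapshot.  Those flows do not match the
    allow rule and fall through to whatever deny follows it."""
    names = list(hostnames)
    table = build_alias(names, firewall_resolve)
    drift: Dict[str, Set[str]] = {}
    for name in names:
        missing = {ip for ip in client_resolve(name)
                   if ipaddress.IPv4Address(ip) not in table}
        if missing:
            drift[name] = missing
    return drift


def sample_drift() -> Dict[str, Set[str]]:
    """Run the check against the constructed answers above."""
    return alias_drift(FIREWALL_ANSWERS.keys(),
                       lambda n: FIREWALL_ANSWERS[n],
                       lambda n: CLIENT_ANSWERS[n])


if __name__ == "__main__":
    for name, ips in sample_drift().items():
        print(f"{name}: client would use {sorted(ips)}, not in alias -> blocked")
```

To run this against a live setup, replace the two lambdas with lookups through the firewall's resolver and through the client's configured resolver; any non-empty result is a flow the hostname alias will not cover. The post's own remedy is implied by its last sentence: make every client use pfSense for DNS so that both sides see the same answers.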
      JonathanLee (reply to stephenw10):

        @stephenw10

        Thanks to everyone who helped me on this.
        I have updated the ACLs and it is working perfectly all day. I had to add the main and backups for each email type and it worked. I just did not want tunnels on my network and wanted to make the rules more specific. Each day I am trying to make it more secure.

        Thank you. This is solved.

        [Image: Rules updated.JPG]

        Make sure to upvote

        johnpoz (LAYER 8 Global Moderator, reply to JonathanLee):

          @jonathanlee said in Netgate 2100 and any any rules questions:

          Each day I am trying to make it more secure.

          But you're not aware of anything going on that shouldn't be - you're still not logging the deny you put in. So you're not going to log anything being attempted on tcp/udp..

          And your xbox(s) are still being allowed to tunnel out, and therefore bypass any firewall rules you might put in place - how is that secure?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          stephenw10 (Netgate Administrator):

            Mmm, moving consoles to a different interface would be more secure. Assuming traffic between the subnets is blocked.
            Physically wiring that could be a problem.

            Steve

            JonathanLee (reply to stephenw10):

              @stephenw10 if it's bridged to a WiFi connection, can I do that with a VLAN still? I could make a different subnet, however the WiFi system handles the connections before the firewall. The way it is set up now only the 2 consoles' IP addresses can use those ports, and nothing else. I need the Xboxes to run and they require those ports open. I want to do a VLAN; I should look into creating one and only adding the Xboxes.

              JonathanLee (reply to stephenw10):

                @stephenw10 I used to have Ethernet-over-AC devices, but they made way too much noise for the shortwave radios I get global news with, so I had to disconnect them.

                JonathanLee (reply to johnpoz):

                  @johnpoz

                  Just for you. This puppy has got a log.

                  [Image: Screen Shot 2021-11-19 at 7.04.57 AM.png]

                  johnpoz (LAYER 8 Global Moderator, reply to JonathanLee):

                    @jonathanlee it logs default deny out of the box ;)

                    Your default deny there on the bottom is pretty pointless.. Unless you wanted it on purpose not to log traffic that the default deny already does..

                    But sure if you want a rule in the gui to "see" for your default deny, that is a better way to do it - any rule with logging.

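The point johnpoz makes in the two posts above is that a block rule with logging left off writes nothing, so there is nothing to review; once the deny is logged (the built-in default deny already is) the hits land in the filter log in filterlog's comma-separated format. The parser below is an added example, not pfSense code and not from any poster here. It reads that format for IPv4 entries and counts what each source is being stopped from reaching. The field order is as this example's author understands the pfSense "Filter Log Format" documentation; the log lines are constructed samples in documentation address ranges, and the tracker and rule numbers in them are chosen for the sample, not taken from the poster's firewall.

```python
"""Summarise blocked flows from pfSense filter log lines.

Added example, not pfSense code.  Field layout for IPv4 entries, as this
example assumes from the pfSense filter log documentation:
  rule, sub-rule, anchor, tracker, interface, reason, action, direction,
  ip-version, tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text,
  length, source, destination, then for tcp/udp: source-port, dest-port, ...
IPv6 entries use a different layout and are skipped here.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed sample entries (syslog prefix + filterlog CSV payload).  The
# rule and tracker values are sample values, not the poster's rule IDs.
SAMPLE_LOG = """\
Nov 19 07:04:57 pfSense filterlog[44100]: 5,,,1000000103,mvneta1,match,block,in,4,0x0,,64,4321,0,DF,6,tcp,60,192.168.1.30,203.0.113.7,51234,443,0,S,1011,,65535,,mss
Nov 19 07:04:58 pfSense filterlog[44100]: 5,,,1000000103,mvneta1,match,block,in,4,0x0,,64,4322,0,DF,6,tcp,60,192.168.1.30,203.0.113.7,51235,443,0,S,1012,,65535,,mss
Nov 19 07:05:01 pfSense filterlog[44100]: 5,,,1000000103,mvneta1,match,block,in,4,0x0,,64,9001,0,none,17,udp,78,192.168.20.10,198.51.100.2,3074,3074,58
Nov 19 07:05:02 pfSense filterlog[44100]: 7,,,1612345678,mvneta1,match,pass,in,4,0x0,,64,9002,0,DF,6,tcp,60,192.168.1.30,198.51.100.10,51236,993,0,S,1013,,65535,,mss
"""

_PAYLOAD = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")

FlowKey = Tuple[str, str, str, Optional[int]]  # (src, dst, proto, dport)


def parse_filterlog_line(line: str) -> Optional[dict]:
    """Parse one syslog line carrying a filterlog record; None if it is not
    a filterlog IPv4 entry or is too short to hold the addresses."""
    m = _PAYLOAD.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {
        "rule": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
        "action": f[6], "direction": f[7], "proto": f[16],
        "src": f[18], "dst": f[19],
    }
    # tcp and udp both carry source-port, destination-port next.
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def summarize_blocks(lines: Iterable[str]) -> Counter:
    """Count blocked flows per (src, dst, proto, dport); passes are ignored.
    This is the view a non-logging deny rule would leave you without."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filterlog_line(line)
        if rec and rec["action"] == "block":
            key: FlowKey = (rec["src"], rec["dst"], rec["proto"], rec.get("dport"))
            counts[key] += 1
    return counts


def blocked_sources(lines: Iterable[str]) -> Dict[str, Set[Tuple[str, str, Optional[int]]]]:
    """Group the blocked destinations by internal source, which is the first
    thing to look at when deciding whether a deny hit is expected."""
    by_src: Dict[str, Set[Tuple[str, str, Optional[int]]]] = defaultdict(set)
    for (src, dst, proto, dport) in summarize_blocks(lines):
        by_src[src].add((dst, proto, dport))
    return dict(by_src)


if __name__ == "__main__":
    for key, n in summarize_blocks(SAMPLE_LOG.splitlines()).items():
        print(n, "x", key)
```

Feed it the firewall log (Status > System Logs > Firewall, or the raw filter log exported to syslog) and the counter tells you which LAN hosts are repeatedly hitting the deny and on which ports; a source that shows up only on the ports you already expect is noise, anything else is the thing the log exists to catch.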
                    stephenw10 (Netgate Administrator):

                      Do you have other things on WIFI?

                      I would look at creating a separate SSID for the xboxes and connecting that with a VLAN if your access points support it.

                      Steve

                      johnpoz (LAYER 8 Global Moderator, reply to stephenw10):

                        ^ exactly I would for sure segment such devices from the rest of my network. Especially if I was going to allow it to create a tunnel that bypasses all the firewall rules anyway to the public internet.

                        JonathanLee (reply to johnpoz):

                          @johnpoz [Image: Screen Shot 2021-11-19 at 8.00.11 AM.png]
                          Created a VLAN
                          [Image: Screen Shot 2021-11-19 at 7.59.40 AM.png]
                          But no traffic. I have statically assigned IP addresses for them.
                          [Image: Screen Shot 2021-11-19 at 8.02.15 AM.png]

                          stephenw10 (Netgate Administrator, reply to JonathanLee):

                            No traffic at all is probably a layer 2 issue.

                            How do you have the VLAN configured in pfSense? What is it connected to?

                            JonathanLee (reply to stephenw10):

                              @stephenw10

                              The LAN

                              stephenw10 (Netgate Administrator):

                                Ah, I forgot this is a 2100.

                                So OPT1VLAN20 is assigned as mvneta1.20?

                                How is the switch configured?

                                How is your AP connected?

                                Steve

                                johnpoz (LAYER 8 Global Moderator, reply to JonathanLee):

                                  @jonathanlee said in Netgate 2100 and any any rules questions:

                                  The LAN

                                  The information overload is too much..

                                  stephenw10 (Netgate Administrator, reply to johnpoz):

                                    @johnpoz said in Netgate 2100 and any any rules questions:

                                    The information overload is too much..

                                    😁

                                    JonathanLee (reply to stephenw10):

                                      @stephenw10

                                      Got it, VLANs won't work with my WiFi as it does not have the ability to make 2 SSIDs with different IP addresses. I found a workaround: I create a new subnet within a different range manually, assign the IPs in different ranges, and create new aliases for both the new Xbox IP addresses and the LAN subnet outside of the DHCP range, and let that be an inverted match. For rules, Class B with 192.168.1.1/16 and the WiFi on 192.168.1.2 with the pfSense at 192.168.1.1, and the DHCP pool only issues for 192.168.1.1/24 from 192.168.1.1-.50, and static set the 192.168.20.10, .11 for both the Xboxes. So they are in a different subnet of 192.168.1.20/24. Now you can break up the firewall rules within the IP ranges. And I can statically assign IP addresses outside of the pool on the DHCP interface because it sees the Class B network mask and allows the outsiders.

                                      After that, set the rules for groups of IP addresses and make your new rules. My fear is the HTTPS with any now. However, the Xbox ports can not access my LAN.

                                      [Image: Screen Shot 2021-11-19 at 11.14.54 AM.png]

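The replies in this thread keep coming back to putting the consoles on a separate interface or VLAN rather than a separate address range, and the reason is worth checking with numbers: pfSense rules only see packets that are forwarded through it, and two hosts that consider each other on-link (by their own subnet mask) ARP for each other and talk across the switch or access point directly. The script below is an added example, not from any poster and not pfSense code; it takes each host's address with its mask and reports which pairs would never transit the firewall. The addresses are constructed to match the ranges mentioned above, and the function names are this example's own.

```python
"""On-link or routed: which host pairs bypass the firewall entirely?

Added example, not from the thread.  A host sends directly (ARP, no
gateway) to any destination inside its own configured subnet, so pfSense
rules never see that traffic.  The check is done from each side, because
mismatched masks give an asymmetric path.  Addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple


def is_on_link(src: str, dst: str) -> bool:
    """True if the host at src (address/prefix) would send to dst's address
    directly rather than through its default gateway."""
    sender = ipaddress.ip_interface(src)
    target = ipaddress.ip_address(dst.split("/")[0])
    return target in sender.network


def traffic_path(a: str, b: str) -> str:
    """Classify the a<->b path from both hosts' points of view."""
    a_direct = is_on_link(a, b)
    b_direct = is_on_link(b, a)
    if a_direct and b_direct:
        return "direct"        # both ARP for each other; firewall never sees it
    if not a_direct and not b_direct:
        return "via-gateway"   # both send to pfSense; rules apply both ways
    return "asymmetric"        # one side goes direct, the other via gateway


def firewall_bypass_pairs(hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of named hosts whose traffic never reaches the firewall."""
    names = list(hosts)
    pairs: List[Tuple[str, str]] = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if traffic_path(hosts[x], hosts[y]) == "direct":
                pairs.append((x, y))
    return pairs


# Constructed: one shared /16 carrying both the LAN and the console range.
SHARED_16 = {
    "pc":    "192.168.1.20/16",
    "xbox1": "192.168.20.10/16",
    "xbox2": "192.168.20.11/16",
}

# Constructed: the same hosts with a separate /24 interface or VLAN for
# the consoles, so console<->LAN traffic has to cross pfSense.
SEPARATE_24 = {
    "pc":    "192.168.1.20/24",
    "xbox1": "192.168.20.10/24",
    "xbox2": "192.168.20.11/24",
}


if __name__ == "__main__":
    print("shared /16  :", firewall_bypass_pairs(SHARED_16))
    print("separate /24:", firewall_bypass_pairs(SEPARATE_24))
```

With the shared /16 every pair, including PC to console, is reported as direct, so a LAN rule that "blocks the Xbox ports from the LAN" is never consulted for that traffic; with the consoles on their own /24 interface only the two consoles remain on-link with each other, and everything between them and the LAN is subject to the rules on the two interfaces. An asymmetric result means the masks disagree and one side's replies are taking a different path than the requests, which is worth fixing before reasoning about rules at all.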
                                      stephenw10 (Netgate Administrator):

                                        If you don't have other devices on WIFI or don't need wifi to be part of the LAN layer 2 segment (for device discovery) you can still separate it onto a different interface.

                                        JonathanLee (reply to stephenw10):

                                          @stephenw10

                                          Thanks for the information!!

                                          JonathanLee (follow-up to own post):

                                            @jonathanlee

                                            [Image: Screen Shot 2021-12-03 at 8.18.05 AM.png]
                                            Updated rules with negated subnets, with logs on blocks

                                            [Image: Screen Shot 2021-12-03 at 8.18.25 AM.png]
                                            Aliases for the Xboxes' 192.168.20.1/24 network

                                            [Image: Screen Shot 2021-12-03 at 8.18.45 AM.png]
                                            LAN subnet 192.168.1.1/24

                                            [Image: Screen Shot 2021-12-03 at 8.19.01 AM.png]
                                            Mail aliases with DNS use

                                            [Image: Screen Shot 2021-12-03 at 8.19.20 AM.png]
                                            Mail aliases with DNS use update automagically

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.