Netgate 2100 and any any rules questions
-
^ exactly I would for sure segment such devices from the rest of my network. Especially if I was going to allow it to create a tunnel that bypasses all the firewall rules anyway to the public internet.
-
@johnpoz
Created a VLAN
But no traffic I have static assigned ip addresses for them.
-
No traffic at all is probably a layer 2 issue.
How do you have the VLAN configured in pfSense? What is it connected to?
-
The Lan
Make sure to upvote
-
Ah, I forgot this is a 2100.
So OPT1VLAN20 is assigned as mvneta1.20?
How is the switch configured?
How is your AP connected?
Steve
-
@jonathanlee said in Netgate 2100 and any any rules questions:
The Lan
The information overload is too much..
-
-
Got it VLANS won't work with my Wifi as it does not have the ability to make 2 SSIDs with different IP addresses. I found a workaround I create a new subnet within a different range manually and assign the IPs in a different ranges and create new alias for both the new Xbox IP addresses and LAN subnet outside of the DHCP range and let that be a inverted match. For rules Class B with 192.168.1.1/16 and the wifi on 192.168.1.2 with the Pfsense at 192.168.1.1, and the DHCP pool only issues for 192.168.1.1/24 from 192.168.1.1-.50 and static set the 192.168.20.10, .11 for both the Xboxes. So they are in a different subnet of 192.168.1.20/24 Now you can break up the firewall rules within the IP ranges. And I can statically assign IP addresses outside of the POOL on the DHCP interface because it sees the Class B network mask and allows the outsiders.
After set the rules for groups of IP addresses and make your new rules. My fear is the https with any now. However the Xbox ports can not access my lan.
-
If you don't have other devices on WIFI or don't need wifi to be part of the LAN layer 2 segment (for device discovery) you can still separate it onto a different interface.
-
Thanks for the information!!
-
Updated Rules With Negated Subnets with Logs on blocks
Aliases for Xboxs 192.168.20.1/24 network
Lan subnet 192.168.1.1/24
Mail Aliases with DNS use
Mail Aliases with DNS use updates automagically
-
@jonathanlee huh?
If your xbox group has IPs that part of the lan.. A lan device talking to them wouldn't talk to pfsense to talk to the xbox IP.. So those rules are meaningless in preventing lan net from talking to a group of IPs on the lan.
If xbox is a different vlan, then these rules make no sense on the lan
Because those IPs would never be source of traffic into the lan interface..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
Mmm, indeed the xbox group is not separated from the LAN subnet.
-
@johnpoz Yes they are on a different network same subnet 255.255.255.0. However 192.168.20.0/24 for the game systems the LAN side is on 192.168.1.0/24 for desktops. They do work and it shows traffic for both rules. They can not talk with the lan devices also as it is a different network. The DHCP only issues Ip addresses in 192.168.1.1/24 network with a pool of 192.168.1.1-192.168.1.4 so all the devices are auto assigned in 192.168.1.1 network. The XBOX systems are static and set as 192.168.20.10 within 192.168.20.0 network 192.168.20.1/24 and 192.168.1.1 are different networks cider of /24 will not pass traffic from 192.168.1.1 to 192.168.20.1 so I can make custom rules. This block of IP address is works it has access and is assigned to the game systems. Different networks 192.168.1.1 and 192.168.20.1 same subnet 255.255.255.0 the 3rd octet is all ones on both networks.
-
They can get out 443 but "not talk to each other." Yes both can access port 443. My goal was "no tunnels with that port" from one to another so negated reverse rules.
You can see traffic when they run but nothing when they are off.
-
@jonathanlee your running multiple layer 3 on the same layer 2..
You do you dude - I don't help people bork up stuff.. That is just borked.
Where in NIST does it say you should do that ;) Your not actually isolating anything..
Its like telling your kids to stop talking to each other in the same room ;) If they want to talk to each other they can.. Only thing stopping them is you told them not too..
-
Thanks I fixed it I forgot the source side of things I made a new group with just Lan hosts and inverted the match.
-
I see subnetting like creating cubicles. As long as you have them your good, however yes if I just had LAN everything that is bad. Thanks for pointing that out. No Any Any rules.
