Block all access except one port
-
Hello all,
I am looking forward to buying a NetGate 2100 firewall, but I am not yet sure if this firewall can do the following:
I have a home network as described in the below photo.
What I want to achieve is the following:
- Any IP address in the 192.169.10.xxx range should NOT have access to the internet, except
- Any IP address in the 192.169.10.xxx range should have only port 587 on TCP open, and only as output.
- In order to access the NVR, the firewall should act as an OpenVPN server allowing me inside the home network.
- Any other devices from the internal network should not have any restrictions from the internet.
Is the NetGate 2100 + pfSense firewall capable of doing this? If the answer to the previous question is yes, then can someone briefly describe which settings (menus) I should look at, after purchasing the product, in order to achieve what I want?
P.S. With the current setup I have (current picture except the firewall), I am able to achieve points 1, 3 and 4, but because my router completely blocks the NVR from the internet, the NVR is not able to send notification emails to my mailbox.
-
@mitrynicolae
No, pfSense cannot control access of particular devices which reside behind two other routers doing masquerading.
pfSense needs to know the IP addresses of the devices it should restrict access for. So you will need another network design to achieve this.
What's the sense of the other routers?
Replace them with L3 switches and set up VLANs, so you can control all traffic with pfSense.
-
@viragomann said in Block all access except one port:
What's the sense of the other routers?
The main router is currently the input point of my ISP and also has 10+ devices connected to it: laptops, TVs, other home appliances and so on. The secondary router (although I had the possibility to set it up as a repeater, I did not) also has 5+ devices connected to it. Also, both routers of course have wireless connections.
At the same time, my goal is not to change the entire home infrastructure just for one output port, but instead to do this with the minimum investment.
What if I change the network design and I connect both routers and the NVR directly into the Firewall?
-
@mitrynicolae said in Block all access except one port:
What if I change the network design and I connect both routers and the NVR directly into the Firewall?
Ding Ding Ding - Correct answer ;)
With your wifi routers being used as just AP.. Segment your network with your firewall.
-
@mitrynicolae said in Block all access except one port:
The main router is currently the input point of my ISP
If it is necessary for the internet connection you cannot put another router in front of it.
I'd recommend separating computers and laptops from 'dumb' devices like TVs or IoT by network segmentation.
The Netgate 2100 provides 4 LAN ports to achieve this. You can also simply connect L2 switches to it for spreading the subnets.
Yes, you should configure the wifi router as AP if you want to connect different devices to it. In router mode pfSense sees only the router's IP, but not the devices connected to the router.
-
@mitrynicolae said in Block all access except one port:
NVR directly into the Firewall?
This could be connected to the same AP as your cameras, no need to directly connect it to the firewall.
As mentioned by @viragomann either switches, or the ports on an AP connected to a firewall interface would be in the same network.
-
First of all, thank you all for your help.
Second, I don't have enough knowledge about networks (especially firewalls) and I was under the impression that the firewall will monitor every data package that will go through it and will act like a small "bridge" between two networks, saying: "aha, this package comes from 192.169.10.xxx. You shall not pass!!! (to quote Gandalf)"
Now you made me understand that actually the firewall inspects its LAN ports (with all the subnet) and I can put some rules on that LAN port. But in order for the firewall to be able to put some rules on an IP, the firewall should directly see (communicate with) that IP. In this scenario, can the NetGate 2100 act as a router, to receive the PPPoE internet connection, and also to block a certain subnet based on the rules described above?
-
@mitrynicolae said in Block all access except one port:
You shall not pass!!! (to quote Gandalf)"
But your downstream routers are natting the traffic so it looks like it comes from the router. In your drawing, all traffic would look like it comes from your main router's IP connected to pfsense, whatever your internal network..
I also assume you have some typos there, or are you really using 192.167 and 192.169 address space?? Those are public ranges.. Not rfc1918 space..
Also from that drawing I would assume your NVR is routing and natting? you have 192.167 address on one side of it and 192.169 on the other side?
Think of it this way, pfsense nats traffic behind it to look like it comes from the ISP IP.. how would your ISP block the 192.168 networks behind pfsense when all they see is the IP they gave you - most likely a public one.
Now you could stop ALL devices from going to say port 443, but you can not stop IP address 192.168.1.100 for example from going somewhere but allowing 192.168.1.101 because pfsense in your setup isn't seeing those devices IP, only the IP of the main router connected to pfsense.
The way you have that network drawn - you're going to have an impossible time trying to filter anything downstream of pfsense. Because from your drawing I would assume you're natting 3 different times before pfsense sees the traffic. If you want to filter and prevent device X from going somewhere, pfsense needs to be able to see the IP that device X is on. You need to redo your network to allow for what you want.
-
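An added example, not from the thread or from pfSense itself: a small Python model of the point made above. Interface rules are evaluated first-match like pfSense does, once for the NVR sitting directly on a segment the firewall can see, and once for the same NVR behind a masquerading router, where the per-device block silently stops applying. All addresses are constructed, with 192.168.10.0/24 standing in for the 192.169.10.xxx range renumbered into RFC 1918 space; the RFC 1918 check at the end covers the other remark in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the example (the thread's own ranges are not RFC 1918).
LAN = ipaddress.IPv4Network("192.168.10.0/24")
NVR = ipaddress.IPv4Network("192.168.10.20/32")   # the camera recorder
ROUTER = "192.168.10.1"                            # a downstream NAT router's LAN-facing address

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network   # source network the rule matches
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port


# Rules on the LAN-side interface, evaluated top to bottom, first match wins,
# as pfSense does on an interface tab; no match falls through to the default deny.
RULES = [
    Rule("pass", NVR, "tcp", 587),   # NVR may only submit mail over TCP 587
    Rule("block", NVR),              # everything else from the NVR is dropped
    Rule("pass", LAN),               # every other LAN host is unrestricted
]


def evaluate(rules, src_ip, proto, dport):
    ip = ipaddress.IPv4Address(src_ip)
    for r in rules:
        if ip in r.src and r.proto in (None, proto) and r.dport in (None, dport):
            return r.action
    return "block"


def nvr_on_pfsense_segment(proto, dport):
    """The NVR is directly on a pfSense interface, so its real address is seen."""
    return evaluate(RULES, "192.168.10.20", proto, dport)


def nvr_behind_nat_router(proto, dport):
    """The NVR sits behind a masquerading router: pfSense only ever sees ROUTER."""
    return evaluate(RULES, ROUTER, proto, dport)


def is_rfc1918(addr):
    """True only for the private ranges of RFC 1918 (192.169.x.x is not one)."""
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in RFC1918)
```

With the NVR behind the NAT router its HTTPS traffic passes, because it arrives from ROUTER and matches the unrestricted LAN rule; that is the failure the thread describes.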
@johnpoz said in Block all access except one port:
are you really using 192.167 and 192.169 address space?? Those are public ranges.. Not rfc1918 space..
Yes, I am really using those, but because it is a private network I didn't mind too much about international regulations.
@johnpoz said in Block all access except one port:
your NVR is routing and natting? you have 192.167 address on one side of it and 192.169 on the other side?
Yes it does this.
I just got an idea. How about I configure both routers to act as access points instead of actual routers? This way, the Firewall should see all the devices in my home as being part of the same subnet (even if they are chained as in the above picture), and then based on the logic above I should be able to:
- stop NVR traffic from going outside, except the specified port
- configure an OpenVPN server to be able to see the entire home devices from outside
What do you think? Should this work? (I don't want to make any other physical connections between devices, because they are in different locations of my house and I don't want to renovate any time soon.)
-
@mitrynicolae said in Block all access except one port:
I didn't mind too much about international regulations.
It's not that - but what if you happen to want to actually go to something on the public that has that network range..
There is plenty of rfc1918 space to choose from, using some public IP range makes no sense.. You're just going to shoot yourself in the foot when you can't figure out why www.something.com you want to load doesn't work..
I just got an idea
Oh you mean like stated back 2 hours ago
With your wifi routers being used as just AP.
-
@johnpoz said in Block all access except one port:
I just got an idea
Oh you mean like stated back 2 hours ago
Let me rephrase. I just understood your idea.