netgate 5100

BlackBirdWilliams · May 18, 2022, 8:10 PM

Good Afternoon,

I have a work-from-home computer and would like to isolate it from my LAN devices.

I have a Netgate 5100.

All four physical ports are available with nothing plugged in. I also have express VPN and would like to have the work PC use this as well.

My idea is to be able to physically connect the Laptop to one of the available ports, be isoloated from the rest of the lan. While using the express vpn. I dont want my lan to connect to express VPN or have any connection to the isolated work network.

A little new to this and would greatly appreciate a guide as to how to establish this.

Thank you in advance,

BlackBirdWilliams

NollipfSense · May 18, 2022, 8:52 PM

@blackbirdwilliams This video will give you some ideas despite its DMZ, in your case you could call it workLAN (just an idea). You find out how to separate your work LAN from home LAN as well as how to communicate to your work LAN from your home LAN and firewall rules.

https://www.netgate.com/resources/videos-creating-a-dmz-on-pfsense

BlackBirdWilliams · Jun 16, 2022, 3:40 PM

@nollipfsense I’m embarrassed to admit this wasn’t really helpful, however, I truly appreciate the information. I think I need a more tailored guide to my specific solution. Still haven’t implemented my idea yet.

stephenw10 · Jun 16, 2022, 4:17 PM

You can definitely do that. You just need the correct firewall rules to isolate the subnets and polic based routing to make the connected hosts use the VPN.

What have you done so far?

Do you have the OpenVPN client configured?

Steve

SteveITS · Jun 16, 2022, 4:18 PM

@blackbirdwilliams Each interface is separated by default, and firewall rules control access. You can create one named LAPTOP for instance. Then set up rules like so:

LAN:
block from LAN Net to LAPTOP Net
allow from LAN Net to any [this is there by default]

LAPTOP:
block from LAPTOP Net to LAN Net
block from LAPTOP Net to This Firewall port 443 [don't block DNS]
allow from LAPTOP Net to any

BlackBirdWilliams · Jun 16, 2022, 7:43 PM

This post is deleted!

BlackBirdWilliams · Jun 16, 2022, 7:44 PM

@stephenw10I have an IP range of my home LAN as 192.168.1.0/24. I enabled the opt1 phical port and renamed it to worklan and gave it a range of 192.168.55.0/24. Enabled DHCP to give out ip's at a range of 192.168.55.100 - 192.168.55.200.

However I think my firewall rules are wonky. I can ping from my laptop on the regular lan to 192.158.55.1.

This is a link to the rules https://ibb.co/vjCFZLm

I followed a guide and tried to cutomise it however, I do not think this is correct. I would like to isolate my LAN from my worklan and isolate worklan from LAN. Then have that worklan be connected to the express VPN.

akuma1x · Jun 16, 2022, 8:15 PM

@blackbirdwilliams Your rules are setup incorrectly. To setup the isolation of one network from the other, here's what you want to do.

Make a new rule on the WORKLAN network, move it all the way up to the top of the list.

Action: Reject or Block - either one will work
Interface: WORKLAN
Address Family: IPv4
Protocol: any
Source: WORKLAN net
Destination: LAN net
Description: give it a good name here
SAVE

And you're done with that one. Make another rule, move it all the way down to the bottom after you are finished making it.

Action: Pass
Interface: WORKLAN
Address Family: IPv4
Protocol: any
Source: WORKLAN net
Destination: any
Description: give it a good name here
SAVE

And you're done with that one. The three rules you've already got in that WORKLAN interface you can disable for now, they are not necessary. You might want to reboot your pfsense box now, just to make sure everything in the firewall rule section sticks and states are reset.

To use the ExpressVPN connection on your WORKLAN network, you first have to get that setup as a new gateway on your pfsense box. Do you have that already done? We can work on that in a different response, later.

To get your LAN network working, and to block it from accessing the WORKLAN network, you would make the same 2 rules above, on the LAN network, just use LAN net as the source and the WORKLAN net as the destination. Make sense?

When you've got these rules created and the 2 network's firewall rules all cleaned up, put up some more screenshots, so we can see if everything is all setup properly. Also, you don't need to use an external site to host your screenshots, you can do that here on the forum. That way, nobody has to click a link and open another site just to see your images.

Hope that helps!

akuma1x · Jun 16, 2022, 8:12 PM

@blackbirdwilliams This looks to be a good page for setup instructions for ExpressVPN and pfsense. I don't know for sure, since I don't use that particular service on pfsense.

https://techshielder.com/how-to-setup-and-use-expressvpn-on-pfsense

stephenw10 · Jun 16, 2022, 8:17 PM

Surprisingly that guide looks pretty good. Most are bad.

BlackBirdWilliams · Jun 16, 2022, 8:47 PM

@akuma1x I truly appreciate the help! I have followed your guide to setup the rules on the worklan.

However, I'm a little confused as to what I should add on the LAN rules side.
Action: Block
Interface: LAN
Address Family: IPv4
Protocol: any
Source: LAN net
Destination: WorkLAN net
Description: give it a good name here
SAVE

Is the above rule correct? What would be the second rule for the LAN side?

BlackBirdWilliams · Jun 16, 2022, 9:10 PM

@blackbirdwilliams Also, I have openvpn setup to allow me to remote into the lan. Will this cause issues with setting up express VPN on the worklan side of things? BTW the Block rule I have added on the lan side, stops the ping from going through from the lan to worklan! Seems like it works after all! This is great.

Now I just need a little more guidance as to how to get express on the worklan. I have backup my settings at this point, just in case everything crashes and burns when I try to tweak the guide to fit my setup. Will keep you posted. Any tips would be greatly appreciated. Thank you for the help thus far!

BlackBirdWilliams · Jun 16, 2022, 9:21 PM

@blackbirdwilliams

Would I change number 6. Interface to worklan? I don't want the express VPN to be on the LAN side. Not too sure how to customize this.

akuma1x · Jun 16, 2022, 9:38 PM

@blackbirdwilliams Here's what you setup on the LAN network:

Make a new rule on the LAN network, move it to the top, right under your anti-lockout rule.

Action: Reject or Block - either one will work
Interface: LAN
Address Family: IPv4
Protocol: any
Source: LAN net
Destination: WORKLAN net
Description: give it a good name here
SAVE

And you're done with that one. Make another rule, move it all the way down to the bottom after you are finished making it.

Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: any
Source: LAN net
Destination: any
Description: give it a good name here
SAVE

That second LAN rule should technically already be there, created automatically when pfsense is first setup. If you look at your LAN rules right away, after a fresh install, it says "Default allow LAN to any rule". It's rule number 2 in this screenshot:

So, long story short, sorry... If you simply create the first rule above (the LAN block rule), and move it into position #2 on your LAN network, you'll be all good to go.

Again, put up some screenshots, if you're comfortable with that, so we can check your rule settings.

stephenw10 · Jun 16, 2022, 9:39 PM

@blackbirdwilliams said in netgate 5100:

Would I change number 6. Interface to worklan?

No. The OpenVPN client has to connect out of the WAN.

As long as you have set 'do not pull routes' as shown in step 40 there nothing should change.

Once you have that up you need to:
Assign the OpenVPN client as an interface. This will give you a gateway to route to.
Make sure the firewall default route is still via the WAN dhcp gateway. In System > Routing > Gateways, make sure the default gateway is set the WAN_DHCP not automatic.
Add policy routing to the pass rule on WORKLAN to make that traffic go via the VPN.

See: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html

Steve

BlackBirdWilliams · Jun 17, 2022, 8:01 PM

@akuma1x I think I'm good to do with the rules. Here is a screenshot of the LAN side and worklan.

BlackBirdWilliams · Jun 17, 2022, 8:06 PM

@stephenw10 I have an OpenVPN rule on my wan side to allow me to remote in. Will this interfere with anything on the express vpn side?

If I follow the guide for express VPN to the T, wont that enable the VPN for all of the LAN? I want to keep the LAN coming out of my regular ISP. However, have the worklan only use the VPN.

Could I get a little more explicit guidance?

I truly appreciate your help!!!

akuma1x · Jun 17, 2022, 8:07 PM

@blackbirdwilliams Yep, that's it, looks good!

So, the ExpressVPN connection you're working on will go in your WORKLAN rule, in the "to outside" rule. When your VPN settings are all done and working, you simply add the VPN connection as your gateway in that rule, like @stephenw10 commented just above.

akuma1x · Jun 17, 2022, 8:12 PM

@blackbirdwilliams said in netgate 5100:

Could I get a little more explicit guidance?

Here's a good video that walks you thru using a VPN service as a pfsense client to send a network (or a single machine, or an alias of machines) out a VPN connection.

https://www.youtube.com/watch?v=sGif5rXE3Ps

BlackBirdWilliams · Jun 17, 2022, 8:34 PM

@akuma1x Great Video! I'm going to give it a shot now. Will keep you posted. Thank you for your time!