Redundant rules ?
-
Have Lan, Opt1 and Opt2.
Want to segregate Opt2 (internet access only), so that if it gets a virus or is owned, the damage to Lan and Opt1 is limited.
When setting up rules there are many options:
-
1. Block all outgoing messages on interface Opt2:
   source any
   dest [Lan + Opt1]
2. Block outgoing messages on interface Opt2:
   source Opt2
   dest [Lan + Opt1]
3. Block incoming messages to Lan and Opt1:
   source Opt2
   dest [Lan + Opt1]
4. Block all incoming messages to Lan and Opt1:
   source any
   dest [Lan + Opt1]
What is the right way to segregate Opt2 and do you want to do it on both sides out and in or is one side sufficient?
The rules, and whether you apply them to outgoing/incoming and to any or a specific source, are very confusing to me. As is what kind of rules you put on Wan, or from the Lans to Wan.
Any help to clear up what the right way to think about this would be appreciated.
Thanks.
-
-
@srytryagn You need to make the rules on the interfaces where your hosts are connected - as an example, on LAN, if I've got a switch on that interface, and computers plugged into that switch, I would make rules on the LAN interface tab for these LAN machines. If you don't want LAN to access any of your other networks, you need to add a block rule above your default "allow LAN to any" rule. Make it specific - block LAN to OPT1, or block LAN to OPT2.
If you want to allow or block access on your OPT1 or OPT2 networks, you need to make the rules on those interfaces. To block the OPTx networks from accessing each other, or your LAN network, make specific block rules above your "allow OPTx network to any" rule. By the way, you need to make these OPTx rules by hand, since additional networks (OPT networks) that you add to pfsense won't have any default rules on them.
By the way, there are no "in or out" directions on interface firewall rules, only on floating firewall rules. You should first figure out how interface firewall rules work and test them. Then you can move on to floating firewall rules, if that is what you meant.
Hope that helps.
-
Not sure I understand your reply.
Example: Opt2 talks to no one.
- Rule to block outgoing from Opt2 to Lan and Opt1, configured on Opt2 rules
OR
- Rule to block incoming from Opt2 to Lan and Opt1, configured on Lan1 and Opt1 rules
From above to accomplish goal do I need 1, or 2, or both ?
-
@srytryagn said in Redundant rules ?:
block all outgoing messages interface Opt2:
source any

How would source be ANY into opt2 - the only traffic that could be source into opt2 is opt2
Such statements point to a lack of understanding of how the rules work on pfsense.
Traffic is evaluated as it enters an interface from the network it's attached to.
The only source would be the same network, be that lan, or opt1 or opt2 - the only source would be lan into lan, opt1 into opt1 or opt2 into opt2
The only time you would have something other than the interface network as source is if you were using it as a transit network. And then you should really call out those CIDRs for those networks and not any, etc.
@srytryagn said in Redundant rules ?:
both sides out and in or is one side sufficient?
So you're going to do floating outbound rules on each interface?
The only place to do "outbound" rules on an interface is floating.
-
@srytryagn said in Redundant rules ?:
Not sure I understand your reply.
Example: Opt2 talks to no one.
- Rule to block outgoing from Opt2 to Lan and Opt1, configured on Opt2 rules
OR
- Rule to block incoming from Opt2 to Lan and Opt1, configured on Lan1 and Opt1 rules
From above to accomplish goal do I need 1, or 2, or both ?
I think you need to understand that "Opt2 talks to no one" does not mean no one can talk to Opt2.
-
@johnpoz said in Redundant rules ?:
How would source be ANY into opt2 - the only traffic that could be source into opt2 is opt2
How/why could Lan not be a source sending traffic to Opt2?
And yes, you are right, I do not understand how the rules work; despite reading the manual it is unclear, at least to me.
-
@jarhead What if I want both: Opt2 talks to no one in the private/local networks, and no one talks to Opt2 from the other private/local networks, i.e. Opt2 is segregated but can reach out to the internet?
-
Then you need the rule on OPT2 to prevent hosts there connecting to LAN or OPT1.
And you need rules on LAN and OPT1 to prevent hosts on those subnets connecting to OPT2.

On the normal rules tab traffic is matched on the basis of the connection coming into the interface from outside the firewall.
All traffic out of an interface is allowed.
The only exception to that being floating rules, but you should avoid them unless you have no option (for your own sanity!).

Steve
-
@stephenw10 Thanks, that makes sense, add both in that case!
However the statement "On the normal rules tab traffic is matched on the basis of connection coming into the interface from outside the firewall." is not clear in my head.
What do you mean by into the interface from wan, from the firewall into the private lan? What is outside the firewall, and on what side?
Very confusing, I am sure I am not thinking about this the right way around.
-
By 'traffic that is inside the firewall' I mean traffic in the router itself. So traffic that has been passed by a rule and allowed in on any interface. It is then routed to the appropriate interface for the destination and exits the firewall from that interface. By default all traffic is allowed to exit on any interface.
So traffic hitting the OPT2 rules for example can only have come from the OPT2 subnet. Traffic from hosts on other subnets, like LAN for example, can never hit the OPT2 rules because it only ever exits OPT2 and all outbound traffic is allowed.
See: https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html
Steve
-
@stephenw10 Is it opposite for WAN ?
-
@srytryagn said in Redundant rules ?:
Is it opposite for WAN?
No - it works exactly the same way. Traffic is inbound to the wan interface from the wan network.
Out of the box all unsolicited traffic into the wan interface is denied.
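The following is an added illustration, not code from this thread or from pfSense itself. It is a small Python model of the rule evaluation described in the replies above (rules are consulted only on the interface a packet enters on, first match wins, an interface with no matching rule falls through to the default deny, everything leaving an interface is allowed, and WAN behaves the same way). The two rulesets encode the two approaches discussed: blocking only on the OPT2 tab versus blocking on OPT2 and on LAN/OPT1, and the WAN case from the last reply. The subnets, host addresses and the `Rule`/`evaluate`/`is_segregated` names are made up for the example.

```python
"""Toy model of pfSense interface-rule evaluation (added example, not pfSense code).

Assumptions, stated as in the lead-in: each interface owns one subnet (made up
below), a packet is evaluated only by the ruleset of the interface it ENTERS
the firewall on, rules are first-match, an unmatched packet hits the implicit
default deny, and anything leaving an interface is allowed. Reply packets of a
passed connection are allowed by state, so only the first packet matters here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed subnet map; the "WAN" side is everything that is not local.
NETS = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),
    "OPT2": ipaddress.ip_network("192.168.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # "any" or an interface name, meaning that interface's subnet
    dst: str     # "any" or an interface name


def interface_for(ip: str) -> str:
    """The interface whose subnet holds the address, or WAN for anything else.
    For a packet's source this is the interface it arrives on, which is why the
    OPT2 tab can only ever see OPT2 sources."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return "WAN"


def _hit(spec: str, ip: str) -> bool:
    return spec == "any" or interface_for(ip) == spec


def evaluate(ruleset: Dict[str, List[Rule]], src_ip: str, dst_ip: str
             ) -> Tuple[str, str, Optional[int]]:
    """Return (verdict, ingress interface, index of the matching rule).
    Only the ingress interface's rules are consulted, first match wins, and an
    interface with no matching rule (or no rules at all) blocks the packet."""
    iface = interface_for(src_ip)
    for idx, rule in enumerate(ruleset.get(iface, [])):
        if _hit(rule.src, src_ip) and _hit(rule.dst, dst_ip):
            return rule.action, iface, idx
    return "block", iface, None  # implicit default deny on every interface


# Approach 1: blocks only on the OPT2 tab (the original post's option 1).
# "source any" here is effectively "source OPT2", since nothing else enters OPT2.
ONLY_OPT2 = {
    "LAN":  [Rule("pass", "LAN", "any")],   # the rule pfSense creates on LAN by default
    "OPT1": [Rule("pass", "OPT1", "any")],  # OPT tabs start empty; this is added by hand
    "OPT2": [Rule("block", "any", "LAN"), Rule("block", "any", "OPT1"),
             Rule("pass", "OPT2", "any")],
}

# Approach 2: blocks on both sides, with each block placed above the pass rule.
BOTH_SIDES = {
    "LAN":  [Rule("block", "LAN", "OPT2"), Rule("pass", "LAN", "any")],
    "OPT1": [Rule("block", "OPT1", "OPT2"), Rule("pass", "OPT1", "any")],
    "OPT2": [Rule("block", "OPT2", "LAN"), Rule("block", "OPT2", "OPT1"),
             Rule("pass", "OPT2", "any")],
}

LAN_HOST, OPT1_HOST, OPT2_HOST = "192.168.1.10", "192.168.2.10", "192.168.3.10"
INTERNET_HOST = "203.0.113.5"  # TEST-NET-3, standing in for something on the internet


def is_segregated(ruleset: Dict[str, List[Rule]]) -> bool:
    """True only if OPT2 can neither reach nor be reached from LAN and OPT1."""
    flows = [(OPT2_HOST, LAN_HOST), (OPT2_HOST, OPT1_HOST),   # OPT2 talks to no one
             (LAN_HOST, OPT2_HOST), (OPT1_HOST, OPT2_HOST)]   # no one talks to OPT2
    return all(evaluate(ruleset, s, d)[0] == "block" for s, d in flows)


if __name__ == "__main__":
    for name, rs in (("only OPT2 tab", ONLY_OPT2), ("both sides", BOTH_SIDES)):
        print(f"{name}: LAN->OPT2 {evaluate(rs, LAN_HOST, OPT2_HOST)}, "
              f"OPT2->LAN {evaluate(rs, OPT2_HOST, LAN_HOST)}, "
              f"segregated={is_segregated(rs)}")
    print("OPT2->internet", evaluate(BOTH_SIDES, OPT2_HOST, INTERNET_HOST))
    print("internet->OPT2 (unsolicited, WAN)", evaluate(BOTH_SIDES, INTERNET_HOST, OPT2_HOST))
```

Running it shows the point of the thread: with rules only on the OPT2 tab, OPT2 to LAN is blocked but LAN to OPT2 still passes, because a LAN-sourced packet is evaluated on LAN and only ever leaves OPT2. With blocks on both sides, every cross-subnet flow involving OPT2 is denied while OPT2 to the internet still passes, and an unsolicited packet arriving on WAN for OPT2 falls through to the default deny, exactly as on any other interface.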