Multiple interfaces: Rules configuration?
-
In a setup where we have many interfaces defined in pfSense (we have 6 now, but will add many in future), we need some clarity on how the firewall rules work.
To use one particular interface as an example: VO_PUBLIC.
VO_PUBLIC is a routed /28 public ip subnet. So we add a rule under the VO_PUBLIC tab and tell it to allow traffic to some ports. However, the default deny rule, the last rule on the WAN tab, blocks the traffic.
Is the VO_PUBLIC tab only to define rules for outgoing traffic on that network? It's after all a public routed subnet, so I would expect to be able to place all the rules that apply for the network (ingress and egress) in that tab.
Some clarity would be appreciated very much.
-
@lifeboy Firewall rules apply to packets arriving on that interface. Packets from a PC on VO_PUBLIC going towards the Internet use the rules on VO_PUBLIC. Packets from the Internet going towards VO_PUBLIC (arriving on WAN) use the rules on WAN.
-
@lifeboy Rules always apply to inbound traffic; only floating rules can be applied to outbound traffic (both directions, actually).
You need to understand, inbound traffic is traffic from the directly connected network to its interface. Outbound traffic is traffic from the firewall to the directly connected network on that interface. I.e., LAN inbound is traffic from devices on the LAN interface, and is always where rules on the LAN interface will be applied. LAN outbound is traffic from the firewall (could be WAN, other OPTs etc.) to the devices on the LAN interface.
-
@steveits, I think I have figured that, yes, although it seems somewhat counter intuitive to me. (Maybe it's my lack of exposure to other types of firewalls?)
Question: So if I set a separate gateway for a subnet (like VO_PUBLIC in this case), would I then have a separate set of rules for that subnet, apart from the rules set for the WAN interface? In other words, if I have multiple gateways, I have multiple sets of rules, right?
Would that not be a better/neater way to configure a multi-tenant environment?
Or should I set up different pfSense virtual instances, one (or two) for each tenant? In that way I could even give the tenant read access to their pfSense, so they can view their config (for those tenants that are so technically inclined)?
-
@jarhead, that makes sense to me, reading what you have written. Thank you.
-
@lifeboy said in Multiple interfaces: Rules configuration?:
it seems somewhat counter intuitive to me. (Maybe it's my lack of exposure to other types of firewalls?)
You know, there was a long thread a few months ago with someone who had the exact same comment. It may be because some firewalls have one list of rules for both in and out?
Question: So if I set a separate gateway for a subnet (like VO_PUBLIC in this case), would I then have a separate set of rules for that subnet, apart from the rules set for the WAN interface? In other words, if I have multiple gateways, I have multiple sets of rules, right?
The word "gateway" may be confusing me as that's a routing term. But each interface needs its own rules. Floating rules that apply to all interfaces exist but have plenty of caveats such as how the rules are matched.
Or should I set up different pfSense virtual instances, one (or two) for each tenant? In that way I could even give the tenant read access to their pfSense, so they can view their config (for those tenants that are so technically inclined)?
It may depend on the setup/use case, but I suppose yes one could have one router per tenant, perhaps with a "parent"/outside router to which they all connect.
If these are separate tenants, one challenge with multiple interfaces is blocking traffic to other interface networks. For example, if VLAN1 should not talk to VLAN2, that can be blocked; however, if VLAN3 is added later then 1 and 2 need a rule to block traffic to 3. Or have one rule that blocks traffic to all RFC1918 subnets, with any exceptions above it.
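The two points made in this thread, that a tab's rules only see packets arriving on that interface (so Internet-to-VO_PUBLIC traffic is decided on the WAN tab, and VO_PUBLIC-to-Internet traffic on the VO_PUBLIC tab) and that a single "block all RFC1918, exceptions above it" rule keeps working when a tenant VLAN is added later, can be checked with a small model of pfSense's first-match, default-deny evaluation. This is an added example, not pfSense code and not posted by anyone in the thread; it ignores state tracking, floating rules and NAT, and every interface name, address and rule description in it is constructed (203.0.113.0/28 stands in for the routed VO_PUBLIC /28).

```python
"""Toy model of pfSense per-interface rule evaluation (added example, not
pfSense code). Rules on an interface tab match packets ARRIVING on that
interface; first match wins; anything unmatched hits the implicit default
deny. Addresses and interface names are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# name -> directly attached network (constructed). WAN is the upstream side.
INTERFACES = {
    "WAN": ip_network("198.51.100.0/24"),
    "VO_PUBLIC": ip_network("203.0.113.0/28"),   # routed public /28 (constructed)
    "VLAN1": ip_network("10.1.0.0/24"),
    "VLAN2": ip_network("10.2.0.0/24"),
}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = None  # wildcard for dst / dport


@dataclass
class Rule:
    action: str          # "pass" or "block"
    dst: object = ANY    # None or list of networks
    dport: object = ANY  # None or int
    desc: str = ""

    def matches(self, dst_ip, dport):
        dst_ok = self.dst is ANY or any(dst_ip in n for n in self.dst)
        port_ok = self.dport is ANY or self.dport == dport
        return dst_ok and port_ok


def ingress_interface(src_ip):
    """Interface a packet arrives on: the one whose attached network holds the
    source address; anything else comes in from the Internet side, i.e. WAN."""
    for name, net in INTERFACES.items():
        if name != "WAN" and src_ip in net:
            return name
    return "WAN"


def evaluate(rulesets, src, dst, dport):
    """Return (tab consulted, action, description of the matching rule)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    iface = ingress_interface(src_ip)
    for rule in rulesets.get(iface, []):
        if rule.matches(dst_ip, dport):
            return iface, rule.action, rule.desc
    return iface, "block", "default deny"


def tenant_rules(fw_addr):
    """Per-tenant tab: the exception sits above one RFC1918 block, then allow out."""
    return [
        Rule("pass", dst=[ip_network(fw_addr + "/32")], dport=53, desc="DNS to firewall"),
        Rule("block", dst=RFC1918, desc="block all RFC1918"),
        Rule("pass", desc="allow out to Internet"),
    ]


def build_rulesets(open_wan=True):
    """open_wan=False reproduces the original poster's situation: a pass rule
    only on the VO_PUBLIC tab and nothing on WAN, so inbound hits default deny."""
    wan = [Rule("pass", dst=[INTERFACES["VO_PUBLIC"]], dport=443,
                desc="inbound 443 to VO_PUBLIC")] if open_wan else []
    return {
        "WAN": wan,
        "VO_PUBLIC": [Rule("pass", desc="tenant hosts out")],
        "VLAN1": tenant_rules("10.1.0.1"),
        "VLAN2": tenant_rules("10.2.0.1"),
    }


def add_interface(name, cidr):
    """Simulate adding a tenant VLAN later; existing tabs are left untouched."""
    INTERFACES[name] = ip_network(cidr)


if __name__ == "__main__":
    rs = build_rulesets()
    for pkt in [("192.0.2.10", "203.0.113.5", 443),   # Internet -> VO_PUBLIC host: WAN tab
                ("203.0.113.5", "192.0.2.10", 80),    # VO_PUBLIC host -> Internet: VO_PUBLIC tab
                ("10.1.0.50", "10.2.0.50", 22),       # tenant 1 -> tenant 2: RFC1918 block
                ("10.1.0.50", "10.1.0.1", 53),        # tenant 1 -> its gateway DNS: exception
                ("10.1.0.50", "203.0.113.5", 443)]:   # tenant 1 -> public tenant: NOT RFC1918
        print(pkt, "->", evaluate(rs, *pkt))
    add_interface("VLAN3", "10.3.0.0/24")
    print(("10.1.0.50", "10.3.0.50", 22), "->", evaluate(rs, "10.1.0.50", "10.3.0.50", 22))
```

The last two checks are the caveats worth noticing: a newly added VLAN3 is blocked from VLAN1 without editing VLAN1's tab, because the block matches the whole RFC1918 range rather than a specific neighbour, but a tenant on a routed public subnet such as VO_PUBLIC is outside RFC1918, so an "allow out to Internet" rule lets the other tenants reach it. In that layout the block alias has to include the public tenant subnets as well (or be built as "not this interface's own subnet" with an explicit list), or the isolation has a hole.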
-
@steveits Thanks for the feedback!
We'll sit down and do some planning on how to best take this forward.