Isolating wireless devices with firewall rules while using a private DNS server
-
I am trying to figure out a way to block traffic between devices on my wireless network from each other and my network hardware and PCs on my wired network. I tried the recommended firewall ruling in the pfSense documentation, using the RFC1918 rule, but I am currently using a pihole as my upstream DNS server and that has a private IP address assigned, which prevents my wireless devices from accessing anything through DNS.
I thought that if I put another rule above the RFC1918 rule it would override the latter and let traffic through from the one private IP assigned to the pihole, but it seems that no matter where I stick the RFC1918 rule it takes precedence and locks it all down.
Is there a way to set the firewall to block all traffic from private addresses except for a specified address? Or am I possibly going about this completely wrong? I just want to be able to quarantine devices but allow them to access the internet, and still be able to filter their traffic through the pihole.
Please help.
-
@sierrastar writes: "set the firewall to block all traffic from private addresses except for a specified address"
This sounds like you need to invest in a managed switch so you can have VLANs w/ tags and use the built-in unbound DNS.
Use firewall aliases that could essentially eliminate the need for an upstream pihole.
I use separate aliases for DNS & NTP (each having NAT to localhost, for the pesky IoTs / TVs that want to use specific DNS).
So allow in/out only to/from chosen secure DNS & NTP servers of my choice. Hopefully helpful.
-
On the AP side: most APs have that option built in; it's called "AP Isolation".
On the client side: that's what 'public' network mode is all about on a Microsoft OS. Btw: the enforcement is done with firewall rules that use the MAC address, not the IP.
You cannot block traffic between devices - on the same LAN - with pfSense.
-
It's funny because I got a managed switch specifically to set up VLANs for this purpose, but somewhere along the way I got it in my head that it wasn't the best option for this.
I can only assume you mean that I should separate the relevant parts of the network into their own VLAN and manage their firewalls separately which seems like a good thread to follow.
Thank you for pointing me in the right direction!
-
@sierrastar you're welcome
[steps I followed]
one line out of LAN to Managed Switch that is connected to your devices
on switch setup devices w/ tagged IDs (carefully read about the switch: its security, mirroring, tap, QoS, etc.)
on pfSense LAN setup VLANs for the devices you connected using the tags you created at the switch.
each device is now separate and can be firewalled individually.
at the general setup page -> DNS Servers: address=1.1.1.1 hostname=cloudflare-dns.com or use your own
create an alias named "dns_allowed" and add the DNS you want to use, e.g. 1.1.1.1
create a redirected port forwarded NAT -> https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
set up unbound (in unbound, I use TLS personally (port 883); forwarding, certificate generation and others are required)
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html
create firewall rules per VLAN (note VLANs can contain just one or multiple devices)
make sure to add the port forwarded NAT rule above your DNS rules.
seems like a lot but it's not really, best of luck!
-
@sierrastar said in Isolating wireless devices with firewall rules while using a private DNS server:
Is there a way to set the firewall to block all traffic from private addresses except for a specified address? Or am I possibly going about this completely wrong? I just want to be able to quarantine devices but allow them to access the internet, and still be able to filter their traffic through the pihole.
With pfSense you don't block from *-addresses but to *-addresses for the most part, so I guess you have a problem with your rules to begin with.
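As an added illustration of the ordering the thread is circling around (not from any of the posters, and not a pfSense export): a pf-style ruleset for a wireless VLAN that allows DNS to the Pi-hole before a catch-all block to private destinations, plus the reverse direction on the wired side. The interface names, the Pi-hole address and the VLAN numbering are assumptions; pfSense GUI rules are first-match (`quick`), so the allow line must sit above the block.

```pf
# Added example, not pfSense's own config. Names and addresses are assumed.
wifi   = "igb0.20"         # assumed wireless VLAN interface on pfSense
lan    = "igb0"            # assumed wired LAN interface
pihole = "192.168.1.53"    # assumed Pi-hole address on the wired LAN
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Wireless -> wired: rules are evaluated first-match, so order is the whole point.
# 1. Only DNS, and only to the Pi-hole, is allowed into private space.
pass  in quick on $wifi proto { tcp, udp } from $wifi:network to $pihole port 53
# 2. Everything else aimed at a private destination (wired hosts, other VLANs) is dropped.
block in quick on $wifi from $wifi:network to <rfc1918>
# 3. What is left is Internet-bound; let it out (state handles the replies).
pass  in quick on $wifi from $wifi:network to any

# Wired -> wireless: the block above only covers wireless-initiated flows, so a
# separate rule on the wired interface keeps wired hosts from reaching the wireless VLAN.
block in quick on $lan from any to $wifi:network
```

This isolates the wireless VLAN from the wired network while keeping the Pi-hole reachable for name resolution; clients on the same wireless segment are not separated by these rules, which is the AP isolation point raised earlier in the thread.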