Netgate Discussion Forum
    Isolate VLAN but pass DHCP & Internet?

    Firewalling
    • AR15USR

      I have created an IOT VLAN that I want to isolate but still be able to pass DHCP and Internet. Is this rule set correct for that?

      I've plugged a laptop into this VLAN and it gets assigned the correct IP. It can't ping the other interfaces, but it can ping the internet and 192.168.1.1 (pfSense); it can't browse to the pfSense GUI, though.

      Should I also add rules on the other interfaces blocking access to the IOT VLAN?

      [image: rule1.jpg]


      2.6.0-RELEASE

      • johnpoz (LAYER 8 Global Moderator)

        For what possible reason would you block bogons on your own local network?? Completely pointless.

        You don't need the DHCP rule - once you enable dhcpd in pfSense, hidden rules are created to allow it to serve DHCP.

        You're only blocking TCP to LAN net, so UDP (DNS) or ICMP would still work. But you block all to camnet.

        What would be the point of blocking the IoT VLAN? Devices on the IoT VLAN don't talk to pfSense to talk to their brothers and sisters. While you would not be able to get to the LAN pfSense IP to access the web GUI of pfSense, there is no rule stopping you from talking to, say, the IoT net pfSense IP and the web GUI.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • AR15USR

          "For what possible reason would you block bogons on your own local network?? Completely pointless."

          Checked it out of habit, will remove.

          "You don't need the DHCP rule - once you enable dhcpd in pfSense, hidden rules are created to allow it to serve DHCP."

          Hmm, well, if I don't have the rule the laptop does not get assigned an IP. When I add the pass rule it then does get assigned an IP.

          "You're only blocking TCP to LAN net."

          That was a mistake, changed to block all

          "What would be the point of blocking the IoT VLAN? Devices on the IoT VLAN don't talk to pfSense to talk to their brothers and sisters. While you would not be able to get to the LAN pfSense IP to access the web GUI of pfSense, there is no rule stopping you from talking to, say, the IoT net pfSense IP and the web GUI."

          The point is to stop any communication to or from the other interfaces to/from the IoT interface but allow it to connect to the internet. I don't care if the devices on the IoT VLAN talk to each other, I just don't want them to talk to, say, my desktop computer on my LAN. I browsed to the pfSense web GUI from the laptop, and it could not reach the GUI.

          [image: rule1.jpg]


          • johnpoz (LAYER 8 Global Moderator)

            "Hmm, well, if I dont have the rule the laptop does not get assigned an IP"

            That could be issues with blocking bogons messing with DHCP. There is zero reason to block bogons on a local interface - and for that matter almost zero to do it on a WAN interface ;) WAN is default deny all, so you would only be blocking "bogons" from accessing your open ports or forwards. Then again, bogons do not route on the internet anyway. So exactly how much traffic would you think you would see on such a rule? And it could only be coming from your local ISP anyway.

            While it is common practice from days gone by, it really is a kind of pointless block in most setups.

            You browsed to what IP from your laptop to try and get to the GUI? The web GUI would be listening on the IoT pfSense IP, and you have no rule that would stop that. There is also no rule that would stop you from hitting your WAN IP and accessing the GUI.

            You also understand that your DHCP rule would only allow direct traffic to 192.168.1.1 - a DHCP discover is a broadcast. So that rule wouldn't be allowing anything. So whatever you believe the issue was with DHCP, that rule isn't actually doing anything.

            • AR15USR

              "That could be issues with blocking bogons messing with DHCP."

              Looks like that was it. I removed it as well as the "pass dhcp" rule and it now gets an IP

              "You browsed to what IP from your laptop to try and get to the GUI?"

              192.168.1.1, the IP of the pfsense box.

              "There is also no rule that would stop you from hitting your WAN IP and accessing the GUI."

              How can I test that?

              [image: rule3.jpg]


              • johnpoz (LAYER 8 Global Moderator)

                Well, look on pfSense - what is its WAN IP? Hit that in your browser on the port you have your GUI listening on, etc.

                • pfBasic (Banned)

                  So, removing all allow-any rules on a LAN, we don't need to pass UDP on ports 67 & 68 for DHCP so long as dhcpd is running?

                  • johnpoz (LAYER 8 Global Moderator)

                    @pfbasic: when you enable dhcpd on an interface in pfSense, yes, it creates rules that you cannot see in the GUI that allow dhcpd to function.

                    You can view these rules if you want via cmd line.
                    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

                    Even if you are just running a DHCP relay, these rules are auto-created. Could you imagine the amount of forum traffic it would create if users had to create rules for DHCP to function ;) While I would like a way to show all rules… sometimes it's best not to confuse new users ;)

                    • pfBasic (Banned)

                      That is very cool, thank you! I guess I'll go delete that rule haha.

                      • AR15USR

                        @johnpoz:

                        "Well, look on pfSense - what is its WAN IP? Hit that in your browser on the port you have your GUI listening on, etc."

                        I could not reach the gui at the WAN IP from the VLAN.


                        • Derelict (LAYER 8 Netgate)

                          Then you did it wrong. There is nothing in those rules blocking the same. The traffic will be passed by the last rule.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          • johnpoz (LAYER 8 Global Moderator)

                            So you either altered your rules, or went to the wrong IP or port. There is nothing in those rules that stops a box on the OPT net from talking to any port it wants on the firewall's OPT net interface, or the WAN IP via the OPT net. So yeah, you're going to be able to hit the pfSense web GUI, SSH to pfSense, etc.

                            • AR15USR

                              Here is what I did.

                              • Plugged laptop into correct vlan port on switch (laptop received correct IP, 192.168.20.5)

                              • Browsed via Chrome to my public IP supplied from ISP on the correct port

                              • Browser could not reach the gui

                              Could it be because I have the "Block private networks and loopback addresses" and "Block Bogons" options checked on the WAN interface?


                              • AR15USR

                                I've added this rule to block the WAN. I've tried to browse to the WAN IP and it can't reach it..

                                [image: rule4.jpg]


                                • Derelict (LAYER 8 Netgate)

                                  Just pass the specific things on the firewall you want them to be able to access (like DNS) then block any to This Firewall (self).

                                  • AR15USR

                                    Does that last pic of the rule set achieve what I'm after? Blocking IOTnet from everything except the internet? That's all I'm trying to do.

                                    It seems like it does based on trying to access things from the laptop when plugged into the IOT vlan port.


                                    • Derelict (LAYER 8 Netgate)

                                      This firewall (self) makes more sense as the destination of your last rule than WAN net.

                                      • AR15USR

                                        @Derelict:

                                        This firewall (self) makes more sense as the destination of your last rule than WAN net.

                                        As soon as I switch it to "This Firewall (self)", devices on IoT lose internet connection, FYI…


                                        • johnpoz (LAYER 8 Global Moderator)

                                          Well, post up your current rules. Yes, if you block access to the firewall before you allow DNS, say, then no, the internet is not going to work if you're using pfSense for your DNS. Or if you're running a proxy and block access to the firewall before you allow the proxy port, etc. etc.

                                          Rules are evaluated top down as traffic enters the interface, first rule to trigger wins and no other rules are evaluated.  If the traffic is not allowed then it hits the default deny and would be blocked.

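The three pf behaviours argued over in this thread (a unicast "pass DHCP" rule never matching a broadcast DISCOVER, "block WAN net" leaving the firewall's own IoT-side address reachable where "This Firewall (self)" would not, and a "block self" rule placed above the DNS pass rule killing name resolution) can be checked without a pfSense box by modelling the interface rule list as a top-down, first-match filter with a default deny. The script below is an added example written for this page, not pfSense code and not the posters' actual rules, which only survive as screenshots; the rule sets are reconstructed from the discussion, and the IoT gateway address, WAN address, desktop address and the shape of the hidden dhcpd rule are assumptions.

```python
"""Toy first-match packet filter modelling the pf semantics discussed in the
thread. Added example; not pfSense code. Addresses other than 192.168.1.1 and
192.168.20.5 are constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology: LAN gateway is 192.168.1.1 (from the thread); the IoT
# gateway and the WAN address are made up.
IFACE_ADDRS = {"LAN": "192.168.1.1", "IOT": "192.168.20.1", "WAN": "203.0.113.7"}
NETS = {
    "LAN net": "192.168.1.0/24",
    "IOT net": "192.168.20.0/24",
    "WAN net": "203.0.113.0/24",
}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    proto: str = "any"
    dst: str = "any"           # "any", a NETS alias, "This Firewall (self)" or an address
    dport: Optional[int] = None
    label: str = ""


def dst_matches(rule_dst: str, dst: str) -> bool:
    """pfSense destination aliases: 'self' is every address the firewall owns,
    'X net' is that interface's subnet, anything else is a literal host."""
    if rule_dst == "any":
        return True
    if rule_dst == "This Firewall (self)":
        return dst in IFACE_ADDRS.values()
    if rule_dst in NETS:
        return ip_address(dst) in ip_network(NETS[rule_dst])
    return dst == rule_dst


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and dst_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt: Packet):
    """Rules are evaluated top down as traffic enters the interface; the first
    match wins. No match falls through to pf's implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


# Constructed sample traffic entering the IoT interface from the laptop.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)   # broadcast
DNS_TO_IOT_GW = Packet("udp", "192.168.20.5", "192.168.20.1", 53)
GUI_VIA_IOT_GW = Packet("tcp", "192.168.20.5", "192.168.20.1", 443)
GUI_VIA_WAN_IP = Packet("tcp", "192.168.20.5", "203.0.113.7", 443)
LAN_DESKTOP = Packet("tcp", "192.168.20.5", "192.168.1.50", 445)
INTERNET = Packet("tcp", "192.168.20.5", "93.184.216.34", 443)

PASS_DNS = Rule("pass", "udp", "This Firewall (self)", 53, "pass DNS to resolver")
BLOCK_SELF = Rule("block", dst="This Firewall (self)", label="block This Firewall (self)")
BLOCK_LAN = Rule("block", dst="LAN net", label="block LAN net")
BLOCK_WAN_NET = Rule("block", dst="WAN net", label="block WAN net")
PASS_ANY = Rule("pass", label="pass to internet")


def unicast_dhcp_rule_result():
    """A 'pass udp to 192.168.1.1 port 67' rule cannot match a DISCOVER, which
    is sent to 255.255.255.255. Only a broadcast-aware rule (an approximation of
    the hidden rule pfSense adds when dhcpd is enabled) lets it through."""
    visible_only = [Rule("pass", "udp", "192.168.1.1", 67, "pass dhcp (unicast)")]
    hidden = Rule("pass", "udp", "255.255.255.255", 67, "hidden dhcpd rule (assumed)")
    return (evaluate(visible_only, DHCP_DISCOVER)[0],
            evaluate([hidden] + visible_only, DHCP_DISCOVER)[0])


def self_block_ordering():
    """Same four rules; only the position of 'block self' changes."""
    wrong = [BLOCK_SELF, PASS_DNS, BLOCK_LAN, PASS_ANY]
    right = [PASS_DNS, BLOCK_SELF, BLOCK_LAN, PASS_ANY]
    return evaluate(wrong, DNS_TO_IOT_GW)[0], evaluate(right, DNS_TO_IOT_GW)[0]


def wan_net_vs_self():
    """'block WAN net' covers the WAN address but not the firewall's IoT-side
    address, so the GUI stays reachable there; 'This Firewall (self)' closes it."""
    wan_net = [PASS_DNS, BLOCK_LAN, BLOCK_WAN_NET, PASS_ANY]
    use_self = [PASS_DNS, BLOCK_SELF, BLOCK_LAN, PASS_ANY]
    return {
        "WAN net: GUI via IoT gateway": evaluate(wan_net, GUI_VIA_IOT_GW)[0],
        "WAN net: GUI via WAN IP": evaluate(wan_net, GUI_VIA_WAN_IP)[0],
        "self: GUI via IoT gateway": evaluate(use_self, GUI_VIA_IOT_GW)[0],
        "self: LAN desktop": evaluate(use_self, LAN_DESKTOP)[0],
        "self: internet": evaluate(use_self, INTERNET)[0],
    }


if __name__ == "__main__":
    print("DHCP discover (visible rule only, with hidden rule):", unicast_dhcp_rule_result())
    print("DNS with block-self first, then DNS first:", self_block_ordering())
    for name, verdict in wan_net_vs_self().items():
        print(f"{name}: {verdict}")
```

The model deliberately ignores NAT, state and the interface a rule is bound to, which is enough to reproduce the outcomes above; on a real box, confirm with the full ruleset (`pfctl -sr` on the pfSense shell, as the linked doc describes) rather than trusting the GUI list, since the dhcpd rules never appear there.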
                                          • AR15USR

                                            I've added the DNS NAT forward & rule that I did on the LAN interface (from the Squid setup post: https://forum.pfsense.org/index.php?topic=112335.0) to this interface as well. The devices are reaching the internet now.

                                            If there is a better way of forcing all devices to use pfSense for DNS (I'm using the DNS Resolver), please let me know..
                                            edit: found this: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

                                            [image: rule5.jpg]


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.