Firewall rules for creating a Dedicated Management Interface?
-
@johnpoz said in Firewall rules for creating a Dedicated Management Interface?:
The gui dashboard is available on all IPs pfsense has.. If you created a new IP of 10.10.10.10 you would be able to access it on that IP.
OK, that's new information. So I tried (with my laptop set for a static IP of 10.1.1.6) to go to http://10.10.10.10 - and sure enough, I get the login page for the dashboard. So why can't I access the dashboard at 10.10.10.10 when I give the laptop a static IP of 10.10.10.11? The only rules I have are those listed in my second post. I don't get it.
Now that address brings to mind pfblocker vip that it uses that I believe is that 10.10.10.10 address..
This could be causing you problems..
Since I can access the dashboard at http://10.10.10.10 when my laptop has a static IP of 10.1.1.6, I think that rules out problems/issues with pfblocker vip - which I'm pretty sure isn't even installed. There's no mention of it on the dashboard page and it's not listed under installed packages in the package manager.
It's possible you're not accessing the https port, or you have the 80 redirect disabled? My https is on 8443 as you can see.
I'm not even using https; haven't set it up yet.
Thanks for the help!
-
@Jarhead said in Firewall rules for creating a Dedicated Management Interface?:
@ErniePantuso Rules are applied as the packets enter an interface from the directly connected network on that interface.
I understand that but thank you (<-- not sarcasm) for not assuming that!
So if you have an ANY/ANY rule on the LAN, a packet entering the LAN can go anywhere on the firewall.
I actually have the ANY/ANY rules for the LAN disabled - but that may only be part of the story since my configuration in general is super basic (mostly due to the fact that I'm learning as I go here).
Let me explain just a little... every device on the network is on one of 5 VLANs:
The only devices on LAN are management devices - my router, switch, a cloud controller, and 2 WAPs (and my laptop until I can get this dedicated management interface setup properly. Creating a management VLAN (as well as moving all the other VLANs to the trunk port) is on my list of things to do - as soon as I have a working dedicated management interface so that if I really bork things.......
So if you want to block traffic from the LAN to the MGMT, you need a rule on the LAN interface blocking that destination.
And, presumably, on each of the VLANs, right?
There is an invisible BLOCK ALL on every interface. So no rules at all means everything is blocked. Rules are applied in order, top down, first rule that's triggered for a packet is the last rule that packet will see. So order matters and you wouldn't need those block rules unless you set them to be logged.
Really good to know! I tested that by giving my laptop an IP of 10.1.2.22 then trying to access the web gui on 10.1.2.1. No access, so great. No access to anything else, either, but the only rules I have setup for any of the VLANs are the two Reserved Networks rules (Block private networks and loopback addresses and Block bogon networks) which I've done across the board.
Look into Auto Config Backup. Disabled by default, since you need to give it a password, but once used you can always go back to any config change you made. Might be a limit of 50 changes, can't remember.
Yeah, I've already hosed everything twice. The first time I just started over. And I enabled Auto Config Backup. The second time, I brought in a monitor and USB keyboard to access everything locally and restored from a backup. I'd really rather just jack into a dedicated mgmt interface, though, and be able to access the web gui. Restoring backups is more difficult from the console since you can't see the full name/details of each. (And I like to actually take and properly name a backup once I clear a milestone - which is precisely what I'll do once I get a dedicated mgmt interface working!)
-
@ErniePantuso said in Firewall rules for creating a Dedicated Management Interface?:
static IPv4 address of 10.10.10.10/32
Just noticed this /32 is never going to work... You prob want /24; /32 is just that address.. So no, setting 10.10.10.11 wouldn't work because there is no actual network.. Change that to /24.
-
@ErniePantuso said in Firewall rules for creating a Dedicated Management Interface?:
And, presumably, on each of the VLANs, right?
That's correct. Take advantage of the built in aliases like "This firewall" for instance. You can set the management port of pfSense to any port other than 80 and 443 (let's say 445), then block all vlans access to 'This Firewall' port 445 as an example
-
@johnpoz That was a typo. Meant to type /31.
-
@Jarhead said in Firewall rules for creating a Dedicated Management Interface?:
@ErniePantuso said in Firewall rules for creating a Dedicated Management Interface?:
And, presumably, on each of the VLANs, right?
That's correct. Take advantage of the built in aliases like "This firewall" for instance. You can set the management port of pfSense to any port other than 80 and 443 (let's say 445), then block all vlans access to 'This Firewall' port 445 as an example
Do I need to change the port? Seems like 'This Firewall' (thanks for that!) would get the job done.
Are there other ports that maybe shouldn't be blocked? And along those lines, if I'm using DNS Resolver, don't all the nodes need some sort of access to "This Firewall" in order for DNS to work?
With your help, my improved understanding of how rules are processed has allowed me to get my dedicated management interface working! I even managed to create a rule that allows my laptop access to WAN addresses so I can search for answers and create/reply to forum posts!
-
@ErniePantuso said in Firewall rules for creating a Dedicated Management Interface?:
Meant to type /31.
That isn't much better.. You should set at least a /30.. If you want 2 IPs, you would have .0 as the wire, .1 and .2 as hosts, and then .3 would be broadcast..
-
@ErniePantuso There's multiple ways to do what you want.
Changing the management port and blocking it will be easier than others.
For instance, a lot of people have "guest wifi" networks where they block entire access to pfSense itself, while first allowing specific ports (ie 80, 443, 53) so that subnet can still access the internet, this would also require blocking rfc1918 since your pfSense interface would be a private address. Seeing as most webpages will use 443. But that brings other problems when a site might need a different port. I remember someone saying speedtest wouldn't work with just 443 allowed as an example.
But it sounds like you just want to block access to pfSense's management, so the "This Firewall" alias would be the way to go; it would also block access on the WAN interface. Changing the management port is probably not needed but can't hurt.
Don't forget to block ssh on those vlans also, especially if you have it enabled.
-
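Added example, not from the thread or from pfSense itself: a toy model of the three points made in the posts above (rules are evaluated on the interface a packet enters, top-down with the first match winning, and an interface with no matching rule falls through to the invisible block-all). The interface names, the 10.1.2.0/24 and 10.10.10.0/24 subnets, the firewall's own addresses and the choice of 22/80/443 as management ports are all constructed for the demo; the "This Firewall" set stands in for pfSense's built-in alias (pf's `(self)`), which covers every address the firewall holds on every interface.

```python
"""Toy model of per-interface, first-match rule evaluation (added example).

Assumptions (not from the thread): interface names, subnets, the
firewall's own addresses and the management ports are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Dict, List, Tuple

ANY = "any"

# Stand-in for pfSense's "This Firewall" alias: every address the firewall
# itself holds, on every interface, WAN included.
THIS_FIREWALL = frozenset({
    IPv4Address("10.1.1.1"),      # LAN (assumed)
    IPv4Address("10.1.2.1"),      # VLAN2 (assumed)
    IPv4Address("10.10.10.1"),    # MGMT (assumed)
    IPv4Address("203.0.113.2"),   # WAN (documentation range, assumed)
})
MGMT_PORTS = frozenset({22, 80, 443})   # assumed SSH / HTTP / HTTPS GUI ports
VLAN2_NET = IPv4Network("10.1.2.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet ENTERS on
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: object = ANY     # "tcp", "udp" or ANY
    src: object = ANY       # IPv4Network or ANY
    dst: object = ANY       # IPv4Network, THIS_FIREWALL or ANY
    dports: object = ANY    # frozenset of ports or ANY

    def matches(self, p: Packet) -> bool:
        if self.proto is not ANY and self.proto != p.proto:
            return False
        if self.src is not ANY and ip_address(p.src) not in self.src:
            return False
        # `in` works for both an IPv4Network and the THIS_FIREWALL set
        if self.dst is not ANY and ip_address(p.dst) not in self.dst:
            return False
        if self.dports is not ANY and p.dport not in self.dports:
            return False
        return True


def evaluate(rulesets: Dict[str, List[Rule]], p: Packet) -> Tuple[str, str]:
    """Return (verdict, reason). Only the ingress interface's rules are
    consulted; the first match decides; no match means the implicit block."""
    for n, rule in enumerate(rulesets.get(p.iface, []), start=1):
        if rule.matches(p):
            return rule.action, f"{p.iface} rule {n}"
    return "block", f"{p.iface} implicit default block"


RULESETS: Dict[str, List[Rule]] = {
    # VLAN2: keep DNS to the resolver on the firewall, drop management
    # access to ANY firewall address, then allow everything else.
    "vlan2": [
        Rule("pass", "udp", VLAN2_NET, THIS_FIREWALL, frozenset({53})),
        Rule("pass", "tcp", VLAN2_NET, THIS_FIREWALL, frozenset({53})),
        Rule("block", ANY, VLAN2_NET, THIS_FIREWALL, MGMT_PORTS),
        Rule("pass", ANY, VLAN2_NET, ANY, ANY),
    ],
    # MGMT: one laptop address may reach the GUI; nothing else is listed,
    # so everything else hits the implicit block.
    "mgmt": [
        Rule("pass", "tcp", IPv4Network("10.10.10.2/32"), THIS_FIREWALL,
             frozenset({443})),
    ],
    # GUEST: no rules at all, i.e. everything is blocked.
    "guest": [],
}

# Same idea as vlan2 but with "pass any" first: the block rule never fires.
MISORDERED = [Rule("pass"), Rule("block", ANY, ANY, THIS_FIREWALL, MGMT_PORTS)]


def demo() -> List[Tuple[Packet, str, str]]:
    samples = [  # constructed sample packets
        Packet("vlan2", "udp", "10.1.2.22", "10.1.2.1", 53),        # DNS to resolver
        Packet("vlan2", "tcp", "10.1.2.22", "10.1.2.1", 443),       # GUI via own gateway
        Packet("vlan2", "tcp", "10.1.2.22", "10.10.10.1", 443),     # GUI via MGMT address
        Packet("vlan2", "tcp", "10.1.2.22", "198.51.100.10", 443),  # Internet HTTPS
        Packet("mgmt", "tcp", "10.10.10.2", "10.10.10.1", 443),
        Packet("mgmt", "tcp", "10.10.10.3", "10.10.10.1", 443),
        Packet("guest", "udp", "192.0.2.5", "203.0.113.2", 53),
    ]
    return [(p, *evaluate(RULESETS, p)) for p in samples]


if __name__ == "__main__":
    for p, verdict, why in demo():
        print(f"{verdict:5} {p.iface:5} {p.proto} {p.src} -> {p.dst}:{p.dport}  ({why})")
    print(evaluate({"vlan2": MISORDERED},
                   Packet("vlan2", "tcp", "10.1.2.22", "10.1.2.1", 443)))
```

The third sample is the reason to use "This Firewall" rather than "VLAN2 address" as the destination: a block on the VLAN's own gateway IP alone would still let the laptop reach the GUI through 10.10.10.1. The model ignores floating rules and state tracking (reply traffic is allowed by state in real pf), which is why only the initial packet is evaluated here.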
@johnpoz But... it works? Please explain why I should change it (so I can learn).
-
@ErniePantuso /31 is a special mask, normally used in routers.. for a transit network, i.e. a point-to-point link. I would not recommend it for a normal network.. because there is no typical wire address and broadcast address, etc.
In a normal network, say /30 and /29, etc.. there is the wire address, i.e. the network. In a /24 this would be the .0, i.e. 192.168.1.0 would be the wire.. .1 would be the first host, .254 would be the last host and .255 would be the broadcast.
With a /31 which is really only meant for special point to point connections you do not have those.
-
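Added example, not part of the thread: the /32, /31 and /30 arithmetic johnpoz describes above, worked with Python's standard `ipaddress` module on the thread's own 10.10.10.x addresses. The `on_link` check is my own way of showing why the laptop at 10.10.10.11 could not reach a firewall configured as 10.10.10.10/32 (the firewall has no route back to .11 on that interface, so its replies leave via the default gateway), and `describe` also shows a /30 caveat: putting the firewall at 10.10.10.10/30 makes .11 the broadcast address, so the laptop would have to be .9.

```python
"""Network / broadcast / usable-host arithmetic for /32, /31 and /30
(added example, standard library only)."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List


def usable_hosts(net: IPv4Network) -> List[IPv4Address]:
    """Addresses a normal host may use on this subnet.

    /32: a single host route, only the address itself.
    /31: RFC 3021 point-to-point, both addresses are hosts and there is
         no separate network ("wire") or broadcast address.
    /30 and wider: first address is the network, last is broadcast.
    """
    if net.prefixlen == 32:
        return [net.network_address]
    if net.prefixlen == 31:
        return list(net)
    return [a for a in net
            if a not in (net.network_address, net.broadcast_address)]


def describe(cidr: str) -> Dict[str, object]:
    """Summarise the subnet an interface address such as '10.10.10.10/30'
    actually lands in (IPv4Interface keeps the host bits; .network gives
    the containing subnet)."""
    net = IPv4Interface(cidr).network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "hosts": [str(h) for h in usable_hosts(net)],
    }


def on_link(local_cidr: str, remote: str) -> bool:
    """Does a host configured as local_cidr treat `remote` as directly
    connected (ARP for it) rather than sending it to its default gateway?"""
    return IPv4Address(remote) in IPv4Interface(local_cidr).network


if __name__ == "__main__":
    for cidr in ("10.10.10.10/32", "10.10.10.10/31",
                 "10.10.10.0/30", "10.10.10.10/30"):
        print(cidr, describe(cidr))
    # Firewall on 10.10.10.10/32, laptop on 10.10.10.11/24: the laptop sees
    # the firewall as on-link, but the firewall does not see the laptop as
    # on-link, so its replies go out the default route instead.
    print("laptop -> fw on-link:", on_link("10.10.10.11/24", "10.10.10.10"))
    print("fw /32 -> laptop on-link:", on_link("10.10.10.10/32", "10.10.10.11"))
    print("fw /31 -> laptop on-link:", on_link("10.10.10.10/31", "10.10.10.11"))
```

This also answers the "could the two spare /30 addresses be exploited" worry in a practical way: on a single cable between the firewall and the laptop nothing else can claim them, and with /31 the only thing you give up is compatibility with older stacks that do not implement RFC 3021.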
@johnpoz Thanks for the explanation. My knowledge of networking is very limited. I don't really understand "the wire" or "the broadcast". Where I'm coming from is - /31 works - and there are only 2 IP addresses - the router and my laptop. There's no way for any other IP address to be used to exploit anything or cause trouble. If I use /30, there are 2 more IP addresses; couldn't one or both of them theoretically be compromised/exploited? Sorry if this seems like the dumbest question anyone has ever asked.
-
@ErniePantuso It's not dumb.. But if you have a wire between your router and your PC, how would any other devices even connect and use an IP?
If it works - sure go for it.. Just not a normal setup is all.. But yeah it can work.