Netgate Discussion Forum
    Firewall rules for creating a Dedicated Management Interface?

    Firewalling
    17 Posts 3 Posters 1.9k Views
    • johnpoz LAYER 8 Global Moderator @ErniePantuso

      @ErniePantuso said in Firewall rules for creating a Dedicated Management Interface?:

      static IPv4 address of 10.10.10.10/32

      Just noticed this /32 is never going to work... You prob want /24; /32 is just that address. So no, setting 10.10.10.11 wouldn't work because there is no actual network. Change that to /24.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11
    • Jarhead @ErniePantuso

      @ErniePantuso said in Firewall rules for creating a Dedicated Management Interface?:

      And, presumably, on each of the VLANs, right?

      That's correct. Take advantage of the built-in aliases like "This Firewall", for instance. You can set the management port of pfSense to any port other than 80 and 443 (let's say 445), then block all VLANs' access to "This Firewall" port 445, as an example.
    • ErniePantuso @johnpoz

      @johnpoz That was a typo. Meant to type /31.
    • ErniePantuso @Jarhead

      @Jarhead said in Firewall rules for creating a Dedicated Management Interface?:

      @ErniePantuso said in Firewall rules for creating a Dedicated Management Interface?:

      And, presumably, on each of the VLANs, right?

      That's correct. Take advantage of the built-in aliases like "This Firewall", for instance. You can set the management port of pfSense to any port other than 80 and 443 (let's say 445), then block all VLANs' access to "This Firewall" port 445, as an example.

      Do I need to change the port? Seems like "This Firewall" (thanks for that!) would get the job done.
      Are there other ports that maybe shouldn't be blocked? And along those lines, if I'm using DNS Resolver, don't all the nodes need some sort of access to "This Firewall" in order for DNS to work?

      With your help, my improved understanding of how rules are processed has allowed me to get my dedicated management interface working! I even managed to create a rule that allows my laptop access to WAN addresses so I can search for answers and create/reply to forum posts!
    • johnpoz LAYER 8 Global Moderator @ErniePantuso

      @ErniePantuso said in Firewall rules for creating a Dedicated Management Interface?:

      Meant to type /31.

      That isn't much better. You should set at least a /30. If you want 2 IPs, you would have .0 the wire, .1 and .2, and then .3 would be broadcast.
    • Jarhead @ErniePantuso

      @ErniePantuso There's multiple ways to do what you want.
      Changing the management port and blocking it will be easier than others.
      For instance, a lot of people have "guest wifi" networks where they block entire access to pfSense itself, while first allowing specific ports (i.e. 80, 443, 53) so that subnet can still access the internet. This would also require blocking RFC 1918 since your pfSense interface would be a private address, seeing as most web pages will use 443. But that brings other problems when a site might need a different port. I remember someone saying speedtest wouldn't work with just 443 allowed, as an example.
      But it sounds like you just want to block access to pfSense's management, so the "This Firewall" would be the way to go; it would also block access on the WAN interface. Changing the management port is probably not needed but can't hurt.
      Don't forget to block SSH on those VLANs also, especially if you have it enabled.
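The rule ordering Jarhead describes (allow the specific ports a subnet needs, then block the "This Firewall" alias so the GUI and SSH are unreachable, then block RFC 1918 so the subnet cannot reach other VLANs, then pass the rest to the internet) can be sanity-checked with a small first-match simulator. The following is an added example written for this page, not pfSense code and not something posted in the thread. The interface addresses, the port 53 exception (matching the 53 in Jarhead's list, and the reason the DNS Resolver on the firewall keeps working) and the rule order are constructed assumptions; what the simulator does reproduce is how pfSense evaluates interface rules: top-down, first match wins, with an implicit default deny if nothing matches.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing (assumption, not from the thread). The firewall owns one
# address per interface; the pfSense "This Firewall" alias expands to all of them,
# which is why a block on it also covers the management and WAN addresses.
THIS_FIREWALL = {
    ipaddress.ip_address(a)
    for a in ("10.10.10.1", "192.168.20.1", "192.168.30.1", "203.0.113.10")
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "tcp", "udp" or "any"
    dst: object    # "self" (This Firewall alias), "rfc1918", or an ip_network
    dports: tuple  # destination ports; () means any port
    note: str


def dst_matches(rule, dst_ip):
    if rule.dst == "self":
        return dst_ip in THIS_FIREWALL
    if rule.dst == "rfc1918":
        return any(dst_ip in n for n in RFC1918)
    return dst_ip in rule.dst


def evaluate(rules, proto, dst_ip, dport):
    """Walk the rules top-down; the first rule that matches decides (pfSense behaviour).
    Returns (action, note). A packet no rule matches hits the implicit default deny."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not dst_matches(r, dst_ip):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action, r.note
    return "block", "implicit default deny"


# Rules for a non-management VLAN, in the order they would sit on that interface tab.
VLAN_RULES = [
    Rule("pass", "any", "self", (53,), "DNS Resolver on the firewall (UDP and TCP 53)"),
    Rule("block", "any", "self", (), "everything else to This Firewall: GUI, SSH, ..."),
    Rule("block", "any", "rfc1918", (), "other private networks, i.e. the other VLANs"),
    Rule("pass", "any", ANY, (), "anything left: the internet"),
]

# Rules for the dedicated management interface: only the firewall's GUI and SSH.
MGMT_RULES = [
    Rule("pass", "tcp", "self", (443, 22), "management laptop may reach the GUI and SSH"),
]

if __name__ == "__main__":
    for proto, ip, port in [("udp", "192.168.20.1", 53), ("tcp", "192.168.20.1", 443),
                            ("tcp", "10.10.10.1", 443), ("tcp", "192.168.30.5", 445),
                            ("tcp", "198.51.100.7", 443)]:
        print(f"VLAN -> {ip}:{port}/{proto}: {evaluate(VLAN_RULES, proto, ip, port)}")
```

Swapping the first two VLAN rules is the classic mistake: the block on "This Firewall" then matches port 53 first and name resolution on that VLAN silently dies, which is exactly why the pass for the ports you want comes before the block.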
    • ErniePantuso @johnpoz

      @johnpoz But... it works? Please explain why I should change it (so I can learn).
    • johnpoz LAYER 8 Global Moderator @ErniePantuso

      @ErniePantuso /31 is a special mask, normally used in routers for a transit network, i.e. a point to point. I would not recommend it for a normal network, because there is no typical wire address and broadcast address, etc.

      In a normal network, say /30 and /29, etc., there is the wire address, i.e. the network. In a /24 this would be the .0, i.e. 192.168.1.0 would be the wire, .1 would be the first host, .254 would be the last host and .255 would be the broadcast.

      With a /31, which is really only meant for special point to point connections, you do not have those.
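johnpoz's two points (the /30 layout of wire, two hosts and broadcast, and why /31 and /32 differ from a normal network) can be worked through with Python's ipaddress module. This is an added example written for this page, not code from the thread; it uses the 10.10.10.x addresses from the discussion and applies the conventional rules: /32 is a single host, /31 (RFC 3021, point-to-point) has two usable addresses and no broadcast, and anything shorter reserves the first address for the network ("wire") and the last for broadcast.

```python
import ipaddress


def describe(cidr):
    """Describe an IPv4 network as
    (network/wire, first usable, last usable, broadcast, usable host count).

    Constructed example. /32 is one host; /31 has two usable addresses and no
    broadcast; anything shorter loses the first address to the network ("wire")
    and the last to broadcast, as described above for /24 and /30."""
    net = ipaddress.ip_network(cidr, strict=False)  # accept a host address such as 10.10.10.10/30
    first, last = net.network_address, net.broadcast_address
    if net.prefixlen == 32:
        return (str(first), str(first), str(first), None, 1)
    if net.prefixlen == 31:
        return (str(first), str(first), str(last), None, 2)
    return (str(first), str(first + 1), str(last - 1), str(last), net.num_addresses - 2)


def is_usable_peer(iface_cidr, peer):
    """Could `peer` be a host on the network directly attached to interface `iface_cidr`?
    False when the peer is off-link (the /32 case from the first post) or when it
    falls on the network or broadcast address."""
    net = ipaddress.ip_interface(iface_cidr).network
    peer = ipaddress.ip_address(peer)
    if peer not in net:
        return False
    _, lo, hi, _, _ = describe(str(net))
    return ipaddress.ip_address(lo) <= peer <= ipaddress.ip_address(hi)


if __name__ == "__main__":
    for cidr in ("10.10.10.0/24", "10.10.10.0/30", "10.10.10.10/31", "10.10.10.10/32"):
        print(cidr, describe(cidr))
    # The laptop at 10.10.10.11 against a firewall interface of 10.10.10.10 with each mask:
    for iface in ("10.10.10.10/32", "10.10.10.10/31", "10.10.10.10/30", "10.10.10.10/24"):
        print(iface, "-> 10.10.10.11 usable peer:", is_usable_peer(iface, "10.10.10.11"))
```

Note the /30 case: 10.10.10.10/30 lands in the block 10.10.10.8 to 10.10.10.11, so .9 and .10 are the two hosts and .11 becomes the broadcast address. Moving from /31 to /30 therefore also means picking the two host addresses from the right block, not just changing the mask.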
    • ErniePantuso @johnpoz

      @johnpoz Thanks for the explanation. My knowledge of networking is very limited. I don't really understand "the wire" or "the broadcast". Where I'm coming from is: /31 works, and there are only 2 IP addresses, the router and my laptop. There's no way for any other IP address to be used to exploit anything or cause trouble. If I use /30, there are 2 more IP addresses; couldn't one or both of them theoretically be compromised/exploited? Sorry if this seems like the dumbest question anyone has ever asked.
    • johnpoz LAYER 8 Global Moderator @ErniePantuso

      @ErniePantuso It's not dumb. But if you have a wire between your router and your PC, how would any other devices even connect and use an IP?

      If it works, sure, go for it. Just not a normal setup is all. But yeah, it can work.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.