Netgate Discussion Forum

    Is there a way to visualize my network in pfSense and see who can talk to whom?

    General pfSense Questions
stephenw10 (Netgate Administrator):

      Really it needs both because a host on any particular subnet may or may not have an available route or might block traffic from some other subnet.

johnpoz (LAYER 8 Global Moderator), replying to @CharlesT:

@CharlesT not sure why you need a picture here... Out of the box pfSense allows any/any, the default rule on LAN.. So it can talk to anything..

        If you limited these rules to only allow specific traffic - you are the one that created the rules, why would you need a picture to know what you allowed or blocked?

        How would this picture be any more helpful than the easy to read list of rules that are evaluated in order top down?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

terryzb, replying to @johnpoz:

          @johnpoz
1 pic == 1k words
😊

CharlesT, replying to @johnpoz:

            @johnpoz For a networking specialist perhaps, but I'm a very visual person and it would help me a lot to immediately see on a network map the effect of the changes I make into pfSense, without having to constantly go from one device to the other and run ping tests or try to load content.
            Great for learning too.

johnpoz (LAYER 8 Global Moderator), replying to @terryzb:

              @terryzb I agree for sure, sometimes 10k words.. And like to see a picture of the rules on the interface.

But I just don't get how you would graphically show what is allowed or not allowed.. Are ports going to be different colors?

Love to see an example of what sort of thing they want to see... To me this is a picture of the rules.

              rules.jpg

johnpoz (LAYER 8 Global Moderator), replying to @CharlesT:

@CharlesT can you sketch up an example of what you want to see in the rules - because I am at a loss as to how to graphically show, say, the above example of a rule set.

The green check mark shows that it's an allow, the hand is a reject, a block is a red X.. How do you graphically show what amounts to a number? A network is going to have to be shown as a number, a port is a number..

                What sort of graphic would make that above example rule set easier for you to understand?

AndyRH, replying to @CharlesT:

@CharlesT The concept is simple; the implementation is hard for you, and very hard for Netgate due to the varied equipment.

                  Query pfSense:

                  1. rule set
                  2. subnet ranges
                  3. VLAN information

                  Query the switches:

                  1. MAC addresses
                  2. IP Addresses
                  3. VLAN information
                  4. Ports for the above

                  Query DNS:

                  1. Host name for all IPs found

                  The easy part is to take this information and mine it to build the picture.

                  It is likely there is software that does this, but I doubt it is free.

                  o||||o
                  7100-1u

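The procedure AndyRH sketches (pull the rule set and subnets from pfSense, then derive who can reach whom) and johnpoz's point that rules are evaluated top-down can be shown in a few dozen lines. The following is an added example, not code from this thread, from Netgate or from pfSense. It assumes a rule applies to traffic entering the named interface, first match wins, unmatched traffic is blocked (the implicit default deny), and traffic between hosts on the same subnet never reaches the firewall at all, which is exactly the caveat johnpoz raises later. The subnets, hosts and rules are constructed sample data.

```python
"""Added example, not code from the Netgate forum thread or from pfSense.

Turns a constructed pfSense-style rule set into a "who can talk to whom"
view. Assumptions (mine, not stated on the page): rules govern traffic
entering the named interface, are evaluated top-down with first match
winning, and unmatched traffic is blocked (implicit default deny).
Same-subnet traffic never reaches the firewall, so it is reported as
"same-subnet" instead of pass/block. All data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    interface: str          # interface whose inbound traffic this rule governs
    action: str             # "pass", "block" or "reject"
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # None means any destination port


ANY = ip_network("0.0.0.0/0")
LOCAL_NETS = ip_network("192.168.0.0/16")

# Constructed three-subnet home network, one interface per subnet
SUBNETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "IOT": ip_network("192.168.20.0/24"),
    "GUEST": ip_network("192.168.30.0/24"),
}

# Constructed hosts; 203.0.113.5 is a documentation address standing in for the WAN side
HOSTS = {
    "ipad": ip_address("192.168.1.10"),
    "nas": ip_address("192.168.1.20"),
    "iot-plug": ip_address("192.168.20.10"),
    "guest-laptop": ip_address("192.168.30.10"),
    "internet": ip_address("203.0.113.5"),
}

# Constructed rule set; order matters because the first match wins
RULES = [
    # LAN keeps the default allow-any rule
    Rule("LAN", "pass", SUBNETS["LAN"], ANY, "any", None),
    # IOT may reach the NAS over HTTPS only, nothing else local, internet allowed
    Rule("IOT", "pass", SUBNETS["IOT"], ip_network("192.168.1.20/32"), "tcp", 443),
    Rule("IOT", "block", SUBNETS["IOT"], LOCAL_NETS, "any", None),
    Rule("IOT", "pass", SUBNETS["IOT"], ANY, "any", None),
    # GUEST gets internet only
    Rule("GUEST", "block", SUBNETS["GUEST"], LOCAL_NETS, "any", None),
    Rule("GUEST", "pass", SUBNETS["GUEST"], ANY, "any", None),
]


def interface_of(ip: IPv4Address) -> Optional[str]:
    """Name of the interface whose subnet contains ip, or None for off-network hosts."""
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def evaluate(src: IPv4Address, dst: IPv4Address, proto: str, dport: Optional[int]) -> str:
    """Verdict for one flow: 'pass', 'block', 'reject' or 'same-subnet'."""
    iface = interface_of(src)
    if iface is None:
        raise ValueError(f"{src} is not on a known internal subnet")
    if dst in SUBNETS[iface]:
        return "same-subnet"        # switched locally, the firewall never sees it
    for rule in RULES:
        if rule.interface != iface:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action          # first matching rule decides
    return "block"                  # implicit default deny


def reachable_from(src_name: str, proto: str, dport: Optional[int]) -> dict:
    """Map every other host to the firewall's verdict for src_name -> host."""
    src = HOSTS[src_name]
    return {name: evaluate(src, ip, proto, dport)
            for name, ip in HOSTS.items() if name != src_name}


if __name__ == "__main__":
    for host in ("ipad", "iot-plug", "guest-laptop"):
        print(host, "tcp/443 ->", reachable_from(host, "tcp", 443))
```

The "same-subnet" verdict is the honest answer for the iPad-to-NAS case: pfSense has no rule that decides it, so a map that coloured it green or red from the rule set alone would be guessing. Anything the map says about a "pass" flow is still only what the firewall permits; whether the destination listens on that port or its own host firewall allows it is not knowable from here.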
CharlesT, replying to @johnpoz:

                    @johnpoz done quickly but something like this perhaps. This is the most bare-bone version I can think of.

In the first image the iPad is selected (green) so all the devices it can talk to are highlighted in blue and an information window pops up that lists the rules the device is subjected to. It can talk to the IoT device on the right but this device is on a different subnet marked purple, while the other devices on the same subnet have a light blue wifi connection to the access point.

                    In the second image, the IOT device (on the IOT VLAN wifi) is selected (green), but it doesn't have permission to ping anyone else so nothing lights up in blue.

                    2024-06-25 at 15.40.01.png

                    2024-06-25 at 15.41.03.png

johnpoz (LAYER 8 Global Moderator), replying to @CharlesT:

                      @CharlesT while that is a pretty picture and all.. How would that be drawn without a destination?

                      For starters in your typical home network, all of those would be able to talk to each other because they are most likely on the same network and pfsense has zero to do with any conversations they would have to each other.

And you're listing out the IP address, the interface and which rules - rules that do what, allow or block your destination - which would have to be selected for the picture to even be able to be drawn.. So the picture brings nothing to the table IMHO..

                      edit:
So you want a picture that shows every device on your network, and if you highlight it - it lights up which devices it can talk to? What ports? How does pfSense know, even if you allow say port 80, that the device firewall allows 80, or that a service is even running on 80..

CharlesT, replying to @johnpoz:

                        @johnpoz Well in this setup pfsense is used to segment the network into 3 subnets, each with its own firewall rules. But yeah, I guess pfSense would not know if the AP had device isolation...

                        I don't know. I'm just a newbie to networking trying to set up his home network lol. But a tool like this would help me. I understand it's not a priority for anyone at Netgate.

stephenw10 (Netgate Administrator):

                          Something visual like that would be nice to have but somewhere between tricky and very difficult to pull off usefully.

Something something AI. 😉 Maybe

johnpoz (LAYER 8 Global Moderator), replying to @stephenw10:

                            If you had something creating a picture with all your devices.. Say something like this..

                            devices.jpg

                            And then you had some way to input some parameters like port.. It could show you which other devices the firewall rules allow for..

                            But even viewing it gets tricky when you have lots of devices.. This is only showing my wireless devices, and you have to really zoom in to see anything.

                            And while pfsense can say hey there is a rule that allows that to these other devices in other networks.. Still doesn't know if that device even listens on that port, or that its own possible firewall allows it. And as you mention how would it know if something like private vlans or AP isolation is deployed?

                            Is this AI going to validate every connection is actually possible from the devices IP address you selected as your source? And for stuff on the same network as your client, pfsense isn't involved anyway..

I have worked on many different firewalls, Palos, ASAs, Juniper, Checkpoints way back in the day.. The only thing I have seen that would come close to what you're asking that isn't graphical is where you can put in some parameter(s) and it will list the rules that mention those parameters; you can do that with Panorama for the Palos.. But not freaking cheap! ;)

But I do not see how this helps you learn to be honest.. If you want to learn.. Learn how to create the rules you want to allow or block and how to create those.. I mean how many rules could you possibly have? It's not like enterprise; at my previous gig we had over 50 different Palo firewalls in the org, and searching for what rules might allow or block specific traffic was really a requirement.. There were 1000's and 1000's of rules across the org.. Finding out if some specific traffic was allowed or not would have been painful if there wasn't a way to easily search through them..

Biggest save in searching rules was when someone requested something to talk to something else on port X: search for whether those devices are already allowed to talk to each other on some ports so you could just add the port to an existing rule, etc.


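The non-graphical search johnpoz describes (enter a source, a destination and maybe a port, get back the rules that mention them, and in particular find out whether the pair is already allowed on some port so the new port can be added to an existing rule) is easy to build against an exported rule table. This is an added example, not code from the thread, from Netgate or from any firewall vendor's product; the rule table and hosts are constructed sample data, and the field names mirror a pfSense rule row but are my own choice.

```python
"""Added example, not from the thread or any vendor. Lists the rules that
could apply to a given source/destination pair, in evaluation order, and
works out on which ports that pair is already allowed under first-match
semantics. RULES is constructed sample data."""
from ipaddress import ip_address, ip_network

RULES = [
    {"if": "LAN",   "action": "pass",  "src": "192.168.1.0/24",  "dst": "0.0.0.0/0",       "proto": "any", "dport": None, "descr": "Default allow LAN to any"},
    {"if": "IOT",   "action": "pass",  "src": "192.168.20.0/24", "dst": "192.168.1.20/32", "proto": "tcp", "dport": 443,  "descr": "IoT to NAS HTTPS"},
    {"if": "IOT",   "action": "pass",  "src": "192.168.20.0/24", "dst": "192.168.1.20/32", "proto": "tcp", "dport": 8443, "descr": "IoT to NAS alt HTTPS"},
    {"if": "IOT",   "action": "block", "src": "192.168.20.0/24", "dst": "192.168.0.0/16",  "proto": "any", "dport": None, "descr": "IoT no local"},
    {"if": "IOT",   "action": "pass",  "src": "192.168.20.0/24", "dst": "0.0.0.0/0",       "proto": "any", "dport": None, "descr": "IoT to internet"},
    {"if": "GUEST", "action": "block", "src": "192.168.30.0/24", "dst": "192.168.0.0/16",  "proto": "any", "dport": None, "descr": "Guest no local"},
    {"if": "GUEST", "action": "pass",  "src": "192.168.30.0/24", "dst": "0.0.0.0/0",       "proto": "any", "dport": None, "descr": "Guest to internet"},
]


def rules_for_pair(src, dst, port=None):
    """Rules whose source and destination cover the pair, as (index, action, dport, descr).

    Returned in evaluation order. When port is given, rules pinned to a different
    port are dropped; rules with dport None (any port) are kept because they can
    still decide this port.
    """
    s, d = ip_address(src), ip_address(dst)
    hits = []
    for i, r in enumerate(RULES):
        if s not in ip_network(r["src"]) or d not in ip_network(r["dst"]):
            continue
        if port is not None and r["dport"] not in (None, port):
            continue
        hits.append((i, r["action"], r["dport"], r["descr"]))
    return hits


def allowed_ports(src, dst):
    """Ports on which src can already reach dst: a sorted list, or 'any'.

    Walks the matching rules top-down. A port-specific pass adds that port
    (unless an earlier port-specific block already shadowed it); the first
    any-port rule settles every remaining port, pass meaning 'any' and
    block/reject meaning only the ports collected so far. With no any-port
    rule the implicit default deny covers the rest.
    """
    allowed, blocked = [], set()
    for _, action, dport, _ in rules_for_pair(src, dst):
        if dport is None:
            return "any" if action == "pass" else sorted(allowed)
        if action == "pass":
            if dport not in blocked and dport not in allowed:
                allowed.append(dport)
        else:
            blocked.add(dport)
    return sorted(allowed)


if __name__ == "__main__":
    for idx, action, dport, descr in rules_for_pair("192.168.20.10", "192.168.1.20"):
        print(f"#{idx} {action:5} port={dport} {descr}")
    print("already allowed:", allowed_ports("192.168.20.10", "192.168.1.20"))
```

Running it for the IoT plug and the NAS shows the two HTTPS pass rules followed by the "IoT no local" block, so a request for a third port would be added to one of those pass rules rather than a new rule below the block, where it would never match.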
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.