PfSense clients access private network
-
Hi.
I have a private network (192.168.1.xxx) and a pfSense network (10.10.10.xxx) connected to the same ADSL router/modem (192.168.1.1), and the clients from pfSense have access to my private network. Is it possible to block them from the pfSense firewall? But I still want to access the pfSense network from my private one.
Thank you :)
-
A diagram would help. It sounds like you've got:
ADSL --- 192.168.1.x --- pfSense --- 10.10.10.x
If that's the case, you could simply create a firewall rule to deny access from the 10.10.10.x network to the 192.168.1.x network, except for 192.168.1.1 (otherwise you'll never get to the Internet). Of course, if that's the case you've got your networks back to front - you should put the more protected network behind the pfSense box, not in front of it :)
-
Sorry, you're right, but the diagram is not like that; it's more something like this:

          192.168.1.x
ADSL <
          pfSense --- 10.10.10.x
Yes, but what you're saying is that the pfSense box has an interface on the 192.168.1.x network:

             clients
ADSL         |
192.168.1.1 -|
             |
             |- pfSense - 10.10.10.x

Is that correct?
-
Exactly

                  | Private network (192.168.1.x)
ADSL Router       |
(192.168.1.1)     | pfSense Box (192.168.1.15) (10.10.10.1)

I think it's complete now :P
-
So, as I said in my first post - your basic problem is that you've got your design backwards. Your pfSense host is connected, via its WAN interface, to the network you want to protect. That's just wrong.
You can "fix" this by putting in a deny rule on the LAN interface of the pfSense host, denying access to 192.168.1.0/24, except for 192.168.1.1. However, given what you've said so far, it would be far more sensible to switch the 2 networks around, putting the "Private" network behind the pfSense host's LAN interface and the 10.10.10.x network between the ADSL router and the pfSense host:
                 | 10.10.10.0/24
ADSL             |
10.10.10.1 ------|
                 |     192.168.1.1
                 |--- pfSense ---- 192.168.1.0/24
                 10.10.10.2

(Hint - firewalls are generally designed to protect the network on the LAN side from the network on the WAN side, not the other way around ;) )
-
Just tested this, but it's not working :(
Could you please check if the rule is correct?
-
That rule says, block the LAN interface from accessing anything except the ADSL gateway.
First off, you'll need to create an alias, say PRIVATE, that contains the following networks:
192.168.1.2/31
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/25

(This is a list that effectively lists every host EXCEPT 192.168.1.1)
Now create a rule that blocks access from the LAN SUBNET to this alias.
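The seven entries in that alias are the /24 carved into power-of-two blocks that avoid the gateway (and the .0 network address, which is no host). The script below is an added example and not code from this thread: it computes that block list for any subnet and set of excluded addresses, brute-force checks that the result covers exactly the intended addresses, and renders the LAN block rule from the earlier reply as an equivalent pf table and rule fragment. The interface name em1, the alias name PRIVATE and the 10.10.10.0/24 LAN subnet are assumptions; pfSense generates its own ruleset from the GUI, so the pf text only shows what the alias plus block rule amount to.

```python
"""Build a pfSense-style alias covering a subnet except for chosen hosts.

Added example, not code from the original forum thread. Interface and
alias names used below are assumptions for illustration.
"""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def alias_blocks(network: str, exclude: Iterable[str]) -> List[Net]:
    """Smallest set of CIDR blocks covering `network` minus `exclude`.

    Each excluded address is carved out with address_exclude(), which
    repeatedly halves the enclosing block and keeps the halves that do
    not contain the address. Collapsing at the end merges neighbours
    that can be re-joined, and the result is sorted by network address.
    """
    remaining: List[Net] = [ipaddress.ip_network(network)]
    for addr in exclude:
        host = ipaddress.ip_network(f"{addr}/32")
        carved: List[Net] = []
        for block in remaining:
            if host.subnet_of(block):
                carved.extend(block.address_exclude(host))
            else:
                carved.append(block)
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def covers_exactly(blocks: Iterable[Net], network: str, exclude: Iterable[str]) -> bool:
    """True iff every address of `network` lies in some block, except the
    excluded ones, which must lie in none. Brute force; fine for a /24."""
    blocks = list(blocks)
    excluded = {ipaddress.ip_address(a) for a in exclude}
    for addr in ipaddress.ip_network(network):
        covered = any(addr in b for b in blocks)
        if covered == (addr in excluded):
            return False
    return True


def pf_rules(alias: str, blocks: Iterable[Net], lan_if: str, lan_net: str) -> str:
    """Render the equivalent pf(4) fragment: a table holding the alias, a
    block rule for LAN traffic to it, and the pass rule that must come
    after it (pf with 'quick' is first-match, as pfSense's rule order is).
    Interface and subnet names are whatever the caller assumes."""
    table = " ".join(str(b) for b in blocks)
    return "\n".join([
        f"table <{alias}> {{ {table} }}",
        f"block in quick on {lan_if} from {lan_net} to <{alias}>",
        f"pass in quick on {lan_if} from {lan_net} to any",
    ])


if __name__ == "__main__":
    # Exclude the gateway and the network address, as the posted alias does.
    private = "192.168.1.0/24"
    keep_out = ["192.168.1.0", "192.168.1.1"]
    blocks = alias_blocks(private, keep_out)
    for b in blocks:
        print(b)
    assert covers_exactly(blocks, private, keep_out)
    # Assumed names: LAN interface em1, LAN subnet 10.10.10.0/24.
    print(pf_rules("PRIVATE", blocks, lan_if="em1", lan_net="10.10.10.0/24"))
```

In the pfSense GUI the same thing is the alias plus a block rule on the LAN tab placed above the default allow-LAN-to-any rule, since rules are matched top down and the first match wins; a block rule sitting below the allow rule never fires.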
-
Excellent :)
It worked
Thanks a lot!!