Netgate Discussion Forum

    PfSense as an internal firewall

    Problems Installing or Upgrading pfSense Software
    7 Posts 3 Posters 6.9k Views
    • wdennis

      Hello all,

      Quite new to pfSense (I've used IPCop for a few simple firewalls here and there) and although I'm certainly not a firewall guru, I have had some experience on a few commercial ones (Cisco PIX, Checkpoint FW-1 NGX, MSFT ISA 2004, SmoothWall.)

      Anyways, I like what I see so far. pfSense seems pretty configurable, but here's what I'm trying to do, and I'm not sure if it can be done (easily anyways  :) )

      We are looking at implementing some internal firewalls to cordon off project networks and only allow certain traffic into the core network, and/or out to the Internet. So the basic topology would be:

      Internet --- Checkpoint FW --- Internal core networks (router) --- (LAN) pfSense FW (WAN) --- Project net(s)

      The internal nets and the project nets are subnets of a single Class-B block.

      Since the project nets would be leaf networks, the default routes on the pfSense boxen would be out the LAN int, not the WAN int. The rulesets on the WAN side would be default deny, unless explicitly allowed, but also allow any / any to the Internet (the Checkpoint will enforce any denys out to the Internet.) The ruleset on the LAN side would be default allow unless otherwise denied. No WAN outbound NAT-ing.

      The only thing that I really have a question on is setting up the pfSense box to have its default route out the LAN side, as the untrusted project net isn't really a WAN link. Is this doable?

      Thanks in advance for any help provided,
      Will

      • morbus

        pfSense is definitely capable of doing what you want.

        I would leave pfsense in the normal config

        Internet --- Checkpoint FW --- Internal core networks (router) --- (WAN) pfSense FW (LAN) --- Project net(s)

        and remove the default LAN to WAN allow rule. Once you remove that, pf will block everything on the LAN. There is no reason why it wouldn't work back to front; it is just designed to work the other way.

        You may want to disable the WebGUI anti-lockout rules, as these could let your project attack the WebGUI.

        I would also use a managed switch and put each project on a separate VLAN.

        • GruensFroeschli

          @morbus: I think wdennis's problem is that the project network and the core network are on the same subnet.

          But you can do it even then.
          Connect the pfSense just as morbus showed you (with WAN to corenet).
          Activate under advanced the "filtering bridge" option and then simply bridge your LAN with WAN.

          The LAN interface won't have an IP, but the WAN interface will have one.
          Now simply configure rules on the LAN interface for how traffic is allowed (or blocked).
          As said: if you have no rules, by default everything is blocked.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          • wdennis

            Actually, my nets are composed of a single Class B network subnetted into CIDR /24 networks. So, the "WAN" interface may be for instance 111.222.3.4, whereas the LAN interface may be 111.222.5.6, and all the rest of the 111.222.x.x/24 nets are on the LAN side (except the 111.222.3.0/24 network of course.)

            What I did (and it seems to work) is when I defined the WAN int thru the WebGUI with a static IP, I set the default gateway field to the LAN network's router address. So, for instance, if we take the example above, the WAN IP = 111.222.3.4, and the WAN default GW = 111.222.5.254 (the router int addr for the 111.222.5.0/24 net.)

            The resulting IPv4 routing table in FreeBSD looks like the following (edited for brevity):

            Internet:
            Destination        Gateway            Flags   …   Netif
            default            111.222.5.254      UGS         em0
            127.0.0.1          127.0.0.1          UH          lo0
            111.222.5/24       link#1             UC          em0
            .
            .
            .
            111.222.3/24       link#2             UC          em1

            where em0 = LAN interface and em1 = WAN interface.

            So far, it seems to work... I would like to keep the paradigm of WAN = project net, so if I can do it this way instead of reversing the setup (i.e. LAN = project net) that would be best, since the firewall seems to be designed to treat the LAN as trusted, and the WAN as untrusted.

            Any further comments are most welcome (especially if someone sees that there is a problem with doing what I did  :P )

            Thanks,
            Will

            • GruensFroeschli

              Well, it looks good, and apparently works :)
              But I disagree with trusted = LAN and untrusted = WAN.

              I believe in this concept of a good firewall:
              The admin defines what is trusted or untrusted and sets his rules accordingly.
              The product does not define how the admin has to use it. ;)

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              • morbus

                The only issue I can see is that pfSense is built with the WAN having fairly limited options, so services like DHCP won't run on it via the WebGUI.

                Remove the default allow rule and disable the anti-lockout rules, and both sides should be equal as far as trusted/untrusted goes.

                pfSense is totally configurable to do whatever you want. It just depends how much PHP you want to rewrite to get it to work differently from how it was built.

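The policy the thread converges on (WAN = project net, default deny with explicit allows and Internet-bound traffic passed; LAN = core net, default allow with explicit denies; no outbound NAT; anti-lockout rule disabled so the project net cannot reach the WebGUI), written out in raw pf.conf syntax as an added illustration. pfSense generates its own pf rules from the WebGUI, so this is a readable model of the intended rules, not a file to install; the interface names follow wdennis's routing table, while the addresses, the allowed HTTPS server and the example RDP deny are constructed assumptions.

```pf
# Added illustration of the policy discussed in this thread, in pf.conf syntax.
# pfSense writes its own pf rules from the WebGUI, so treat this as a model of
# the intended policy rather than a file to load on the firewall.
# em0/em1 follow wdennis's table; addresses and services are constructed.
lan_if     = "em0"                # core-net side, carries the default route
wan_if     = "em1"                # project-net side, treated as untrusted
corenet    = "111.222.0.0/16"     # the whole Class B: core and project nets
projectnet = "111.222.3.0/24"     # this project's /24 (constructed)
webgui     = "{ 80, 443 }"        # WebGUI ports on the firewall itself

set skip on lo0
# Deliberately no "nat on $wan_if" rule: traffic is routed, not translated.

# Protect the firewall itself first: the project net never reaches the WebGUI.
# This is the hand-written equivalent of disabling the anti-lockout rule.
# "quick" stops evaluation here, so no later pass rule can override it.
block in quick on $wan_if proto tcp from $projectnet to ($wan_if) port $webgui

# WAN (project net) side: default deny, then explicit allows.
# pf uses last-match semantics, so the pass rules below win over the block.
block in log on $wan_if all
# Example allowed service: one HTTPS server in the core net (constructed).
pass in on $wan_if inet proto tcp from $projectnet to 111.222.5.10 port 443
# Anything not destined for the Class B is Internet-bound; the upstream
# Checkpoint applies its own outbound policy, as the thread describes.
pass in on $wan_if inet from $projectnet to ! $corenet

# LAN (core net) side: default allow, then explicit denies.
pass in on $lan_if all
# Example deny: no RDP from the core net into the project net (constructed).
block in log on $lan_if inet proto tcp from $corenet to $projectnet port 3389
```

On a live pfSense box the generated ruleset can be read from the system to confirm that the WebGUI ports are not reachable from the WAN side and that no NAT rule was created for it.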
                • wdennis

                  @GruensFroeschli:

                  But I disagree with trusted = LAN and untrusted = WAN.

                  I believe in this concept of a good firewall:
                  The admin defines what is trusted or untrusted and sets his rules accordingly.
                  The product does not define how the admin has to use it. ;)

                  I'm happy to hear that it's not "hard-wired" as far as the concept of "LAN = trusted" and "WAN = untrusted" goes.
                  But it makes sense to me to work within the default parameters. I'm just glad I could get it to work the way I wanted so easily :)

                  Thanks all!  ;D

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.