I need help with the firewall and rules with multiple LAN's
-
The default configuration for the LAN is to allow anything out. I'd start your second LAN with a similar rule and lock down from there. Remember rules apply when traffic enters the interface and rules are processed top down. So, let's say I want to allow only RDP from LAN to LAN2 and block LAN2 from getting to LAN:
(Allowing both to get to the Internet)
Firewall, Rules, LAN
Allow TCP LAN net * LAN2 net 3389 *
Deny * LAN net * LAN2 net * *
Allow * LAN net * * * *Firewall, Rules, LAN2
Deny * LAN2 net * LAN net * *
Allow * LAN2 net * * * *Once you get the hang of it, you should be able to extrapolate into more complex rules.
-
Thank so much - I will give this a go tonight.
I do understand the top down concept and was aware of that with my rules (not experienced though)
If we take a step back
Allow rdp from LAN to LAN2 with the understanding that all is blocked by default (according to what I have read) I had under LAN rules
Allow TCP LAN net * LAN2 net 3389 *
with no rules under LAN2
and nothing would work.
If so then could I have a problem somewhere else (NAT?)
This is what is swimming around my head at the moment
This goes in the LAN rules because that is the subnet that the connection is being established and a similar rule is not required under the LAN2 rules.
but, you say that when traffic enters an interface the rules are tested, so if I try to establish a connection from my PC on LAN the LAN rules are evaluated and then the data is passed to the LAN2 rules before passing into the LAN2 subnet. Does that mean that there should be a similar rule under LAN2 (this means doubling of all rules which sounds counter productive and over complicated)
Allow TCP LAN net * LAN2 net 3389 *Don't get me wrong I am not trying to argue, just posing scenario's to try and learn and I appreciate the replies.
Thanks again
Mick
-
This goes in the LAN rules because that is the subnet that the connection is being established and a similar rule is not required under the LAN2 rules.
correct.
but, you say that when traffic enters an interface the rules are tested, so if I try to establish a connection from my PC on LAN the LAN rules are evaluated and then the data is passed to the LAN2 rules before passing into the LAN2 subnet.
incorrect.
Whatever gets 'inside' of pfSense (accordingn to rules) may exit anywhere it is routed to (no rules apply).
That is why pfSense itself (inside) can communicate with all attached subnets or the update server on the internet without rules.
Got the picture?What Dotdash showed is absolutely correct.
Just get familiar with the rule's order which is important in the example. Maybe read them out loud: "First, allow everything from LAN to …" [no pun intended, btw] -
I put these rules in and it did not work >:( (and yes I hit apply after making the changes)
Just to make sure here are the screen shots
One thing I did appear to have wrong was how the rules were processed. I did understand the top down concept, but I though that a lower rule would over-ride a previous rule
so in the rules given earlier, where an allow was given for port 3389 and then a subsequent rule blocked all ports, I assumed that the latter rule had precedence, and in fact it is the other way around, preceding rules have precedence.
Since this does not appear to be working for me, is there by any chance something else wrong elsewhere in the system?
The box (pfsense) can ping the PC on LAN2
Thanks and the help is appreciated
Mick
EDIT - I realised on the way to work this morning that the PC on the LAN was not using the pfsense box as the gateway, but rather the router as a gateway. The router has a static route to the pfsense box, so in theory it should work, but I will point the PC to the pfsense box and try again.
-
So it turns out is was the gateway but…
I removed the rule for port 3389 and now have two rules under LAN
Deny * LAN net * LAN2 net * *
Allow * LAN net * * * *and I can still get a RDP connection - why? All protocols and ports are blocked to LAN2
I can also do file sharing!!!
Why when the deny rule is first
-
Did you clear the states after deleting the allow rule?
You dont happen to have Advanced outbound NAT enabled, do you?
-
I assume by clearing the states you mean resetting states - no I did not know about that
Yes, Automatic (not Advanced) outbound NAT is enabled.
Should manual outbound NAT be enabled? What about the rules for NAT, where can I find more on that
-
If you are on automatic everything should be ok.
Some people have problems when they enable manual NAT and forget about it.If you're testing if a firewall rule is effective, you should always clear the state table first.
Otherwise it might well be that there is still an entry in the table and you use this entry which was created before the rule was in place. -
Excellent, I am starting to get somewhere now thanks to the good people here
Another questions on a rule
I have got the ports open to LAN2 that I want and it is working fine but I am trying to lock down the connection to the internet
My first attempt was this
Allow TCP LAN net * WAN address 80 (HTTP) *and it did not work.
Changed it to
Allow TCP LAN net * * 80 (HTTP) *and it worked.
Why would specifying the WAN port fail, yet work for any destination?
-
If you specify "WAN address" you allow only connections to the address of the WAN.
WAN address means exactly that.
It doesnt mean: "traffic going out the WAN". -
Thanks - I will think about this overnight
"If you specify "WAN address" you allow only connections to the address of the WAN."
I understand this statement, and I think then it should have worked. I put in a URL in the web browser and it should have only allowed a connection through the WAN, yet it did not connect and download the web page.
or
does this mean that if the WAN address is say 10.0.0.0 (from WAN NIC to modem), then it only allows access to 10.0.0.0
I think it may be the latter
-
Thanks - I will think about this overnight
"If you specify "WAN address" you allow only connections to the address of the WAN."
I understand this statement, and I think then it should have worked. I put in a URL in the web browser and it should have only allowed a connection through the WAN, yet it did not connect and download the web page.
or
does this mean that if the WAN address is say 10.0.0.0 (from WAN NIC to modem), then it only allows access to 10.0.0.0
I think it may be the latter
NOT through.
TOSo yes it means the latter.
-
Dang - I thought I had the hang of this
I have two rules only in both LAN1 and LAN2
LAN2 Rules
Allow TCP LAN2 net * LAN net 8080 *
Deny * LAN2 net * LAN net * *First to allow LAN2 to a web server on LAN on port 8080, the second to block all the rest and this works fine
LAN1 Rules
Allow TCP LAN1 net * LAN net 8080 *
Deny * LAN1 net * LAN net * *Same rules as LAN2, but for LAN1 and this does not work. LAN2 can see the web server on port 8080, LAN1 can not.
Whay is it so?