    Problem with fw rules

    2.0-RC Snapshot Feedback and Problems - RETIRED
      kentbjoh:

      Hi,

      I have the following VLANs setup on my pfsense box running v2;

      VLAN10 - 172.16.10.0/24 - Wired connection (with internet access)
      VLAN20 - 172.16.20.0/24 - Wireless connection (with internet access)
      VLAN254 - 172.16.254.0/24 - Protected Servers (no internet access)
      VLAN400 - 172.16.1.0/24 - Management; fw, switches and aps are on this vlan  (no internet access)
      See attachment for the rules of each vlan.

      The problem I am having is that VLAN254 speaks with ALL VLANs, when I only want it to speak with VLAN10. As far as I can see I have all the rules correct.
      I even tried deleting the V254 interface and VLAN and recreated it with no fw rules (no rules should by default mean DENY ALL, right?). Still able to reach it from all other VLANs.
      There is no trouble with the other VLANs, as I can disable the rule allowing v10 to speak to v20 and that will work after a few seconds!

      Is there something VERY obvious that I am missing, or could it be a bug in pfsense or the switch?

      Hoping for some quick replies :)

      Brgds,
        kpa:

        The first rules in your rule set for each VLAN are unnecessary; traffic that goes from a host to another host on the same subnet never reaches the firewall. Turn on logging for all of your rules and see which rules are actually matched. Remember to reset states (Diagnostics -> States) every time you change the rules.

          kentbjoh:

          I know the first rule is unnecessary, but if it's not there I cannot ping the default GW.

          I also found the rule that allowed access to VLAN254. It was the rule that provided VLAN10 & 20 with internet (see attachment). vlan_internet is an alias for the 10/24 and 20/24 subnets.
          Can I create the rule another way so it doesn't provide access to the other subnets?


            kpa:

            Make a network(s) alias that has all the networks that you want to deny access to and use that alias in the rule in place of the interface group you now have there.

              Clouseau:

              @kentbjoh: (quoting the original post in full)

              You are allowing VLAN10 to access your VLAN254 from any gateway, and this might be routing from other VLANs to access your VLAN254 via VLAN10? Just a bad guess… Try to limit VLAN10 access to your VLAN254 only from gateway 172.16.10.1. It's hard to guess what's really happening without any logs, but traceroute should tell a lot... Otherwise you must deny access to VLAN254 from VLAN 20 and 400.


                kpa:

                His problem is most likely the interface group; AFAIK it's not intended to be used that way. A network(s) alias should make his setup work.

                  cmb:

                  Post the contents of rules.debug from status.php while that interface group is in place.

                    kentbjoh:

                    Here it is;
                    Public IPs censored with 127.0.0.1

                    #System aliases
                    
                    loopback = "{ lo0 }"
                    WAN = "{ pppoe1 }"
                    VLAN400 = "{ re0_vlan400 }"
                    VLAN10 = "{ re0_vlan10 }"
                    VLAN20 = "{ re0_vlan20 }"
                    VLAN254 = "{ re0_vlan254 }"
                    OpenVPN = "{ openvpn }"
                    vlanInternet = "{ vlanInternet }"
                    
                    #SSH Lockout Table
                    table <sshlockout> persist
                    #Snort2C table
                    table <snort2c>
                    table <virusprot>
                    # User Aliases
                    table <vlan_internet> { 172.16.10.0/24 172.16.20.0/24 }
                    vlan_internet = "<vlan_internet>"
                    
                    # Gateways
                    GWwan = " route-to ( pppoe1 127.0.0.1 ) "
                    
                    set loginterface pppoe1
                    set loginterface re0_vlan400
                    set loginterface re0_vlan10
                    set loginterface re0_vlan20
                    set loginterface re0_vlan254
                    set optimization normal
                    set limit states 298000
                    
                    set skip on pfsync0
                    
                    scrub in on $WAN all   max-mss 1460 fragment reassemble
                    scrub in on $VLAN400 all   max-mss 1460 fragment reassemble
                    scrub in on $VLAN10 all   max-mss 1460 fragment reassemble
                    scrub in on $VLAN20 all   max-mss 1460 fragment reassemble
                    scrub in on $VLAN254 all   max-mss 1460 fragment reassemble
                    
                    nat-anchor "natearly/*"
                    nat-anchor "natrules/*"
                    
                    # Outbound NAT rules
                    
                    # Subnets to NAT
                    table <tonatsubnets> { 172.16.1.0/24 172.16.10.0/24 172.16.20.0/24 172.16.254.0/24 172.1.1.0/27 }
                    nat on $WAN  from <tonatsubnets> port 500 to any port 500 -> 127.0.0.1/32 port 500
                    nat on $WAN  from <tonatsubnets> port 5060 to any port 5060 -> 127.0.0.1/32 port 5060
                    nat on $WAN  from <tonatsubnets> to any -> 127.0.0.1/32 port 1024:65535
                    
                    # Load balancing anchor
                    rdr-anchor "relayd/*"
                    # TFTP proxy
                    rdr-anchor "tftp-proxy/*"
                    table <direct_networks> { 127.0.0.1/32 172.16.1.0/24 172.16.10.0/24 172.16.20.0/24 172.16.254.0/24 }
                    # NAT Inbound Redirects
                    rdr on pppoe1 proto { tcp udp } from any to 127.0.0.1 port 80 -> 172.16.10.20
                    # UPnPd rdr anchor
                    rdr-anchor "miniupnpd"
                    
                    anchor "relayd/*"
                    anchor "firewallrules"
                    #---------------------------------------------------------------------------
                    # default deny rules
                    #---------------------------------------------------------------------------
                    block in log all label "Default deny rule"
                    block out log all label "Default deny rule"
                    
                    # We use the mighty pf, we cannot be fooled.
                    block quick proto { tcp, udp } from any port = 0 to any
                    block quick proto { tcp, udp } from any to any port = 0
                    
                    # Block all IPv6
                    block in quick inet6 all
                    block out quick inet6 all
                    
                    # snort2c
                    block quick from <snort2c> to any label "Block snort2c hosts"
                    block quick from any to <snort2c> label "Block snort2c hosts"
                    
                    # package manager early specific hook
                    anchor "packageearly"
                    
                    # carp
                    anchor "carp"
                    
                    # SSH lockout
                    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                    block in quick from <virusprot> to any label "virusprot overload table"
                    table <bogons> persist file "/etc/bogons"
                    # block bogon networks
                    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
                    anchor "wanbogons"
                    block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
                    antispoof for pppoe1
                    # block anything from private networks on interfaces with the option set
                    antispoof for $WAN
                    block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
                    block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
                    block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
                    block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
                    antispoof for re0_vlan400
                    antispoof for re0_vlan10
                    antispoof for re0_vlan20
                    antispoof for re0_vlan254
                    anchor "spoofing"
                    
                    # loopback
                    anchor "loopback"
                    pass in on $loopback all label "pass loopback"
                    pass out on $loopback all label "pass loopback"
                    
                    anchor "firewallout"
                    # let out anything from the firewall host itself and decrypted IPsec traffic
                    pass out all keep state allow-opts label "let out anything from firewall host itself"
                    pass out route-to ( pppoe1 127.0.0.1 ) from 127.0.0.1 to !127.0.0.1/32 keep state allow-opts label "let out anything from firewall host itself"
                    # make sure the user cannot lock himself out of the webConfigurator or SSH
                    anchor "anti-lockout"
                    pass in quick on re0_vlan400 from any to (re0_vlan400) keep state label "anti-lockout rule"
                    # NAT Reflection rules
                    
                    # User-defined rules follow
                    pass  in  quick  on $WAN reply-to ( pppoe1 127.0.0.1 )  proto tcp  from   127.0.0.1 to 127.0.0.1 port 443  flags S/SA keep state  label "USER_RULE"
                    pass  in  quick  on $WAN reply-to ( pppoe1 127.0.0.1 )  proto tcp  from   127.0.0.1 to 127.0.0.1 port 443  flags S/SA keep state  label "USER_RULE"
                    pass  in  quick  on $WAN reply-to ( pppoe1 127.0.0.1 )  proto tcp  from   127.0.0.1 to 127.0.0.1 port 443  flags S/SA keep state  label "USER_RULE"
                    pass  in  quick  on $WAN reply-to ( pppoe1 127.0.0.1 )  proto { tcp udp }  from any to any port 1194  keep state  label "USER_RULE"
                    pass   in  quick  on $WAN reply-to ( pppoe1 127.0.0.1 )  proto { tcp udp }  from any to   172.16.10.20  label "USER_RULE: NAT "
                    pass  in  quick  on $vlanInternet  from any to  ! $vlan_internet keep state  label "USER_RULE"
                    pass  in  quick  on $VLAN254  from 172.16.254.1/24 to 172.16.10.1/24 keep state  label "USER_RULE"
                    block  in log  quick  on $VLAN254  from any to any  label "USER_RULE"
                    pass  in  quick  on $VLAN20  from 172.16.20.1/24 to 172.16.10.1/24 keep state  label "USER_RULE"
                    block  in log  quick  on $VLAN20  from any to any  label "USER_RULE"
                    pass  in  quick  on $VLAN10  from 172.16.10.1/24 to 172.16.1.0/24 keep state  label "USER_RULE"
                    pass  in  quick  on $VLAN10  from 172.16.10.1/24 to 172.16.20.1/24 keep state  label "USER_RULE"
                    block  in log  quick  on $VLAN10  from any to any  label "USER_RULE"
                    pass  in log  quick  on $OpenVPN  from any to any keep state  label "USER_RULE"
                    pass  in  quick  on $VLAN400  from 172.16.1.0/24 to 172.16.1.0/24 keep state  label "USER_RULE"
                    pass  in  quick  on $VLAN400  from 172.16.1.0/24 to 172.16.10.1/24 keep state  label "USER_RULE"
                    pass  in  quick  on $VLAN400  from 172.16.1.0/24 to 172.16.20.1/24 keep state  label "USER_RULE"
                    block  in log  quick  on $VLAN400  from any to any  label "USER_RULE"
                    
                    # VPN Rules
                    # package manager late specific hook
                    anchor "packagelate"
                    
                    anchor "tftp-proxy/*"
                    
                    anchor "limitingesr"
                    
                    # uPnPd
                    anchor "miniupnpd"
                    
                      cmb:

                      Ruleset is fine. What output does:

                      ifconfig -g vlanInternet

                      give you?

                        kentbjoh:

                        This:

                        $ ifconfig -g vlanInternet
                        re0_vlan10
                        re0_vlan20
                        
                        
                          cmb:

                          The config is fine then. Reading your first post again, maybe you're misunderstanding how things work. If there are no rules on VLAN254, then VLAN254 can't talk out to anything. But if other interfaces have rules allowing them to talk to VLAN254, that will work. Traffic is filtered on the interface (or interface group) where it's initiated.

                            kentbjoh:

                            Hello again,

                            I don't think I am misunderstanding. Right now I have no rules on V254, but all traffic except WAN is getting through to that VLAN. If I disable the rule in vlanInternet, however, no traffic is passed to V254.

                              cmb:

                              @kentbjoh:

                              Right now I have no rules on V254, but all traffic except WAN is getting through to that VLAN. If I disable the rule in vlanInternet, however, no traffic is passed to V254.

                              Exactly my point - that traffic isn't initiated on VLAN254. Traffic is only filtered on the interface where it's initiated. Everything is functioning as it should be from that description. If you don't want the other interfaces to talk to VLAN254, block them on their interface, the source interface of the traffic, not the destination one.

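To make the two points in this thread concrete (cmb's: a rule is only consulted on the interface where the traffic enters, so rules on VLAN254 cannot stop VLAN10 from reaching it; kpa's: negate an alias holding every local network instead of only the two subnets in vlan_internet), here is a small Python model of the posted rules.debug. This is an added example, not pfSense code and not anything the posters wrote. The interface names, the vlanInternet group and the vlan_internet alias come from the thread; the alias name local_nets, the rule labels and the host addresses are assumptions. It treats every rule as quick (first match wins), as pfSense does, and evaluates the group rule ahead of the per-interface rules, in the order rules.debug shows.

```python
"""Model of pfSense filtering as it applies to this thread: rules are consulted
only on the interface (or interface group) where the traffic enters, every
pfSense user rule is 'quick' so the first match wins, and an unmatched packet
hits the default deny.  Added example, not pfSense code or the poster's.
Names other than those in the posted rules.debug are assumptions."""
import ipaddress

# Network aliases.  vlan_internet is the poster's; local_nets is an assumed
# name for the alias kpa suggests (every local subnet the internet rule must not reach).
ALIASES = {
    "vlan_internet": ["172.16.10.0/24", "172.16.20.0/24"],
    "local_nets": ["172.16.1.0/24", "172.16.10.0/24",
                   "172.16.20.0/24", "172.16.254.0/24"],
}
# Interface group as reported by 'ifconfig -g vlanInternet' in the thread.
IFACE_GROUPS = {"vlanInternet": ["re0_vlan10", "re0_vlan20"]}


def _nets(spec):
    """Expand 'any', an alias name, or a CIDR (host bits tolerated, as in '172.16.10.1/24')."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec in ALIASES:
        return [ipaddress.ip_network(n) for n in ALIASES[spec]]
    return [ipaddress.ip_network(spec, strict=False)]


def _matches(spec, addr):
    """A leading '!' negates the match, like pf's '! $alias'."""
    negate = spec.startswith("!")
    hit = any(ipaddress.ip_address(addr) in n for n in _nets(spec.lstrip("! ")))
    return hit != negate


def evaluate(rules, ingress, src, dst):
    """Return (action, label) of the first rule that matches on the ingress interface.

    rules: list of (action, interface_or_group, src_spec, dst_spec, label).
    Rules bound to other interfaces are never consulted for this packet."""
    for action, iface, s, d, label in rules:
        if ingress in IFACE_GROUPS.get(iface, [iface]) and _matches(s, src) and _matches(d, dst):
            return action, label
    return "block", "Default deny rule"


# Per-interface rules as posted (addresses normalised to their /24 networks).
PER_INTERFACE = [
    ("pass",  "re0_vlan254", "172.16.254.0/24", "172.16.10.0/24", "VLAN254 -> VLAN10"),
    ("block", "re0_vlan254", "any", "any", "VLAN254 block"),
    ("pass",  "re0_vlan20",  "172.16.20.0/24", "172.16.10.0/24", "VLAN20 -> VLAN10"),
    ("block", "re0_vlan20",  "any", "any", "VLAN20 block"),
    ("pass",  "re0_vlan10",  "172.16.10.0/24", "172.16.1.0/24",  "VLAN10 -> VLAN400"),
    ("pass",  "re0_vlan10",  "172.16.10.0/24", "172.16.20.0/24", "VLAN10 -> VLAN20"),
    ("block", "re0_vlan10",  "any", "any", "VLAN10 block"),
]
# As posted: pass anything from VLAN10/20 that is NOT destined to VLAN10/20.
# That negation also covers 172.16.254.0/24 and 172.16.1.0/24, hence the leak.
ORIGINAL = [("pass", "vlanInternet", "any", "!vlan_internet", "internet (leaky)")] + PER_INTERFACE
# Corrected: negate an alias of every local subnet instead; inter-VLAN access
# then falls through to the explicit per-interface rules.
FIXED = [("pass", "vlanInternet", "any", "!local_nets", "internet only")] + PER_INTERFACE


def leaks_to_vlan254(rules):
    """Source hosts on VLAN10/VLAN20 that can reach a protected server (constructed flows)."""
    flows = [("re0_vlan10", "172.16.10.50"), ("re0_vlan20", "172.16.20.50")]
    return [src for ingress, src in flows
            if evaluate(rules, ingress, src, "172.16.254.10")[0] == "pass"]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "reaches VLAN254 from:", leaks_to_vlan254(rules) or "nothing")
        print(name, "VLAN10 -> internet:", evaluate(rules, "re0_vlan10", "172.16.10.50", "203.0.113.10"))
        print(name, "VLAN10 -> VLAN20:", evaluate(rules, "re0_vlan10", "172.16.10.50", "172.16.20.7"))
    # Rules on re0_vlan254 never see VLAN10 -> VLAN254 traffic; they only govern what VLAN254 initiates.
    print("VLAN254 -> VLAN20:", evaluate(ORIGINAL, "re0_vlan254", "172.16.254.10", "172.16.20.7"))
```

Running it shows the posted ruleset passing both VLAN10 and VLAN20 hosts to 172.16.254.10 through the "internet (leaky)" rule, while the corrected negation leaves VLAN10's internet and VLAN10 -> VLAN20 access intact and lets VLAN254-bound traffic fall to the per-interface default block. In either ruleset the VLAN254 rules only decide flows that enter on re0_vlan254, which is the behaviour cmb describes.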