Netgate Discussion Forum

    Multiple LANs to WAN on a local subnet - firewall rules

    Nokxan:

      Hello,

      I've got a question about how to organize my firewall rules for multiple LANs/VLANs on an 8-ethernet-port appliance with pfSense 2.0.1.

      My simplified configuration is (actually, I've got 8 LANs and VLANs):

      LAN1 -----|
                |---  WAN  ---  ISP ROUTER  ---  INTERNET
      LAN2 -----|

      For example:
      LAN1 = 192.168.0.0/24
      LAN2 = 192.168.1.0/24
      WAN = 90.1.1.130/30
      ISP router = 90.1.1.129/30

      My public address is 90.1.1.130 (the one I reach from outside).

      In "System / Routing / Gateway", I've added the following default gateway:
      name: WANGW (default)
      interface: WAN
      Gateway IP: 90.1.1.129

      The WAN interface is set as follows: Static ... IP address = 90.1.1.253/30, Gateway = WANGW

      So the question is:

      On the LAN interface, if I add the following rule:
      Proto   Source       Port   Destination   Port   Gateway
      TCP     LAN subnet   *      WAN subnet    80     *

      HTTP still keeps getting blocked, and I think it's because the firewall treats "WAN subnet" as corresponding only to the subnet 90.1.1.253/30.

      So if I want it to work, I need to use:
      Proto   Source       Port   Destination   Port   Gateway
      TCP     LAN subnet   *      *             80     *

      OK, but my problem is that with multiple LANs, I need to add several rules to stop the traffic from one LAN to the other LANs.

      Can I simplify this? How do I tell pfSense that the WAN subnet corresponds to all subnets that are not on a LAN or VLAN interface, so that I can then use the "WAN subnet" identification in my rules?
      Or maybe I'm all wrong from the beginning; then please tell me, because I've missed something…

      Many thanks in advance,

      Regards,
      Guillaume

        marcelloc:

        Create an alias with all your networks and then change the destination from * to "not local network alias":

        Proto   Source       Port   Destination   Port   Gateway
        TCP     LAN subnet   *      !my_nets      80     *

        or a rule before the HTTP rule:

        action   Proto   Source       Port   Destination   Port   Gateway
        deny     any     LAN subnet   *      !my_nets      *      *
        allow    TCP     LAN subnet   *      !my_nets      80     *

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

          Nokxan:

          That's what I was going to do, but I preferred to ask first; so there's no other way…

          Don't we need to place the allow TCP:80 rule before? In your case, pfSense finds the deny first, then it blocks...

          action   Proto   Source       Port   Destination   Port   Gateway
          deny     any     LAN subnet   *      !my_nets      *      *
          allow    TCP     LAN subnet   *      !my_nets      80     *

          Thank you

            marcelloc:

            My mistake,
            the deny rule does not have the "not" in dst:

            action   Proto   Source       Port   Destination   Port   Gateway
            deny     any     LAN subnet   *      my_nets       *      *
            allow    TCP     LAN subnet   *      !my_nets      80     *

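A way to check the rule ordering discussed in this thread, added here as an example and not code from the original posts or from pfSense: a small first-match evaluator run over the three rulesets (the original "WAN subnet" rule, the first reply's ordering, and the corrected one). The LAN addresses and the my_nets alias are the thread's; 203.0.113.5 is a constructed Internet host, and the /30 used for "WAN subnet" is derived from WAN = 90.1.1.130/30 in the first post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses from the thread. MY_NETS is the alias marcelloc suggests; WAN_SUBNET is
# the /30 pfSense derives from "WAN = 90.1.1.130/30" in the first post.
LAN_SUBNET = [ip_network("192.168.0.0/24")]                             # LAN1 (rules live here)
MY_NETS = [ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")]  # alias my_nets
WAN_SUBNET = [ip_network("90.1.1.128/30")]


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp" or "any"
    src: list
    dst: list
    dport: Optional[int] = None   # None stands for "*"
    dst_negated: bool = False     # the "!" in "!my_nets"

    def matches(self, proto, src, dst, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if not any(src in n for n in self.src):
            return False
        if any(dst in n for n in self.dst) == self.dst_negated:   # "!" flips the test
            return False
        return self.dport is None or self.dport == dport


def decide(rules, proto, src, dst, dport):
    """Interface rules in pfSense are evaluated top-down and the first match wins;
    a packet matching no rule hits the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return r.action
    return "deny"


# The three rulesets discussed in the thread.
ORIGINAL = [Rule("allow", "tcp", LAN_SUBNET, WAN_SUBNET, 80)]
FIRST_REPLY = [Rule("deny", "any", LAN_SUBNET, MY_NETS, dst_negated=True),
               Rule("allow", "tcp", LAN_SUBNET, MY_NETS, 80, dst_negated=True)]
CORRECTED = [Rule("deny", "any", LAN_SUBNET, MY_NETS),
             Rule("allow", "tcp", LAN_SUBNET, MY_NETS, 80, dst_negated=True)]

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("first reply", FIRST_REPLY), ("corrected", CORRECTED)):
        print(name, "LAN1->internet:80", decide(rs, "tcp", "192.168.0.10", "203.0.113.5", 80),
              "LAN1->LAN2:80", decide(rs, "tcp", "192.168.0.10", "192.168.1.10", 80))
```

With the original rule only hosts inside the /30 itself are reachable on port 80, the first reply's ordering denies everything before the allow is consulted, and the corrected ruleset allows HTTP to the Internet while still blocking LAN1 to LAN2.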
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.