Multi-LAN Default deny not working
-
I just spent hours trying to figure this out and its driving me insane. I am not new to PFSense, I have been using it for about 6 years now.
The situation is I just replaced an ASA with a Clustered PFS 2.0.1 setup.
Interfaces are as follows
wan 1.1.1.1/26
2 carps
LAN1 192.168.1.0/24
LAN2 192.168.2.0/24
LAN3 192.168.3.0/24
LAN4 10.255.254.0/24 (carp/pfsync)to simplify things the wan and lan addresses have been changed.
All my wan nat & firewall rules are working perfectly.
The only rules on the lan addresses are
Lan1
* LAN1Subnet * * * *
Lan2- LAN2Subnet * * * *
Lan3 - LAN3Subnet * * * *
CARP - CarpSubnet CarpSubnet * *
there are no rules existing that allow traffic from Lan1 to/from Lan2 or Lan3, nor are there rules allowing traffic from LAN2 to lan1 or lan3, nor are there rules allowing lan3 to lan1 or lan2.
Here is the crazy weird part, all traffic can pass to and from any LAN subnet. It is as if the default deny rule isnt working….. Any ideas?
- LAN2Subnet * * * *
-
there are no rules existing that allow traffic from Lan1 to/from Lan2 or Lan3, nor are there rules allowing traffic from LAN2 to lan1 or lan3, nor are there rules allowing lan3 to lan1 or lan2.
Not true. Your LAN1 rule allows LAN1 to every destination. Ditto for every other LAN.
http://doc.pfsense.org/index.php/Firewall_Rule_Basics -
Even based on the link you provided:
"The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed."So what I think you are saying the traffic is matching the Egress rule on LAN1 for example but there isnt a check for Ingress traffic on LAN2. Once the traffic leaves an interface via an approved rule it doesnt check the next interface rules when the traffic enters that network?
-
The interface rule tabs only check in the inbound direction.
You need a rule like this:
block from LAN1 to (all other LANs)
pass from LAN1 to anyyou could use a floating rule to block in the outbound direction, but it makes it a little harder to follow logically.
-
Even based on the link you provided:
"The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed."So what I think you are saying the traffic is matching the Egress rule on LAN1 for example but there isnt a check for Ingress traffic on LAN2. Once the traffic leaves an interface via an approved rule it doesnt check the next interface rules when the traffic enters that network?
That's how every stateful firewall works: "Once traffic is passed on the interface it enters, an entry in the state table is created, which allows through subsequent packets that are part of that connection."