Multi-LAN firewall rules
-
Greetings from a new pfSense user!
I have a question about firewall rules for a multi-lan configuration.
Here is my layout:
| Interface | Device |
|---|---|
| WAN (wan) | em4 |
| LAN0 (lan) | em0 |
| LAN1 (opt1) | em1 |
| LAN2 (opt2) | em2 |
| LAN3 (opt3) | em3 |

I am trying to configure firewall rules to do the following:
All traffic from WAN should be blocked.
All traffic within LAN0 should be allowed.
All traffic from LAN0 to WAN should be allowed.
All traffic within LAN1 should be allowed.
All traffic from LAN1 to WAN should be allowed.
All traffic within LAN2 should be allowed.
All traffic from LAN2 to WAN should be allowed.
All traffic from LAN3 to WAN should be allowed.

I'm using the following firewall rules to achieve this (using LAN1 as an example):
LAN1:
| Action | Proto | Source | Port | Destination | Port | Gateway |
|---|---|---|---|---|---|---|
| Deny | * | * | * | LAN0 net | * | * |
| Deny | * | * | * | LAN2 net | * | * |
| Deny | * | * | * | LAN3 net | * | * |
| Deny | TCP/UDP | * | * | LAN1 address | 80 (HTTP) | * |
| Deny | TCP/UDP | * | * | LAN1 address | 443 (HTTPS) | * |
| Allow | * | LAN1 net | * | * | * | * |

I'm coming at this from an "everything should be blocked, unless specifically allowed" methodology.
I had first tried to configure using "Allow LAN1 net to LAN1 net" and "Allow LAN1 to WAN" rules, but Internet access (through the WAN) did not work. Perhaps this was a false presumption. I've read of people using "Deny from !MyLAN" and "Allow MyLAN to *" style rules, so that's what I've essentially done here. It seems that to allow Internet access, you need to allow a * destination. This seems to go against my methodology, since I then need to explicitly deny traffic from the other networks.
Admittedly, I am not an expert when it comes to firewall rules.
Is there a better way? Am I missing something?
Thanks for your consideration.
EDIT: apparently tables produce white text. Added black tags.
-
Did you try with just the default settings first?
-
> Did you try with just the default settings first?
The default settings I am familiar with block all traffic. At least, that's what was default when I first visited the firewall configuration for LAN1.
-
The last rule in your list looks like a default rule to me.
There should be a similar rule for each LAN interface. Those should allow all LAN traffic to go out the WAN interface. Everything else is blocked by default.
All traffic within a LAN is not seen by pfSense, so there are no rules that can influence it.
-
> The last rule in your list looks like a default rule to me.
> There should be a similar rule for each LAN interface. Those should allow all LAN traffic to go out the WAN interface. Everything else is blocked by default.
> All traffic within a LAN is not seen by pfSense, so there are no rules that can influence it.
Yes, the last rule is configured exactly like LAN0 had it. It seems the LAN interface (LAN0 for this example) has the anti-lockout rule and this one by default. However, OPT interfaces (LAN1, 2, 3 for this example) do not; by default they block all traffic.
This does work for getting Internet access; however, it does not restrict access to all other local networks. This is the major consideration I have.
I was hoping there was a way to allow traffic through the WAN as a specific rule that does not also allow traffic to all networks. Is this possible?
-
Are you sure you are starting out with the default rule set and only adding allow rules for each LAN similar to the default rule for first LAN?
Traffic between LANs (OPTs) should be blocked by default.
-
Yes. I just tried this exact configuration:
| Action | Proto | Source | Port | Destination | Port | Gateway |
|---|---|---|---|---|---|---|
| Allow | * | LAN1 net | * | * | * | * |

The result was:
I had access to the Internet (through WAN).
I had access to all other local networks, served by the LAN0, 2, 3 interface configurations.

The only caveat I can think of is that the interfaces are vnics, each tied to a separate VLAN. Perhaps having them all on a single physical interface is making a difference? I suspect so if the natural behaviour would be to block traffic between interfaces unless specifically allowed somewhere. Still, if pfSense can block traffic from one vnic/VLAN interface to another at all, wouldn't it be the one to decide if the traffic is allowed in this instance as well?
-
I'm doing the rules like the following; I'm going to describe it to you.
On interface WAN just set a rule with source WAN net and destination Any to deny.
iface WAN - WAN net -> Any - Deny
To allow LAN0 to get to WAN try the following (and the same for LAN1, 2 and 3):
Iface LAN0 - LAN0 net -> WAN - Allow
If you want them to communicate with each other you should set a rule for that too!
The rules on top are taking over (if you set "allow all to all" first, on the bottom, and then "deny all to all" on top, the highest rule would take control and you get all data denied).
I hope it helps ;)
EDIT: Don't forget to put the first rule on each Interface - Any -> Any - Deny!
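To make the first-match behaviour discussed in this thread concrete, here is a small evaluator I wrote for this reply (it is not from any post above, and not pfSense code). It replays the LAN1 rule sets posted here against a few constructed flows; the subnets and addresses are made up, since the thread never gives the real addressing.

```python
from ipaddress import ip_address, ip_network

# Constructed subnets (the thread never gives its real addressing)
NETS = {f"LAN{i} net": ip_network(f"192.168.{i}.0/24") for i in range(4)}
LAN1_ADDRESS = "192.168.1.1"  # constructed: the firewall's own LAN1 IP

def matches(field, value):
    """One rule field: '*' is any; else a net name, one address, or a port."""
    if field == "*":
        return True
    if field in NETS:
        return ip_address(value) in NETS[field]
    try:
        want = ip_address(field)
    except ValueError:  # not an address, so compare as a port number
        return str(field) == str(value)
    return ip_address(value) == want

def evaluate(rules, pkt):
    """First-match, as on a pfSense interface tab; no match = default deny."""
    for action, src, dst, dport in rules:
        if (matches(src, pkt["src"]) and matches(dst, pkt["dst"])
                and matches(dport, pkt["dport"])):
            return action
    return "Deny (default)"

# (action, source, destination, destination port), as in the LAN1 tables
OP_RULES = [
    ("Deny", "*", "LAN0 net", "*"),
    ("Deny", "*", "LAN2 net", "*"),
    ("Deny", "*", "LAN3 net", "*"),
    ("Deny", "*", LAN1_ADDRESS, "80"),
    ("Deny", "*", LAN1_ADDRESS, "443"),
    ("Allow", "LAN1 net", "*", "*"),
]
SINGLE_ALLOW = [("Allow", "LAN1 net", "*", "*")]
DENY_ON_TOP = [("Deny", "*", "*", "*")] + SINGLE_ALLOW  # a deny above the allow

# Constructed flows from a LAN1 host: Internet, a host on LAN0, the webGUI
TRAFFIC = {
    "internet": {"src": "192.168.1.50", "dst": "203.0.113.10", "dport": 443},
    "to_lan0": {"src": "192.168.1.50", "dst": "192.168.0.20", "dport": 445},
    "to_webgui": {"src": "192.168.1.50", "dst": LAN1_ADDRESS, "dport": 443},
}

def decisions(rules):
    return {name: evaluate(rules, pkt) for name, pkt in TRAFFIC.items()}
```

Calling `decisions(OP_RULES)`, `decisions(SINGLE_ALLOW)` and `decisions(DENY_ON_TOP)` shows the three outcomes argued over above: the explicit denies followed by the catch-all allow only pass Internet traffic, the single allow rule also passes inter-LAN and webGUI traffic, and a deny placed on top blocks everything.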