Guest Network

Mysteerie · Jul 3, 2013, 3:37 AM

Setup I plan on building:

Modem –> pfSense box with 3 ethernet ports (port 1 is used by the modem).
pfSense PORT 2 --> unmanaged switch --> home devices
pfSense PORT 3 --> wireless router --> guest devices

My question; what is the best to protect my home network from my guest devices?

I don't want my guest to be able access anything on my home network OR even have their devices see my home devices.

wallabybob · Jul 3, 2013, 11:10 PM

@Mysteerie:

My question; what is the best to protect my home network from my guest devices?

I don't want my guest to be able access anything on my home network OR even have their devices see my home devices.

pfSense port 2: pfSense LAN interface
pfSense port 3: pfSense OPT1 interface

Default firewall rules will allow systems on LAN interface to access anything and will block systems on OPT1 from any access so add a firewall rule to OPT1 to pass access to anything EXCEPT LAN subnet then reset states (see Diagnostics -> States, click on Reset States tab read then click the Reset button).

You should enable DHCP server on OPT1 and the OPT1 subnet needs to be distinct from the LAN subnet and both need to be distinct from the WAN subnet.

kejianshi · Jul 4, 2013, 2:41 AM

Beyond setting the two ports to different subnets, I would also add a rule to the TOP of the firewall rules for EACH LAN and OPT1:

OPT 1 interface

BLOCK any with destination LAN subnet

LAN interface

BLOCK any with destination OPT1 subnet

Thats it. The two ports wil have access to the world but not each other.

eddie4 · Jul 4, 2013, 7:06 PM

@kejianshi:

LAN interface
BLOCK any with destintion OPT1 subnet

I wouldn't it's handy you can connect to guests from your pc he just wants to protect his own pc's from guests not guests from him self.

kejianshi · Jul 4, 2013, 7:46 PM

In my case, I do protect my guests subnet from mine as well as I protect mine from theirs.
I can't imagine a scenario where I would need or want to invade their privacy.

Now, if its a business, I can agree but even then, I still think its more secure for YOU if your subnet can't see theirs.

Mysteerie · Jul 4, 2013, 11:52 PM

Should block rules should come before allow rules?

Also, here is how I have my firewall rules at the moment, is this correct?

LAN INTERFACE
Proto Source Port Destination Port Gateway Queue Schedule Description
(BLOCK) IPv4 * OPT1 net * LAN net * * none
(BLOCK) IPv4 * LAN net * OPT1 net * * none

OPT1 INTERFACE
Proto Source Port Destination Port Gateway Queue Schedule Description
(BLOCK) IPv4 * LAN net * OPT1 net * * none
(BLOCK) IPv4 * OPT1 net * LAN net * * none
(PASS) IPv4 * OPT1 net * * * * none

kejianshi · Jul 4, 2013, 11:58 PM

Yep. The firewall acts on the first match in the list, so you have to be sure that the "blocks" are above the "passes".

Or so I've heard. I'm a newbie (-:

cmb · Jul 5, 2013, 3:22 AM

@Mysteerie:

Should block rules should come before allow rules?

First match wins.

@Mysteerie:

Also, here is how I have my firewall rules at the moment, is this correct?

LAN INTERFACE
Proto Source Port Destination Port Gateway Queue Schedule Description
(BLOCK) IPv4 * OPT1 net * LAN net * * none
(BLOCK) IPv4 * LAN net * OPT1 net * * none

OPT1 INTERFACE
Proto Source Port Destination Port Gateway Queue Schedule Description
(BLOCK) IPv4 * LAN net * OPT1 net * * none
(BLOCK) IPv4 * OPT1 net * LAN net * * none
(PASS) IPv4 * OPT1 net * * * * none

The end result is as you want it, but the first rule on LAN and the first rule on OPT1 will never match. All traffic sourced from OPT1 will hit only OPT1 rules, all traffic sourced from LAN will hit only LAN rules.

Mysteerie · Jul 5, 2013, 4:49 AM

I removed the first two rules.

Though I did have a couple more questions:

My pass rules on OPT1 works with the following setting:
(PASS) IPv4 * OPT1 net * * * * none

Though, when I change it following, it will no longer work:
(PASS) IPv4 TCP OPT1 net * * 80 (HTTP) * none
OR
(PASS) IPv4 TCP OPT1 net * * * * none

My visitors only need access to websites. Which is why I am trying to restrict to port 80. I also reset states after modifying the rules.

2. Would a vlan bring any extra security in my setup?

kejianshi · Jul 5, 2013, 5:13 AM

You guests don't plan to do any banking, chatting, emailing etc? No HTTPS sites?

Are they in need of media? No hulu? No youtube? No online music?

Mysteerie · Jul 5, 2013, 6:34 AM

They will need that stuff and I will open those ports.

I am just doing port 80 first as a test.

But yea, the rule doesn't work if I specify a Protocol (e.g. TCP). Am I missing something?

kejianshi · Jul 5, 2013, 6:50 AM

Try this.

Put your pass all rule back in to the firewall rules for opt1. The rule that works.

Then create a new rule and put it before the pass all rule.

Make that new rule to block all that is not HTTP (port 80).

Basically you will be creating the same rule you have that isn't working, making it come right before your pass all rule only make it block instead of pass and click the "invert sense" button" in that destination and make sure its HTTP.

Understand?

wallabybob · Jul 5, 2013, 8:34 AM

@Mysteerie:

But yea, the rule doesn't work if I specify a Protocol (e.g. TCP). Am I missing something?

Did you reset states after adding the rule? See Diagnostics -> States, click on Reset States tab, read and then click on the Reset button.

Forgetting to do this has tripped me up a number of times.

cmb · Jul 5, 2013, 11:52 AM

Only allowing TCP won't allow DNS. You'll be able to browse to HTTP by IP only with the above TCP-only rules.

kejianshi · Jul 5, 2013, 5:56 PM

So, he would at minimum have to allow port 53, allow ports 80 and 443 and allow all the ports above the service ports 1024-65535 and block specific ports associated with specific protocols he didn't want then? Like P2P or whatever?
Any more service ports that should be allowed?

kejianshi · Jul 5, 2013, 6:18 PM

So, based on the reply that you are blocking DNS, I got to looking at ports in common usage that are somewhat required. There are so many in the service port range and so many for sure above 1024 that it seems like a draconian set of firewall rules won't work for you unless you do a lot off firewall rule typing.

CMB was probably too busy laughing at my previous suggestion to point that out, but I think if you try to lock down your visitor subnet from your LAN, thats easy. If you plan to lock them down somewhat from the internet while still leaving a functioning internet, thats going to be hard with a lot of firewall rules. Perhaps you should leave their internet open to the web and install a content filter instead, assuming its content you are interested in blocking. Or set up a traffic shaping rule if its bandwidth you are interested in preserving?

Mysteerie · Jul 6, 2013, 1:31 AM

Can't believe I forgot about DNS port (53), lol. I opened that up and it worked as I wanted.

Though, yea, I will most likely won't restrict it like above; I just wanted to see if it was possible.

Going from a home router to pfsense is a world of difference; so thank you guys for answering all my questions, I am just learning still.

Last question for this thread:

Would vlan bring anything extra to my setup? (I am guessing no and it's only needed if it I wanted to split a physical managed switch).

kejianshi · Jul 6, 2013, 1:38 AM

Yep - I learned something also.