Netgate Discussion Forum
    Guest Network

    General pfSense Questions
    18 Posts 5 Posters 18.4k Views
      Mysteerie

      Setup I plan on building:

      Modem --> pfSense box with 3 ethernet ports (port 1 is used by the modem).
      pfSense PORT 2 --> unmanaged switch --> home devices
      pfSense PORT 3 --> wireless router --> guest devices

      My question; what is the best way to protect my home network from my guest devices?

      I don't want my guests to be able to access anything on my home network OR even have their devices see my home devices.

        wallabybob

        @Mysteerie:

        My question; what is the best way to protect my home network from my guest devices?

        I don't want my guests to be able to access anything on my home network OR even have their devices see my home devices.

        pfSense port 2: pfSense LAN interface
        pfSense port 3: pfSense OPT1 interface

        Default firewall rules will allow systems on the LAN interface to access anything and will block systems on OPT1 from any access, so add a firewall rule to OPT1 to pass access to anything EXCEPT the LAN subnet, then reset states (see Diagnostics -> States, click on the Reset States tab, read it, then click the Reset button).

        You should enable DHCP server on OPT1 and the OPT1 subnet needs to be distinct from the LAN subnet and both need to be distinct from the WAN subnet.

          kejianshi

          Beyond setting the two ports to different subnets, I would also add a rule to the TOP of the firewall rules for EACH of LAN and OPT1:

          OPT 1 interface

          BLOCK any with destination LAN subnet

          LAN interface

          BLOCK any with destination OPT1 subnet

          That's it.  The two ports will have access to the world but not each other.

            eddie4

            @kejianshi:

            LAN interface
            BLOCK any with destination OPT1 subnet

            I wouldn't; it's handy that you can connect to guests from your PC. He just wants to protect his own PCs from guests, not guests from himself.

              kejianshi

              In my case, I do protect my guests subnet from mine as well as I protect mine from theirs.
              I can't imagine a scenario where I would need or want to invade their privacy.

              Now, if it's a business, I can agree, but even then I still think it's more secure for YOU if your subnet can't see theirs.

                Mysteerie

                Should block rules come before allow rules?

                Also, here is how I have my firewall rules at the moment, is this correct?

                LAN INTERFACE
                Action  Proto   Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
                BLOCK   IPv4 *  OPT1 net  *     LAN net      *     *        none
                BLOCK   IPv4 *  LAN net   *     OPT1 net     *     *        none

                OPT1 INTERFACE
                Action  Proto   Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
                BLOCK   IPv4 *  LAN net   *     OPT1 net     *     *        none
                BLOCK   IPv4 *  OPT1 net  *     LAN net      *     *        none
                PASS    IPv4 *  OPT1 net  *     *            *     *        none

                  kejianshi

                  Yep.  The firewall acts on the first match in the list, so you have to be sure that the "blocks" are above the "passes".

                  Or so I've heard.  I'm a newbie (-:

                    cmb

                    @Mysteerie:

                    Should block rules come before allow rules?

                    First match wins.

                    @Mysteerie:

                    Also, here is how I have my firewall rules at the moment, is this correct?

                    LAN INTERFACE
                    Action  Proto   Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
                    BLOCK   IPv4 *  OPT1 net  *     LAN net      *     *        none
                    BLOCK   IPv4 *  LAN net   *     OPT1 net     *     *        none

                    OPT1 INTERFACE
                    Action  Proto   Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
                    BLOCK   IPv4 *  LAN net   *     OPT1 net     *     *        none
                    BLOCK   IPv4 *  OPT1 net  *     LAN net      *     *        none
                    PASS    IPv4 *  OPT1 net  *     *            *     *        none

                    The end result is as you want it, but the first rule on LAN and the first rule on OPT1 will never match. All traffic sourced from OPT1 will hit only OPT1 rules, all traffic sourced from LAN will hit only LAN rules.

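The per-interface, first-match evaluation cmb describes, written out as a plain pf ruleset. This is an added illustration, not configuration taken from the thread or generated by pfSense; the interface names (em1, em2) and the two subnets are assumptions. pfSense writes the ruleset it builds from the GUI to /tmp/rules.debug, which is the place to confirm that the rule order pf is actually running matches what the web GUI shows.

```pf
# Added example: hand-written pf equivalent of the LAN / OPT1 rules in this
# thread. Interface names and subnets are assumed for the illustration.
lan_if   = "em1"              # pfSense LAN  (port 2, home devices)
opt1_if  = "em2"              # pfSense OPT1 (port 3, guest wireless)
lan_net  = "192.168.1.0/24"
opt1_net = "192.168.2.0/24"

# Default deny. Anything a "quick" pass rule below does not match is dropped.
block log all

# Rules are evaluated on the interface a packet ENTERS ("in on ..."). Guest
# traffic enters on $opt1_if, so only the OPT1 rules ever see it; a rule on
# LAN with source "OPT1 net" can never match, exactly as cmb says.

# --- LAN (trusted) -----------------------------------------------------
# Same effect as pfSense's default "allow LAN to any" rule. A block above it
# is only needed if LAN hosts should also be kept away from the guests.
pass in quick on $lan_if inet from $lan_net to any

# --- OPT1 (guest) ------------------------------------------------------
# "quick" means first match wins, so the blocks must sit above the pass.
# A destination of "LAN net" does not cover the firewall's own addresses:
# without the second block, guests can still reach the webGUI and SSH on
# the OPT1 gateway IP. "self" expands to every address the firewall owns.
block in quick on $opt1_if inet from $opt1_net to $lan_net
block in quick on $opt1_if inet proto tcp from $opt1_net to self port { 22, 80, 443 }

# DHCP requests come from 0.0.0.0 before a lease exists, which is outside
# $opt1_net, so they need their own rule. (pfSense adds one automatically
# when its DHCP server is enabled on the interface.)
pass in quick on $opt1_if inet proto udp from any port 68 to any port 67

# Everything else from the guest subnet goes out; outbound NAT is handled
# separately and is not shown here.
pass in quick on $opt1_if inet from $opt1_net to any
```

wallabybob's point about resetting states applies here as well: pf consults the ruleset only for the first packet of a connection, so a guest session that was already open before the block line was added keeps flowing until its state entry is cleared (Diagnostics -> States -> Reset States in the GUI, `pfctl -F states` at a shell). Written with the GUI's "not"/invert option instead, the final pass rule would read `to ! $lan_net` and the first block line could be dropped; the explicit block is easier to audit once the ruleset grows.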
                      Mysteerie

                      I removed the first two rules.

                      Though I did have a couple more questions:

                      My pass rule on OPT1 works with the following setting:
                      Action  Proto     Source    Port  Destination  Port       Gateway  Queue
                      PASS    IPv4 *    OPT1 net  *     *            *          *        none

                      Though, when I change it to the following, it no longer works:
                      Action  Proto     Source    Port  Destination  Port       Gateway  Queue
                      PASS    IPv4 TCP  OPT1 net  *     *            80 (HTTP)  *        none
                      OR
                      PASS    IPv4 TCP  OPT1 net  *     *            *          *        none

                      My visitors only need access to websites. Which is why I am trying to restrict to port 80. I also reset states after modifying the rules.

                      2. Would a VLAN bring any extra security in my setup?

                        kejianshi

                        Your guests don't plan to do any banking, chatting, emailing etc.?  No HTTPS sites?

                        Are they in need of media?  No hulu?  No youtube?  No online music?

                          Mysteerie

                          They will need that stuff and I will open those ports.

                          I am just doing port 80 first as a test.

                          But yea, the rule doesn't work if I specify a Protocol (e.g. TCP). Am I missing something?

                            kejianshi

                            Try this.

                            Put your pass-all rule back into the firewall rules for OPT1.  The rule that works.

                            Then create a new rule and put it before the pass-all rule.

                            Make that new rule block all that is not HTTP (port 80).

                            Basically you will be creating the same rule you have that isn't working, making it come right before your pass-all rule, only make it block instead of pass, click the "invert sense" button in that destination and make sure it's HTTP.

                            Understand?

                              wallabybob

                              @Mysteerie:

                              But yea, the rule doesn't work if I specify a Protocol (e.g. TCP). Am I missing something?

                              Did you reset states after adding the rule? See Diagnostics -> States, click on Reset States tab, read and then click on the Reset button.

                              Forgetting to do this has tripped me up a number of times.

                                cmb

                                Only allowing TCP won't allow DNS. You'll be able to browse to HTTP by IP only with the above TCP-only rules.

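A web-only variant of the OPT1 rules that includes the DNS rule cmb points out. This is an added example in pf syntax, not from the thread and not pfSense's generated output; the interface name and subnets are assumptions as before. A guest rule limited to TCP fails name resolution because resolvers send queries over UDP/53 and fall back to TCP/53 only for answers that do not fit in a UDP response, so sites are reachable by IP but not by name.

```pf
# Added example: guest subnet allowed DNS and web only. Names and subnets are
# assumptions; everything not passed below is dropped by "block log all".
opt1_if   = "em2"
lan_net   = "192.168.1.0/24"
opt1_net  = "192.168.2.0/24"
web_ports = "{ 80, 443 }"

block log all

# Isolation first (first match wins): no LAN, no firewall management ports.
block in quick on $opt1_if inet from $opt1_net to $lan_net
block in quick on $opt1_if inet proto tcp from $opt1_net to self port { 22, 80, 443 }

# DHCP: clients have no address yet, so "from $opt1_net" would not match.
pass in quick on $opt1_if inet proto udp from any port 68 to any port 67

# DNS: UDP is the normal transport, TCP the fallback for truncated answers.
# This is the line a "TCP only" rule set is missing; without it a browser
# can reach a site by IP address but not by hostname.
pass in quick on $opt1_if inet proto { tcp, udp } from $opt1_net to any port 53

# Web browsing. HTTPS is needed for practically everything, as kejianshi
# notes, so 443 goes in alongside 80.
pass in quick on $opt1_if inet proto tcp from $opt1_net to any port $web_ports

# No pass for ICMP, so "ping" from a guest fails by design; test with a
# browser, not with ping, before concluding the rules are broken.
```

This style only scales to a short list of services; once guests need mail, chat and streaming the list grows quickly, and a pass-all rule beneath the two block lines, paired with a content filter or traffic shaper, is the more maintainable design. The `inet` keyword limits these rules to IPv4, matching the "IPv4" rules in the GUI; if OPT1 ever carries IPv6, either add matching `inet6` rules or leave IPv6 to the default deny. Whichever style is used, reset states after editing so existing guest connections are re-evaluated against the new rules.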
                                  kejianshi

                                  So, he would at minimum have to allow port 53, allow ports 80 and 443 and allow all the ports above the service ports 1024-65535 and block specific ports associated with specific protocols he didn't want then?  Like P2P or whatever?
                                  Any more service ports that should be allowed?

                                    kejianshi

                                    So, based on the reply that you are blocking DNS, I got to looking at ports in common usage that are somewhat required.  There are so many in the service port range and so many for sure above 1024 that it seems like a draconian set of firewall rules won't work for you unless you do a lot of firewall rule typing.

                                    CMB was probably too busy laughing at my previous suggestion to point that out, but I think if you try to lock down your visitor subnet from your LAN, that's easy.  If you plan to lock them down somewhat from the internet while still leaving a functioning internet, that's going to be hard with a lot of firewall rules.  Perhaps you should leave their internet open to the web and install a content filter instead, assuming it's content you are interested in blocking.  Or set up a traffic shaping rule if it's bandwidth you are interested in preserving?

                                      Mysteerie

                                      Can't believe I forgot about DNS port (53), lol. I opened that up and it worked as I wanted.

                                      Though, yea, I most likely won't restrict it like above; I just wanted to see if it was possible.

                                      Going from a home router to pfsense is a world of difference; so thank you guys for answering all my questions, I am just learning still.

                                      Last question for this thread:

                                      Would a VLAN bring anything extra to my setup? (I am guessing no, and it's only needed if I wanted to split a physical managed switch.)

                                        kejianshi

                                        Yep - I learned something also.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.