Netgate Discussion Forum

Creating rules for LAN Networks

Firewalling
robina80
last edited by Nov 2, 2013, 6:28 PM

hi all,

I have installed pfSense on my computer, which has 4 NICs: "WAN", "DMZ" and 2 other LANs, one labelled "public" and the other "server".

basically I want to create rules so the "server" network can talk to the others but def NOT the other way round.

many thanks for your help in advance

rob
robina80
last edited by Nov 19, 2013, 9:44 AM

any help on how to go about this?

I want the server LAN to talk to the public LAN but I DON'T want the public LAN to talk to the server LAN.

thanks
georgeman
last edited by Nov 19, 2013, 7:46 PM

On the "server" interface, keep the allow-all rule as usual.
On the other interfaces, add a blocking rule with destination "server net" above the "allow all" rule.

If it ain't broke, you haven't tampered enough with it
SysIT
last edited by Nov 20, 2013, 6:44 PM

The fun part about blocking specific traffic between LAN networks is that you have to dig down into all of the Windows / Linux servers and protocols and what ports they use.

Consider things like DNS, NetBIOS, network shares and so on, depending on whether you're using Windows or Linux or both.

It is usually easier to just allow all ports below 1024 out to cover them all vs making very specific rules.

¸,ø¤°`°¤ø,¸© Poor Planning On Your Part Does Not Constitute An Emergency On My Part ©¸,ø¤°`°¤ø,¸
¸,ø¤°`°¤ø,¸© The trouble with life is there's no background music ©¸,ø¤°`°¤ø,¸
¸,ø¤°`°¤ø,¸© Life isn't short, you're just dead for too long ©¸,ø¤°`°¤ø,¸
robina80
last edited by Nov 21, 2013, 5:32 PM

so if I'm right in saying, in the firewall setup rule 1 is the default rule, let's say I deny all traffic in/out,
but
if I create rule 2 so that the server LAN can talk to the public LAN, it will override rule 1 as this is before rule 1?

does that make sense?

rob
johnpoz LAYER 8 Global Moderator
last edited by Nov 21, 2013, 10:22 PM

Why you would call a LAN segment "public" is beyond me..

Where do you want your other segments to be able to talk? Out to the internet, which I assume is your WAN interface?

So your setup is pic 1? Please point out if your setup is different.

So everyone should be able to talk out the WAN and to the internet. And the Server segment should be able to create traffic to DMZ and Public. But DMZ and Public should not be able to create traffic to either each other or Server.

So Server's rules are just allow all any any. Easy, this should be your default LAN rules. Let's assume that DMZ and Public are your OPT1 and OPT2 interfaces and have NO rules to start with.

I would create 2 aliases - you could do it with one, but 2 makes it clearer.

Call 1 Server-DMZ
Call 2 Server-Public

So in 1 you put Server LAN and DMZ LAN – kind of like the second pic

Where I have my LAN and wireless

Then in 2 put Server LAN and your Public LAN

Then on those interfaces create a rule like what I have on my DMZ interface - 3rd pic

Where I say you can go anywhere as long as it's not locals (!Locals), you would use your aliases

So on your Public interface you would use alias 1 Server-DMZ and use ! (not), so you would say hey Public, you can go anywhere as long as it's not Server or DMZ

Then on the DMZ interface use alias 2 Server-Public with not ! -- which says hey DMZ, you can go anywhere except for Server and Public.

So in that setup any IPs in the Server segment could create traffic to DMZ or Public and DMZ or Public could answer, but DMZ or Public could not start a conversation or create traffic into Server or Public.

Does that help?

[Attachments: network.jpg, aliases.png, examplenotrule.png]

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
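The two rule layouts proposed in this thread (georgeman's block rule placed above the allow-all rule, and johnpoz's single pass rule with a negated alias) both rely on the same fact: pfSense evaluates the rules on an interface from the top down and the first matching rule wins, and any traffic matching no rule hits the implicit default deny; reply packets for a passed connection are allowed by the state table rather than by a separate rule. The following Python simulation is an added example, not code from the thread or from pfSense, that models both layouts and the state-table behaviour so the expected outcomes can be checked. The subnet addresses, the use of a constructed internet address 203.0.113.10, and the contents of the aliases are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example subnets for the four-NIC setup in the thread (assumed values).
NETS = {
    "server": ipaddress.ip_network("192.168.10.0/24"),
    "public": ipaddress.ip_network("192.168.20.0/24"),
    "dmz":    ipaddress.ip_network("192.168.30.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Aliases as johnpoz describes them, plus the built-in "any" and the
# "<interface> net" destination that georgeman's block rule uses.
ALIASES = {
    "any":           [ANY],
    "server net":    [NETS["server"]],
    "Server-DMZ":    [NETS["server"], NETS["dmz"]],
    "Server-Public": [NETS["server"], NETS["public"]],
}


@dataclass
class Rule:
    action: str            # "pass" or "block"
    dst_alias: str         # destination alias name
    negate: bool = False   # the "not" (!) checkbox on the destination

    def matches(self, dst_ip):
        inside = any(dst_ip in net for net in ALIASES[self.dst_alias])
        # "!alias" matches exactly when the destination is outside the alias
        return inside != self.negate


def evaluate(ruleset, dst_ip):
    """Top-down, first-match evaluation of one interface's rules.
    Traffic matching no rule falls through to the implicit default deny."""
    for rule in ruleset:
        if rule.matches(dst_ip):
            return rule.action
    return "block"


# johnpoz's layout: one pass rule per interface with a negated alias.
RULES_ALIAS = {
    "server": [Rule("pass", "any")],
    "public": [Rule("pass", "Server-DMZ", negate=True)],
    "dmz":    [Rule("pass", "Server-Public", negate=True)],
}

# georgeman's layout: a block rule for "server net" above the allow-all rule.
RULES_BLOCK_FIRST = {
    "server": [Rule("pass", "any")],
    "public": [Rule("block", "server net"), Rule("pass", "any")],
    "dmz":    [Rule("block", "server net"), Rule("pass", "any")],
}


def can_initiate(rulesets, src_if, dst_ip):
    """Can a host on interface src_if open a new connection to dst_ip?
    Rules on an interface apply to traffic entering the firewall on it."""
    return evaluate(rulesets[src_if], ipaddress.ip_address(dst_ip)) == "pass"


@dataclass
class StateTable:
    """Minimal model of stateful filtering: a passed connection creates a
    state entry, and replies matching that entry are allowed without a rule."""
    states: set = field(default_factory=set)

    def open(self, rulesets, src_if, src_ip, dst_ip):
        if not can_initiate(rulesets, src_if, dst_ip):
            return False
        self.states.add((src_ip, dst_ip))
        return True

    def reply_allowed(self, from_ip, to_ip):
        return (to_ip, from_ip) in self.states


if __name__ == "__main__":
    for name, rules in (("alias", RULES_ALIAS), ("block-first", RULES_BLOCK_FIRST)):
        print(name, "server->public:", can_initiate(rules, "server", "192.168.20.5"))
        print(name, "public->server:", can_initiate(rules, "public", "192.168.10.5"))
        print(name, "public->dmz:   ", can_initiate(rules, "public", "192.168.30.5"))
```

Running it shows the one place the two layouts differ: georgeman's minimal block-first rule only protects the Server segment, so Public can still open connections to DMZ, whereas johnpoz's negated two-network aliases also keep DMZ and Public from reaching each other. In both layouts the Server segment can reach Public and DMZ, and their replies ride on the state created by Server's outbound connection.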
robina80
last edited by Nov 28, 2013, 10:06 PM

sorry for the delayed reply, this is great help, thanks a lot for your help!!!

so basically set up different aliases and give the aliases different rules to talk to different aliases