New to PFSense…couple of questions
-
The principle is good - you want to allow only the traffic that is wanted, and let the default block action drop everything else, whatever it is. The problem with that going out WAN is that actually you want VLAN2GUESTWIRELESS to be allowed to all public IPs out there on the internet - it is more difficult to specify all the possible public IPs than to specify "not the private IP subnet/s on your other LANs".
Your rule as-is does the job nicely. If you make more LANs in future, then you can make an alias containing all the LAN subnets you want blocked off - call it, say, ProtectedSubnets, then put !ProtectedSubnets in the destination of your general pass rule.
Or you can put a block rule before the pass rule. Make it block destination "LAN subnet" / "ProtectedSubnets".
More than 1 way to skin a cat.
-
Yes, I agree. What you have done is good.
One thing to be aware of is that you may (though it's not really a problem) not want wireless guests to be able to access the pfSense webgui. You can block access to it on the VLAN2GUESTWIRELESS interface easily enough but guests will still be able to access it on the WAN interface. That caught me out before I realised what was happening. Like I say though it's not much of a risk.
Steve
-
So you're saying I should also create a rule NOT allowing access to 192.168.2.1? Or anything on that subnet probably, right? I just want anyone connected to that to see the internet, and not be able to see each other.
-
Yes, you probably want people on the guest wireless to access the public internet only. However they will need access to the DNS forwarder at 192.168.2.1. Personally I have a rule that allows only traffic to !192.168.1.0/16 plus a rule to access the DNS forwarder and a block rule to prevent access to the WAN address.
Steve
-
Can you elaborate a little more please, especially on the last two? Maybe show me a screengrab of the rules? This is all new to me, including the terminology.
Thanks,
Dan
-
See attached screen shot of my firewall rules for the WIFI2 interface, which I use for guest wireless.
I have an alias set up that contains a list of my local subnets named LOCAL. In fact it just contains 192.168.0.0/16 because I was lazy creating it. ::) Looking at it again now I'm wondering if I could add the WAN address aliases to it. Hmm. Also I have two WAN interfaces so the load-balanced gateway is specified in the allow rule.
Steve
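As an added illustration, not code from the posts or from pfSense itself: a small Python model of pfSense's first-match rule evaluation for the three-rule guest scheme Steve describes (pass to the DNS forwarder, block the WAN address, pass to !LOCAL), using the LOCAL alias of 192.168.0.0/16 from this post. The DNS forwarder address 192.168.2.1 is from the thread; the WAN address 203.0.113.10 and the sample packets are constructed.

```python
"""Model of first-match evaluation for a pfSense guest-VLAN rule set.

Constructed example: rule set and sample packets are not from the original posts.
Anything no rule matches falls through to pfSense's implicit default block.
"""
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                            # "pass" or "block"
    proto: Optional[str]                   # None matches any protocol
    dst: Optional[ipaddress.IPv4Network]   # None matches any destination
    negate_dst: bool                       # models the destination "not" (!) checkbox
    dport: Optional[int]                   # None matches any destination port
    label: str

LOCAL = ipaddress.ip_network("192.168.0.0/16")         # alias LOCAL from the thread
GUEST_GW = ipaddress.ip_network("192.168.2.1/32")       # guest VLAN gateway / DNS forwarder
WAN_ADDR = ipaddress.ip_network("203.0.113.10/32")      # constructed placeholder WAN address

# Order matters: the DNS pass must come before the negated pass, which never
# matches a LOCAL destination, and the WAN block must come before any pass.
GUEST_RULES = [
    Rule("pass", "udp", GUEST_GW, False, 53, "allow DNS forwarder"),
    Rule("block", None, WAN_ADDR, False, None, "block WAN address (webgui reachable there)"),
    Rule("pass", None, LOCAL, True, None, "pass to !LOCAL (internet only)"),
]

def evaluate(rules, proto, dst_ip, dport):
    """Return (action, label) of the first matching rule, else the default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        # A destination matches when membership agrees with the (non-)negated sense.
        if r.dst is not None and ((dst in r.dst) == r.negate_dst):
            continue
        return r.action, r.label
    return "block", "default deny"

if __name__ == "__main__":
    samples = [("udp", "192.168.2.1", 53), ("tcp", "192.168.2.1", 443),
               ("tcp", "203.0.113.10", 443), ("tcp", "192.168.1.50", 445),
               ("tcp", "198.51.100.7", 443)]
    for proto, ip, port in samples:
        print(f"{proto} -> {ip}:{port}: {evaluate(GUEST_RULES, proto, ip, port)}")
```

The model shows why the webgui on 192.168.2.1 stays unreachable from the guest VLAN (TCP 443 to the gateway matches no pass rule and hits the default deny) while DNS to the same address is allowed.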
-
This is all really over my head…LOL.
So, I edited the "no GUI" rule and just blocked all traffic on the guest WiFi VLAN that was going to 192.168.2.1. Works great. I can still access it if I want to (why would I?) from the main network, but you can't access it from the guest network.
Next goal, and maybe you can help me with this, is to somehow restrict the websites my kids can go to on their new iPads (Christmas gift).
My initial thought is that I create a 3rd WiFi network for them. Currently I have HH-Secure and HH_Guest. I'm thinking of adding HH-Kids. Is there an easier way though?
What I want to do is whitelist a small group of websites that they're allowed to go to. Ideally if they try to go to a website that IS NOT on the whitelist, they will be prompted for a username/password to add that site to the whitelist. This way when my wife realizes they want to go to "CoolNewCartoon.com" and she determines it's safe, she can quickly just give them access on their device without me having to edit the firewall rules. Is that even possible?
I think I'll start a new thread for that, as it may be relevant to others as well.
-
You would usually do that with Squid and SquidGuard (or DansGuardian) but if you have a sufficiently small number of sites you might just do it with firewall rules or some sort of captive portal exceptions list. To be honest it might be easiest to do it directly on the iPad, I'm sure there are any number of parental restriction apps available (there are for Android certainly).
Interesting what you say about your firewall rule. So you have blocked access to the host interface completely but DNS queries are still getting through? Hmm, been a while since I set mine up. Might have been under pfSense 1.2.3 and a lot has changed since then.
Steve
-
I'm going to be honest Stephen. I have no idea what the last paragraph/sentence of your post means.
I don't know how long the list of sites will be, or end up being. I'm most interested in the ability for the kids to try and view a site for the first time, i.e. disney.com, and it prompting for a username/password. My wife can then decide if she wants that to be a site they can access, and if so…she can fill out whatever credentials are required (on the device, in this case, the kids' iPad) and they will be allowed to access that site from that point forward.
Does that make sense?
-
Ah, sorry about that. :)
It's often a delicate balancing act, here on the forum, between coming across incredibly patronising or spouting indecipherable code. Either one can be insulting or confusing or both!
Can you show us a screen shot of your firewall rule? If it's working OK for you then don't worry about it.
I'm not sure any of the filtering solutions in pfSense will meet your requirements as you have described. All of them would require logging into pfSense and manually making changes, some admin work. I have almost no experience with on-device content filtering, none at all on the iPad, but it seems more likely to work in your scenario.
Steve