Netgate Discussion Forum
    1 WAN share with Multi LAN (different subnet) + DMZ
    20 Posts 3 Posters 37.6k Views

      Wepee

      Hi All,

      I have gone through the pfSense 2.1 draft guide and done a lot of Google searching about this
      topic, and went to the forum to look for answers, but I am still running into dead ends.

      So I am wondering what I could possibly have got wrong in my configuration? :'(

      I found this on the pfSense wiki about Multi-LAN Setup:

      But the information on this wiki is very brief and it did not help me much.

      My Goal:

      1. Creating LAN 1 = for company users in the company only.

      2. Creating LAN 2 = for guest users in the company who have restricted access to the internet
        only; only certain TCP traffic is allowed, like HTTP+HTTPS, DNS, SMTP, POP, IMAP.

      3. Creating DMZ = for the webserver; outside WAN traffic cannot gain access to the local network at LAN1.

      Note, it would be a lot easier to use VLANs on pfSense and a VLAN switch to achieve my goal.
      But that is not the point here; the point is to prove whether Multi LAN is doable or not! :D

      I suspect, I have messed up my firewall rules.

      Currently, I have the following set up and running:

      1 WAN - using ADSL modem

      3 Subnets, 3 network cards installed on the pfSense PC.

      PC network configuration:
      IP = 192.168.3.2 (Testing PC)
      Subnet Mask = 255.255.255.0
      Default Gateway  = 192.168.3.1
      Preferred DNS server = 192.168.1.1 (pfSense Server)

      LAN 1 = 192.168.1.0/24 subnet (main network), left Gateway = None (Working fine, no problem)

      LAN 2 = 192.168.3.0/24 subnet - using OPT2 - OPT2VIANIC, left Gateway = None (problematic)

      DMZ = 192.168.2.0/24 subnet - using OPT1- OPT1DMZ, left Gateway = None (problematic)

      If I go to System-> Routing-> System: Gateways
      My default gateway is the following:

      Name = WANSISNIC_PPPOE (default) -> using as the default gateway.
      Interface = WANSISNIC
      IP = 192.228.196.254 (public WAN IP address- dynamic IP)
      Monitor IP = 192.228.196.254
      Description = Interface WANSISNIC_PPPOE Gateway

      If I go to Services-> DNS Forwarder-> Services: DNS forwarder
      DNS forwarder = ENABLED
      Interface = ALL available interfaces (highlighted in light blue)

      By default in pfSense, there are NO Firewall Rules in OPT.

      So, I followed the pfSense wiki on creating the LAN + DMZ rules:
      https://doc.pfsense.org/index.php/Example_basic_configuration

      I started off by creating rules for ICMP (ping) and HTTP traffic for
      LAN 2 = 192.168.3.0/24 subnet - using OPT2

      Below is a screenshot of my Firewall rule configuration settings:

      The result is:
      Pinging from 192.168.3.2 to 192.168.3.1 (the pfSense network interface for OPT2VIANIC) works, getting replies.
      Pinging from 192.168.3.2 to www.yahoo.com works, getting replies.

      Browsing the internet: typing www.yahoo.com in the browser, it fails to load.
      Have I done the correct firewall setting? :-[

      I would appreciate it if someone can give me some tips in solving my problem.

      Thank you.


        nwebber

        Yahoo uses https (port 443) … and redirects you there even if you started on http (80). Many other sites also do that. Add another rule allowing https.


          johnpoz LAYER 8 Global Moderator

          Also your 2nd and 3rd rules are pointless.. In the first rule you allow udp/tcp 53 to anywhere, so a 2nd rule allowing it to 192.168.1.1 is meaningless.

          The 3rd rule allows icmp to the segment the interface is on.. Rules are inbound to the interface, so a client on that network pinging another device on that network would never even talk to the pfsense interface.

          And then the rule below that says anything on that network can ping anything anyway..  But if you want to allow ping to the host, then the dest would be the OPT2VIANIC address, not OPT2VIANIC net.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11


            Wepee

            @nwebber:

            Yahoo uses https (port 443) … and redirects you there even if you started on http (80). Many other sites also do that. Add another rule allowing https.

            Ok, I will add a firewall rule for HTTPS traffic and see whether I can browse or not. :D

            Thanks.


              Wepee

              @johnpoz:

              Also your 2nd and 3rd rules are pointless.. In the first rule you allow udp/tcp 53 to anywhere, so a 2nd rule allowing it to 192.168.1.1 is meaningless.

              Yes, you are correct, one of the rules is redundant! :P


                Wepee

                Hi All,

                Ok, after being busy with work for several days, I am coming back to this project…..
                I am still back to square 1. That is, the problem is still unsolved, after I had another
                attempt at trying different firewall rule configurations.

                I just couldn't get my LAN PC to ping the PC on the other subnet = 192.168.3.2/24

                The PC at 192.168.3.2/24 cannot browse the Internet, even though I have stuck in
                a rule for http + https traffic to flow in from WAN to the 192.168.3.1 interface.

                I am confused about setting the firewall rules in pfSense.

                I have uploaded a diagram in this post, and hopefully someone can
                give me some advice on how the Firewall Rules actually work.

                Questions

                1. The Firewall rule is actually the ingress filtering for pfSense, correct? ::)

                2. If it is really dealing with ingress filtering, then the Firewall rule is where you
                  configure the filtering rule for INCOMING TRAFFIC (A), and it does not apply
                  to OTHER TRAFFIC, am I correct? ???

                3. How about INCOMING TRAFFIC (B), which is the outgoing traffic from the 192.168.3.2 PC
                  entering the 192.168.3.1 interface; does the pfSense Firewall rule also do filtering on this traffic as well?  :-[

                Most appreciated if someone can guide me here! Many thanks! :D


                  johnpoz LAYER 8 Global Moderator

                  Dude this is not difficult.  Yes rules are inbound to the interface..

                  If you want lan to ping opt2 then the rule is on the lan interface..  Return traffic is taken care of by the state.

                  This points me to you putting the rules in the wrong place
                  "I have stick in a rule for http + https traffic to flow in from WAN to the 192.168.3.1 interface."

                  That does what?  Do you want to NAT inbound traffic (port forward to pfsense lan interface?)

                  If you want clients on lan to talk to the internet, then LAN rules need to allow the ports you want - http and https are kind of a given to allow.

                  Why do you have dns set to 192.168.1.1 on your dmz and opt2??  Do you have rules allowing that? They should point to the IP of the pfsense interface in that network, 2.1 and 3.1 for dns.  Your dns forwarder would normally be listening on all pfsense IPs.

                  This really is click click done..  Quite often I see users having software firewalls on the boxes - so for example, by default a windows box in opt2 is not going to answer ping from the lan network..  By default it only answers to stuff in its own segment.  You need to either adjust your local firewalls or disable them in this sort of setup.

                  In setting firewall rules in pfsense - think of yourself as the client talking to pfsense - so the interface you talk to..  Where do you want to allow the traffic to go??  From the client on that segment rules are inbound to pfsense – from the client's point of view, rules show where it can go!!  Return traffic is taken care of by the state table.

                  Now you can get fancier with outbound rules using float, but let's not go there until you have your segments talking to each other ;)


                    Wepee

                    Hi John,

                    As you can see I am not an experienced network geek here.
                    But thank you for offering your guide. :D

                    Please let me say this: pfSense firewall rule examples are hard to
                    find. I have googled this topic a lot, but found none.
                    Hopefully my findings in the forum will shed some light on
                    how it actually works. ;)

                    Ok, let me digest your information slowly…..

                    @johnpoz:

                    Dude this is not difficult.  Yes rules are inbound to the interface.

                    So, is incoming traffic (B) shown above - coming from the subnet 192.168.3.2 -
                    heading towards the 192.168.3.1 interface considered inbound to the interface, and therefore
                    pfSense firewall rules can be used to filter this incoming traffic?? Am I right? Am I wrong?  ???

                    OR

                    Do pfSense firewall rules only work on incoming traffic (A) shown above - traffic already
                    flowing inside the pfSense PC? ???


                      Wepee

                      @johnpoz:

                      This points me to you putting the rules in the wrong place
                      "I have stick in a rule for http + https traffic to flow in from WAN to the 192.168.3.1 interface."

                      That does what?  Do you want to NAT inbound traffic (port forward to pfsense lan interface?)

                      If you want clients on lan to talk to the internet, then LAN rules need to allow the ports you want - http and https are kind of a given to allow.

                      No, actually I want 192.168.3.2, or clients on the 192.168.3.0/24 network, to surf the internet.
                      Also allow clients to have…......

                      1. Creating LAN 2 = for guest users in the company who have restricted access to the internet
                        only; only certain TCP traffic is allowed, like HTTP+HTTPS, DNS, SMTP, POP, IMAP.
                        johnpoz LAYER 8 Global Moderator

                        Not sure what you're googling - but the first hit on pfsense firewall rules points to

                        https://doc.pfsense.org/index.php/Firewall_Rule_Basics

                        The first lines tell you how the rules are interpreted:
                        Firewall rules control what traffic is allowed to enter an interface on your firewall. Once traffic is passed on the interface it enters, an entry in the state table is created, which allows through subsequent packets that are part of that connection.

                        Firewall rules are processed from the top down, and the first match wins. The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed.

                        So not sure how that is not clear, but I can try and explain it better?  As I already stated, traffic is seen into the interface; where do you want the traffic to go, or what do you want to do with the traffic based upon its destination IP and port, and less so the source of the traffic.  Almost always the source will be your segment network, with a port of any.

                        So let's take a look at your rules

                        So a client on the opt2 network wants to go to www.yahoo.com – so the first thing would be a dns query for the IP address of www.yahoo.com -- so a udp packet to port 53 on the IP address set up in your client..  That hits the pfsense opt2 interface and goes down the rules.  Oh look at that, the first rule says any any to udp/tcp 53 is allowed.. So traffic is allowed.. The answer to this will be allowed because a state was created.

                        So your client gets back the answer www.yahoo.com is 1.2.3.4 -- so it sends traffic from its IP (on the opt2 network), source port some random one above 1024, to 1.2.3.4 on port 80.. So let's look at the rules.  The first 4 rules don't apply - so this last rule says any IP on the opt2 network from any source port going anywhere on port 80 is allowed -- that rule lets the traffic pass.  Now you get your answer from yahoo, because of the state table.  But that traffic says hey, go to https (443) at this url..  So your client sends new traffic going to 1.2.3.4 on 443..  None of your rules allow that - so you hit the default block and packets are not allowed to pass through pfsense.  So you don't get your yahoo.com page.

                        So you need to create a rule just like your last one, but for port 443

                        If you want to ping your dmz..  Walk through the rules again.. So your 4th rule says an IP on the opt2 network on ipv4 icmp is allowed - so traffic is allowed, pfsense creates a state and sends it to the IP you're sending to.. This happens to be on your opt1dmz network - so pfsense sends it out.  Does not matter if you have any rules on opt1dmz or not.. The traffic would be allowed back via the state table.  So if this is not working, look to the firewall on the opt1dmz host.

                        Now if a client on opt1dmz wants to ping a client on opt2 you would need a rule on the opt1dmz interface that is like your 4th rule on opt2..  But changing the source to be your opt1dmz network.

                        Rules are INBOUND to the interface..  This is all you need to worry about for basic rules.  Return traffic will be allowed via the state table; you do not need to create rules for the return traffic.  You only have to create rules for unsolicited inbound traffic to the interface.  Be it that the dest is the actual interface IP or some other IP beyond that interface - be it another network segment on pfsense, or the internet.

                        So for example let's look at my dmz rules

                        So you can see my first rule says hey - if you're from the dmz segment and talking to udp 123 (ntp) and you're going to 192.168.1.40, which is on my lan segment, allowed.  Now let's say I wanted to talk to 192.168.1.40 on http 80..  No, the first rule doesn't match; second rule - yes I am from the dmz network, and I can talk to any port - but my destination IP can NOT be in that alias list, which is my other local networks, lan, wlan and my openvpn client IPs.  So traffic ends up at default block.

                        But if a dmz client wanted to talk to say yahoo.com on port 80 or 443 or any other port, that rule would match and the traffic would be allowed through.

                        Does it make more sense now?

                        [attachment: dmzrules.png]


                          Wepee
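The rule walk-through johnpoz gives above (rules consulted only on the interface the traffic enters, top down, first match wins, replies passed by the state table, the 443 connection falling to the default deny) and his DMZ "anything, but NOT to my local networks" rule, as an added example that is not part of the thread: a small Python model of that evaluation, replayed over Wepee's OPT2 rules as described in the post. The rule order, the 1.2.3.4 web IP, the DMZ subnet and the alias members are reconstructed or placeholder values, not taken from the screenshots.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One packet as the firewall sees it; sport/dport are 0 for icmp.
Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp", "icmp" or "any"
    src: str               # source CIDR or "any"
    dst: tuple             # destination CIDRs (an alias is just several), or ("any",)
    dport: int             # 0 = any port
    desc: str
    dst_not: bool = False  # True = "destination NOT in dst" (pfSense's invert match)

    @staticmethod
    def _in(addr, nets):
        return nets == ("any",) or any(ip_address(addr) in ip_network(n) for n in nets)

    def matches(self, p):
        if self.proto != "any" and p.proto not in self.proto.split("/"):
            return False
        if not self._in(p.src, (self.src,)):
            return False
        if self._in(p.dst, self.dst) == self.dst_not:  # in-alias XOR inverted
            return False
        return self.dport in (0, p.dport)

class Firewall:
    """Rules are per interface and consulted only for traffic ENTERING that interface,
    top down, first match wins, default deny. A pass creates a state; the reply matches
    that state on whichever interface it comes back in on and never touches the rules."""

    def __init__(self, rulesets):
        self.rulesets = rulesets  # interface name -> ordered list of rules
        self.states = set()

    def inbound(self, iface, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass (existing state)"
        for r in self.rulesets.get(iface, []):
            if r.matches(p):
                if r.action == "pass":
                    self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return f"{r.action} ({r.desc})"
        return "block (default deny)"

# Wepee's OPT2 rules as johnpoz describes them (reconstructed from the thread, not the screenshot).
OPT2 = "192.168.3.0/24"
OPT2_RULES = [
    Rule("pass", "tcp/udp", "any", ("any",), 53, "rule 1: DNS anywhere"),
    Rule("pass", "tcp/udp", OPT2, ("192.168.1.1/32",), 53, "rule 2: DNS to 192.168.1.1, shadowed"),
    Rule("pass", "icmp", OPT2, (OPT2,), 0, "rule 3: ICMP to OPT2 net, never reached"),
    Rule("pass", "icmp", OPT2, ("any",), 0, "rule 4: ICMP anywhere"),
    Rule("pass", "tcp", OPT2, ("any",), 80, "rule 5: HTTP anywhere"),
]
HTTPS_RULE = Rule("pass", "tcp", OPT2, ("any",), 443, "rule 6: HTTPS anywhere")

def browse_yahoo(opt2_rules):
    # Replay the www.yahoo.com walk-through; 1.2.3.4 is the thread's placeholder web IP.
    fw = Firewall({"OPT2VIANIC": opt2_rules})
    client, web = "192.168.3.2", "1.2.3.4"
    return {
        "dns": fw.inbound("OPT2VIANIC", Packet("udp", client, 51000, "192.168.1.1", 53)),
        "http": fw.inbound("OPT2VIANIC", Packet("tcp", client, 51001, web, 80)),
        # the HTTP reply enters on WAN, where no rule allows it, but the state does
        "http_reply": fw.inbound("WANSISNIC", Packet("tcp", web, 80, client, 51001)),
        # that reply redirects to https, so the client opens a brand-new 443 connection
        "https": fw.inbound("OPT2VIANIC", Packet("tcp", client, 51002, web, 443)),
    }

# johnpoz's DMZ pattern: NTP to one LAN host, then anything whose destination is NOT in the
# "local networks" alias. The DMZ subnet and the alias members are constructed placeholders.
DMZ = "192.168.2.0/24"
LOCAL_NETS = ("192.168.1.0/24", "192.168.4.0/24", "10.8.0.0/24")
DMZ_RULES = [
    Rule("pass", "udp", DMZ, ("192.168.1.40/32",), 123, "NTP to 192.168.1.40"),
    Rule("pass", "any", DMZ, LOCAL_NETS, 0, "anything not to local networks", dst_not=True),
]

def dmz_verdicts():
    fw = Firewall({"OPT1DMZ": DMZ_RULES})
    host = "192.168.2.10"
    return {
        "ntp_to_lan": fw.inbound("OPT1DMZ", Packet("udp", host, 40000, "192.168.1.40", 123)),
        "http_to_lan": fw.inbound("OPT1DMZ", Packet("tcp", host, 40001, "192.168.1.40", 80)),
        "http_to_internet": fw.inbound("OPT1DMZ", Packet("tcp", host, 40002, "1.2.3.4", 80)),
    }
```

The DNS query to 192.168.1.1 is passed by rule 1, which is why rule 2 is redundant, and appending HTTPS_RULE is the one change that turns the 443 verdict from the default block into a pass.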

                          @johnpoz:

                          So let's take a look at your rules

                          Sorry, I have changed the URL links to my pictures, uploaded to Photobucket.
                          The links are up and running now, so if you don't mind, you can update the link.


                            Wepee

                            Apologies for hijacking your example.

                            But I need to clear out my doubts. ::)

                            Please see the picture below:

                            So, the point is, the pfSense firewall rule only applies (does filtering) to traffic that is
                            ENTERING the interface (traffic coming from the host/client/device/PC)
                            ….....and does not deal with traffic that is already in pfSense and ENTERING the interface,
                            heading towards the DMZ network.


                              johnpoz LAYER 8 Global Moderator

                              Correct, inbound is only from the outside of pfsense..  But you can do outbound with floating..  But unless you're doing something special there is little use for that.


                                Wepee

                                Hmmm…..

                                Any idea why ICMP traffic does not work? :-[

                                Please see the diagram below:

                                http://s1132.photobucket.com/user/liukuohao/media/Private/pfSense/pfSensFirewallRuleHTTPHTTPSTested-working-fine_zps80366ae2.jpg.html


                                  Wepee

                                  OK John, solved already…case closed...check out the picture and
                                  the wording in purple colour below.

                                  I had to turn off both the personal software firewall and the Windows built-in firewall
                                  on both PCs, 1 from the OPT2VIANIC net and 1 from the LAN net, in order for ICMP traffic to flow.
                                  If not, I get time-out messages.

                                  Thank you very much for your guidance!!! :)

                                  So in summary the Firewall Rule only AFFECTS the traffic coming from the host/client/devices/PC
                                  ENTERING the network interface - in my case the OPT2VIANIC interface (192.168.3.1) - and nothing else!!!


                                    johnpoz LAYER 8 Global Moderator

                                    Great to hear - I mentioned software firewalls on the box you're pinging a few posts back.

                                    Why anyone would run a 3rd party firewall and the built in firewall makes no sense to me..  And to be honest, unless the lan is hostile why run a software firewall at all?  Your border is a better place for a firewall if you ask me.. Ie pfsense - you firewall between your segments and between your local network and the internet.  So unless you have hostile devices or devices outside your control on each segment I find a host/software firewall just extra overhead and configuration.


                                      Wepee

                                      @johnpoz:

                                      Great to hear - I mentioned software firewalls on the box you're pinging a few posts back.

                                      Why anyone would run a 3rd party firewall and the built in firewall makes no sense to me..  And to be honest, unless the lan is hostile why run a software firewall at all?  Your border is a better place for a firewall if you ask me.. Ie pfsense - you firewall between your segments and between your local network and the internet.  So unless you have hostile devices or devices outside your control on each segment I find a host/software firewall just extra overhead and configuration.

                                      Yeah….true...but just in case, when 1 of the PCs on the network gets infected with a
                                      virus, trojan, malware, spyware & crapware.....etc, the software antivirus and firewall on
                                      the uninfected PCs may help to prevent the virus spreading.

                                      But...hey....I am not a security expert here! I may be wrong!!!!

                                      But it is better to have something than to have no protection at all.
                                      I guess I would say it will be your 2nd line of defense against the bombardment of
                                      those nasty, malicious packets coming from the Internet. :)


                                        Wepee

                                        I have just uploaded another picture here.

                                        Hopefully those people who are stuck with the firewall rules may
                                        find it helpful to understand them better ;D


                                          johnpoz LAYER 8 Global Moderator

                                          "the software antivirus and firewall on the uninfected PCs may help to prevent the virus spreading."

                                          If that was the case - how did the first machine get infected?  Antivirus keeps the user from running an exe that is bad..  So that makes sense to run.  A firewall blocks ports; worms in your network would use ports that are in use.. If the machine is not listening on a port, the firewall is pointless.  So other machines on your network talk to other machines via the normal windows ports.

                                          Did you configure your machine firewalls to only allow machines to talk to say your file servers?  Running a firewall not actually configured is beyond pointless.  Since you didn't right away jump on the fact that hey, we configured the firewalls to block ping from outside segments.. It says to me you haven't done boo with the configuration of them.

                                          If you want to effectively use a firewall to control the spread of worms, then they would need to be tightly controlled to only allow workstations to talk only to the specific machines they need to talk to.  If you allow file and print sharing ports for example to talk to anything on your segment - how is that firewall going to block the worm from workstation A from spreading to B?

                                          You had better be specific in the rules as well, since if you allow port X both ways between workstations and servers..  A worm jumps from someone that say ran an exe the antivirus didn't know about - it infects servers, which in turn infect workstations.  Blocking traffic between workstations doesn't always work.

                                          Which is my point about a hostile lan; if you consider it hostile - then sure run host based firewalls.  But you have to freaking configure them to do any sort of good.  And again why would you have 2??  If you're not going to actually configure them - they are not going to do anything for you but cause headache and grief and more administration.  If you were configuring them you would have known hey - I want machines from source X to talk to my workstations, I have to edit the firewall configs to allow that.


                                            Wepee

                                            Which is my point about a hostile lan; if you consider it hostile - then sure run host based firewalls.  But you have to freaking configure them to do any sort of good.  And again why would you have 2??  If you're not going to actually configure them - they are not going to do anything for you but cause headache and grief and more administration.  If you were configuring them you would have known hey - I want machines from source X to talk to my workstations, I have to edit the firewall configs to allow that.

                                            Hi John,

                                            Thank you for your input here. :D

                                            I do appreciate your time and effort in giving out advice. ;D

                                            But would it be possible to type out your information in small
                                            bite-size chunks, so that I can digest it quickly. :)

                                            Ok, back to what I want to say…..

                                            Yes, I know, one of my PCs from the hostile LAN was shifted to the
                                            OPT2VIANIC network for testing internet connection.

                                            So that PC used for testing has a software firewall loaded.
                                            That is why so much grief happened to me.

                                            Yes, I know it would be a lot of administration work to configure,
                                            if the PC has a software firewall loaded on it.

                                            Basically, you are saying that any PC living on the OPT2VIANIC network can turn
                                            off the software firewall totally, because it causes a lot of problems since you have
                                            the pfSense firewall rule guarding the interface, and then you have another
                                            software firewall guarding the Windows interface.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.