1 WAN share with Multi LAN (different subnet) + DMZ
-
So let's take a look at your rules.
Sorry, I have changed the URL link to my pictures uploaded to photobucket.
The link is up and running now, so if you don't mind, you can update the link.
-
Apologies for hijacking your example.
But I need to clear out my doubts. ::)
Please see the picture below:
So, the point is, the pfSense firewall rule only applies (does filtering) to traffic that is
ENTERING the interface (traffic coming from the host/client/device/PC)
… and not to traffic that is already in pfSense and ENTERING the interface,
heading towards the DMZ network.
-
Correct, inbound is only from the outside of pfSense. But you can do outbound with floating rules. But unless you're doing something special there is little use of that.
-
Hmmm…
Any idea why ICMP traffic does not work? :-[
Please see the diagram below:
http://s1132.photobucket.com/user/liukuohao/media/Private/pfSense/pfSensFirewallRuleHTTPHTTPSTested-working-fine_zps80366ae2.jpg.html
-
OK John, solved already… case closed. Check out the picture and
the wording in purple colour below. I have to turn off both the personal software firewall + Windows built-in firewall
on both PCs, 1 from OPT2VIANIC net and 1 from LAN net, in order for ICMP traffic to flow.
If not I will get time-out messages. Thank you very much for your guidance!!! :)
So in summary the Firewall Rule only AFFECTS the traffic coming from the host/client/devices/PC
ENTERING the network interface - in my case the OPT2VIANIC interface (192.168.3.1) and nothing else!!!
-
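To make the point of this thread concrete, here is an added, hand-written pf ruleset (not pfSense's generated configuration, and not posted by anyone in the thread) showing that per-interface rules match where a packet enters and that the state entry, not a LAN rule, lets the reply back. The NIC names and the LAN/DMZ subnets are assumptions; only 192.168.3.0/24 (OPT2VIANIC) comes from the thread.

```pf
# Illustrative pf ruleset for the thread's topology. Assumed values:
#   OPT2VIANIC = em2, 192.168.3.0/24   (subnet from the thread, NIC name assumed)
#   LAN        = em1, 192.168.1.0/24   (assumed)
#   DMZ        = em3, 192.168.2.0/24   (assumed)
opt2     = "em2"
lan      = "em1"
dmz      = "em3"
opt2_net = "192.168.3.0/24"
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"

set block-policy drop
set skip on lo0

# Default deny on every interface, in both directions: anything not explicitly
# passed below is dropped and logged (the equivalent of pfSense's implicit block).
block log all

# Interface-tab rules are evaluated only on the interface where the packet ENTERS.
# A ping from an OPT2VIANIC PC to a LAN PC is matched here, on $opt2, never on $lan.
pass in quick on $opt2 inet proto icmp from $opt2_net to $lan_net \
    icmp-type echoreq keep state

# Web access from OPT2VIANIC to the DMZ, same principle: matched on $opt2 only.
pass in quick on $opt2 inet proto tcp from $opt2_net to $dmz_net \
    port { 80 443 } flags S/SA keep state

# "keep state" is what lets the echo reply / TCP return traffic (LAN or DMZ -> OPT2)
# back through pfSense; no "pass in on $lan" or "pass in on $dmz" rule is needed
# for the reply. Only a floating rule with direction "out" would filter traffic
# as it LEAVES toward the LAN, which the interface tabs never do.
```

Note that pfSense only decides whether the echo request reaches the LAN PC; the Windows firewall on that PC is a second, independent filter, and a narrow inbound allow for ICMPv4 echo from 192.168.3.0/24 there is the configured alternative to switching it off.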
Great to hear - I mentioned software firewalls on the box you're pinging back a few posts.
Why anyone would run a 3rd party firewall and the built-in firewall makes no sense to me. And to be honest, unless the LAN is hostile, why run a software firewall at all? Your border is a better place for a firewall if you ask me, i.e. pfSense - you firewall between your segments and between your local network and the internet. So unless you have hostile devices or devices outside your control on each segment, I find a host/software firewall just extra overhead and configuration.
-
Yeah… true... but just in case, when one of the PCs on the network gets infected with a
virus, trojan, malware, spyware & crapware, etc., the software antivirus and firewall on an
uninfected PC may help to prevent the virus spreading. But... hey... I am not a security expert here! I may be wrong!!!!
But it is better to have something than to have no protection at all.
I guess I would say it will be your 2nd line of defense against the bombardment of
those nasty, malicious packets coming from the Internet. :)
-
"the software antivirus and firewall on uninfected PC may helped to prevent the virus spreading."
If that was the case - how did the first machine get infected? Antivirus keeps the user from executing something that is bad, so that makes sense to run. A firewall blocks ports; worms in your network would use ports that are in use. If the machine is not listening on the port, the firewall is pointless. So other machines on your network are talking to other machines via the normal Windows ports.
Did you configure your machine firewalls to only allow machines to talk to, say, your file servers? Running a firewall that is not actually configured is beyond pointless. Since you didn't right away jump on the fact that "hey, we configured the firewalls to block ping from outside segments", it says to me you haven't done boo with the configuration of them.
If you want to effectively use a firewall to control the spread of worms, then they would need to be tightly controlled to only allow workstations to talk to the specific machines they need to talk to. If you allow file and print sharing ports, for example, to talk to anything on your segment - how is that firewall going to block the worm from workstation A from spreading to B?
You had better be specific in the rules as well, since if you allow port X both ways between workstations and servers, a worm jumps from someone that, say, ran an exe the antivirus didn't know about - it infects servers, which in turn infect workstations. Blocking traffic between workstations doesn't always work.
Which is my point about a hostile LAN: if you consider it hostile, then sure, run host-based firewalls. But you have to freaking configure them to do any sort of good. And again, why would you have 2?? If you're not going to actually configure them, they are not going to do anything for you but cause headache and grief and more administration. If you were configuring them you would have known "hey - I want machines from source X to talk to my workstations, I have to edit the firewall configs to allow that."
-
Hi John,
Thank you for your input here. :D
I do appreciate your time and effort in giving out advice. ;D
But would it be possible to type out your information in small,
little bite-size chunks, so that I can digest it quickly. :) Ok, back to what I want to say…
Yes, I know, one of my PCs from the hostile LAN was shifted to the
OPT2VIANIC network for testing the internet connection. So that PC used for testing has got a software firewall loaded.
That is why so much grief happened to me. Yes, I know it would be a lot of administration work to configure,
if the PC has a software firewall loaded on. Basically, you are saying that any PC living on the OPT2VIANIC network can turn
off the software firewall totally. Because it causes a lot of problems, since you have the
pfSense firewall rule guarding the interface, and then you have another
software firewall guarding the Windows interface.