Netgate Discussion Forum
    1 WAN share with Multi LAN (different subnet) + DMZ

    NAT
    20 Posts 3 Posters 37.6k Views
    • Wepee

      @johnpoz:

      So lets take a look at your rules

      Sorry, I have changed the URL link to my pictures uploaded to Photobucket.
      The link is up and running now, so if you don't mind, you can update the link.

      • Wepee

        Apologies for hijacking your example.

        But I need to clear out my doubts. ::)

        Please see the picture below:

        So, the point is, the pfSense firewall rule only applies (does the filtering) to traffic that is
        ENTERING the interface (traffic coming from the host/client/device/PC)
        ... and not to traffic that is already in pfSense and ENTERING the interface,
        heading towards the DMZ network.

        • johnpoz LAYER 8 Global Moderator

          Correct, inbound is only from the outside of pfSense..  But you can do outbound with floating..  But unless you're doing something special there is little use for that.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Wepee
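A small Python model of the rule evaluation johnpoz describes, added here as an example and not code from the thread or from pfSense itself: interface-tab rules are matched only on the interface the traffic ENTERS, and only a floating rule can bind to the exit interface with direction "out". The DMZ subnet, host addresses and rule set are constructed, and floating rules are modelled as first-match (pfSense's "quick" behaviour), which is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    iface: str              # interface the rule is bound to, e.g. "OPT2VIANIC"
    direction: str          # "in" or "out" (interface-tab rules are always "in")
    action: str             # "pass" or "block"
    proto: str              # "any", "tcp", "udp" or "icmp"
    src: str                # source CIDR ("0.0.0.0/0" = any)
    dst: str                # destination CIDR
    floating: bool = False  # True for a Floating-tab rule

@dataclass
class Packet:
    in_iface: str   # interface the packet ENTERS pfSense on
    out_iface: str  # interface pfSense forwards it out of
    proto: str
    src: str
    dst: str

def _matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))

def evaluate(rules, pkt):
    """(action, reason) for the first packet of a connection; replies are
    allowed by the state entry and never re-evaluated (pfSense is stateful)."""
    # Floating rules go first and may bind to the exit interface ("out");
    # modelled as first-match, i.e. floating rules with "quick" set (assumption).
    for r in rules:
        iface = pkt.in_iface if r.direction == "in" else pkt.out_iface
        if r.floating and r.iface == iface and _matches(r, pkt):
            return r.action, f"floating {r.direction} on {iface}"
    # Interface-tab rules only see traffic ENTERING that interface, so a rule
    # on the DMZ tab never touches LAN -> DMZ traffic.
    for r in rules:
        if not r.floating and r.iface == pkt.in_iface and _matches(r, pkt):
            return r.action, f"{r.iface} interface rule"
    return "block", "default deny"

# Constructed ruleset: 192.168.3.0/24 is the OPT2VIANIC net from the thread,
# 192.168.10.0/24 is an assumed DMZ net.
RULES = [Rule("OPT2VIANIC", "in", "pass", "any", "192.168.3.0/24", "0.0.0.0/0"),
         Rule("DMZ", "in", "block", "any", "192.168.10.0/24", "192.168.3.0/24")]
LAN_TO_DMZ = Packet("OPT2VIANIC", "DMZ", "icmp", "192.168.3.10", "192.168.10.5")
DMZ_TO_LAN = Packet("DMZ", "OPT2VIANIC", "icmp", "192.168.10.5", "192.168.3.10")

def demo():
    """Interface rules alone, then with a floating 'out' block on DMZ added."""
    plain = (evaluate(RULES, LAN_TO_DMZ), evaluate(RULES, DMZ_TO_LAN))
    with_out = RULES + [Rule("DMZ", "out", "block", "icmp", "0.0.0.0/0",
                             "0.0.0.0/0", floating=True)]
    return plain, evaluate(with_out, LAN_TO_DMZ)
```

The DMZ-tab block rule never fires for LAN-to-DMZ traffic; only the floating "out" rule on DMZ does, which is exactly the distinction the thread turns on.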

            Hmmm.....

            Any idea why ICMP traffic does not work? :-[

            Please see the diagram below:

            [URL=http://s1132.photobucket.com/user/liukuohao/media/Private/pfSense/pfSensFirewallRuleHTTPHTTPSTested-working-fine_zps80366ae2.jpg.html]

            • Wepee

              OK John, solved already... case closed... check out the picture and
              the wording in purple colour below.

              I have to turn off both the personal software firewall and the Windows built-in firewall
              on both PCs, one from the OPT2VIANIC net and one from the LAN net, in order for ICMP traffic to flow.
              If not, I get time-out messages.

              Thank you very much for your guidance!!! :)

              So in summary, the firewall rule only AFFECTS the traffic coming from the host/client/devices/PC
              ENTERING the network interface - in my case the OPT2VIANIC interface (192.168.3.1) - and nothing else!!!

              • johnpoz LAYER 8 Global Moderator

                Great to hear - I mentioned software firewalls on the box you're pinging back a few posts.

                Why anyone would run a 3rd party firewall and the built-in firewall makes no sense to me..  And to be honest, unless the LAN is hostile, why run a software firewall at all?  Your border is a better place for a firewall if you ask me.. i.e. pfSense - you firewall between your segments and between your local network and the internet.  So unless you have hostile devices or devices outside your control on each segment, I find a host/software firewall just extra overhead and configuration.

                • Wepee

                  @johnpoz:

                  Great to hear - I mentioned software firewalls on the box you're pinging back a few posts.

                  Why anyone would run a 3rd party firewall and the built-in firewall makes no sense to me..  And to be honest, unless the LAN is hostile, why run a software firewall at all?  Your border is a better place for a firewall if you ask me.. i.e. pfSense - you firewall between your segments and between your local network and the internet.  So unless you have hostile devices or devices outside your control on each segment, I find a host/software firewall just extra overhead and configuration.

                  Yeah... true... but just in case one of the PCs on the network gets infected with a
                  virus, trojan, malware, spyware, crapware... etc., the software antivirus and firewall on an
                  uninfected PC may help to prevent the virus spreading.

                  But... hey... I am not a security expert here! I may be wrong!!!!

                  But it is better to have something than to have no protection at all.
                  I guess I would say it will be your 2nd line of defense against the bombardment of
                  those nasty, malicious packets coming from the Internet. :)

                  • Wepee

                    I have just uploaded another picture here.

                    Hopefully, those people who are stuck with the firewall rule may
                    find it helpful to understand better ;D

                    • johnpoz LAYER 8 Global Moderator

                      "the software antivirus and firewall on an uninfected PC may help to prevent the virus spreading."

                      If that was the case, how did the first machine get infected?  Antivirus keeps the user from executing something that is bad..  So that makes sense to run.  A firewall blocks ports; worms in your network would use ports that are in use..  If the machine is not listening on a port, the firewall is pointless.  So other machines on your network are talking to other machines via the normal Windows ports.

                      Did you configure your machine firewalls to only allow machines to talk to, say, your file servers?  Running a firewall that is not actually configured is beyond pointless.  Since you didn't right away jump on the fact that "hey, we configured the firewalls to block ping from outside segments".. that says to me you haven't done boo with the configuration of them.

                      If you want to effectively use a firewall to control the spread of worms, then they would need to be tightly controlled to only allow workstations to talk to the specific machines they need to talk to.  If you allow file and print sharing ports, for example, to talk to anything on your segment, how is that firewall going to block the worm on workstation A from spreading to B?

                      You'd better be specific in the rules as well, since if you allow port X both ways between workstations and servers..  A worm jumps from someone that, say, ran an exe the antivirus didn't know about - it infects servers, which in turn infect workstations.  Blocking traffic between workstations doesn't always work.

                      Which is my point about a hostile LAN: if you consider it hostile, then sure, run host-based firewalls.  But you have to freaking configure them to do any sort of good.  And again, why would you have 2??  If you're not going to actually configure them, they are not going to do anything for you but cause headache and grief and more administration.  If you were configuring them you would have known: "hey, I want machines from source X to talk to my workstations, I have to edit the firewall configs to allow that."

                      • Wepee

                        @johnpoz:

                        Which is my point about a hostile LAN: if you consider it hostile, then sure, run host-based firewalls.  But you have to freaking configure them to do any sort of good.  And again, why would you have 2??  If you're not going to actually configure them, they are not going to do anything for you but cause headache and grief and more administration.  If you were configuring them you would have known: "hey, I want machines from source X to talk to my workstations, I have to edit the firewall configs to allow that."

                        Hi John,

                        Thank you for your input here. :D

                        I do appreciate your time and effort in giving out advice. ;D

                        But would it be possible to type out your information in small,
                        bite-size chunks, so that I can digest it quickly? :)

                        OK, back to what I want to say.....

                        Yes, I know, one of my PCs from the hostile LAN was shifted to the
                        OPT2VIANIC network for testing the internet connection.

                        So that PC used for testing has a software firewall loaded.
                        That is why so much grief happened to me.

                        Yes, I know it would be a lot of administration work to configure,
                        if the PC has a software firewall loaded on it.

                        Basically, you are saying that any PC living on the OPT2VIANIC network can turn
                        off the software firewall totally, because it causes a lot of problems since you have
                        the pfSense firewall rule guarding the interface, and then you have another
                        software firewall guarding the Windows interface.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.