Netgate Discussion Forum

    Firewall rule: allow Internet but block traffic between vlans?

    Category: Firewalling
    7 Posts, 2 Posters, 17.2k Views
    DerBachmannRocker wrote:

      I hope somebody can help me with this kinda basic question. I'm trying to set up pfSense 2.0.2 as an internal router/firewall sitting between about 10 vlans and an external router. I want every vlan to be able to access the Internet (restricted by the external router) but block access between vlans completely. So I cannot use a rule in the fashion of ANY to ANY.

      The only option I found so far is to create an alias of every internal network and create a rule like this:
      allow AllInternalNetworks to !AllInternalNetworks ANY

      The careful observer will notice however that I unwillingly created a huge security hole: every internal network now has access to AdminMgmtExt! This is because I did not create a rule that states explicitly what I want it to do, but I used an ugly hack to implicitly specify what it should do instead. I really don't want to risk simply forgetting some network in my alias and thereby creating a risky setup. On every other firewall product I have used so far I would simply specify the interface of NoMansLand as destination for the rule and be done with it. This is not possible in pfSense as far as I can tell.

      How should I create a bulletproof "Internet access" rule? I cannot figure it out.

      [attached image: pfsense_internet_regel_grafik.png]

      Metu69salemi wrote:

        Hi there,

        1. Create Alias with RFC1918 networks (10/8, 172/12 & 192.168/16)
        2. Create rules to interfaces or floating rule
        • Action: Pass
        • Protocol: Any
        • From: any
        • To: not "your alias"

        You should be fine with that.

        DerBachmannRocker wrote:

          Nice approach, but this is still very implicit and has side-effects. I do have networks behind GwExt01 that are in the RFC1918 range, accessed by VPN. And: AdminMgmtExt is in the 10.x.x.x range. So I'd have to say I'm not better off with this method.

          Metu69salemi wrote:

            Leave the needed networks out of this alias, or allow those separately before this rule.

            DerBachmannRocker wrote:

              Hmmmmm. That is brilliant. I will try to explicitly add the RFC networks I want to allow and place a deny rule for all RFC networks immediately after. Thanks, I'll report back on how it went.

              DerBachmannRocker wrote:

                The suggested method of Metu69salemi works. Here is what I did:

                - Create an interface group "IFAllInternal" and put all your vlan interfaces in it. Every network directly connected to these interfaces will be able to access the Internet.
                - Create your various firewall rules to allow access between the vlans as floating rules with the "quick" option. This way your floating rules will be evaluated before the Internet rule, which comes last.
                - Create 2 firewall rules at the very bottom of the group IFAllInternal. The idea is to first block every access to any local network and in the second rule allow everything else.

                Advantage of this approach: this is the closest thing to default block + vlans + internet I have seen so far. You do not run into security flaws if you add a vlan in the future and forget to add it to any group. It just sits there and has no internet access and no access to the other vlans.

                The rest of the stuff:
                The decision to put every "normal" rule into the floating rules tab is just the way I prefer to do it. I need the flexibility of floating rules and want to see every rule I create on one screen. It makes documentation a bit easier (which, by the way, I keep in a separate Excel sheet). I only put the reference number of the rule into the pfSense comment and organize the rest separately. See below for how my Excel sheet looks currently. Hope this info is of help to some of you guys out there.

                [attached images: internet_Regel_variante3_1.png, internet_Regel_variante3_2.png, internet_Regel_variante3_3.png, internet_Regel_variante3_4.png]

                Metu69salemi wrote:
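The two rule orderings discussed in this thread (the "allow AllInternal to !AllInternal" rule from the first post, and Metu69salemi's RFC1918 alias with explicit exceptions placed before a block rule, as laid out in the final post) modelled as an added example; this is not code from the forum or from pfSense. The VLAN ranges, the AdminMgmtExt and VPN networks, the single wanted inter-vlan flow and the external address are assumed sample values, and the model keeps only pfSense's first-match order for quick floating rules followed by interface-group rules, with default deny when nothing matches.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample networks (assumed values, not taken from the thread).
VLAN10 = ipaddress.ip_network("10.10.0.0/24")
VLAN20 = ipaddress.ip_network("10.20.0.0/24")
ADMIN_MGMT_EXT = ipaddress.ip_network("10.99.0.0/24")  # behind the external router
VPN_NET = ipaddress.ip_network("172.16.50.0/24")       # RFC1918 net reached via GwExt01
ALL_INTERNAL = [VLAN10, VLAN20]                        # the AllInternalNetworks alias
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str                               # "pass" or "block"
    src: list = field(default_factory=list)   # empty list means "any"
    dst: list = field(default_factory=list)
    negate_dst: bool = False                  # models the "not" checkbox on the destination

    def matches(self, s, d):
        src_hit = not self.src or any(s in n for n in self.src)
        dst_hit = not self.dst or any(d in n for n in self.dst)
        return src_hit and dst_hit != self.negate_dst

def first_match(rules, s, d):
    """First matching rule wins; no match falls through to pfSense's default block."""
    for r in rules:
        if r.matches(s, d):
            return r.action
    return "block"

# Approach 1 (first post): pass AllInternal -> !AllInternal.
# Anything missing from the alias, here AdminMgmtExt, becomes reachable.
LEAKY = [Rule("pass", ALL_INTERNAL, ALL_INTERNAL, negate_dst=True)]

# Approach 2 (final post): explicit exceptions as quick floating rules,
# then two rules at the bottom of the IFAllInternal interface group.
FLOATING = [
    Rule("pass", [VLAN10], [VLAN20]),        # the one inter-vlan flow that is wanted
    Rule("pass", ALL_INTERNAL, [VPN_NET]),   # RFC1918 range behind GwExt01 that must stay reachable
]
GROUP = [
    Rule("block", [], RFC1918),              # block every local network first ...
    Rule("pass"),                            # ... then allow everything else (the Internet)
]

def decide(approach, src, dst, in_group=True):
    """in_group=False models a new vlan interface that nobody added to IFAllInternal."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if approach == "leaky":
        return first_match(LEAKY, s, d)
    return first_match(FLOATING + (GROUP if in_group else []), s, d)
```

The first assertion below is the hole from the original post: a host on VLAN10 reaches AdminMgmtExt because that network was never in the alias, while the same flow is blocked by the RFC1918 rule in the final layout.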

                  Glad that I could help you out.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.