Firewall default block behaviour between interfaces
-
Hi,
By default pfSense blocks traffic between interfaces unless we specifically permit it, correct?
But I just realized that for the IPSEC interface this isn't quite true: every IP on my LAN network can communicate with the remote network of the IPSEC tunnel.
Is this supposed to be like this, or is it a bug?
-
By default pfSense blocks traffic between interfaces unless we specifically permit it, correct?
No. A default install of pfSense will allow all from LAN, allow none from any other interface. Users on LAN can go anywhere. Users from WAN can't get into your LAN. Users on other internal networks can't go anywhere until you add at least one Allow rule.
every IP on my LAN network can communicate with the remote network of the IPSEC tunnel.
Because LAN has an Allow All rule. If you want to restrict your LAN users from the IPSec interface, change the Allow All rule (usually at the very bottom of your LAN rules) so that the Destination changes from * to !Your_IPSec_Interface_Name
-
OK.
But, besides LAN, all my other internal interfaces can also communicate with the IPSEC remote network.
For example:
LAN - 192.168.2.0/24
WIFI - 192.168.13.0/24
QA - 192.168.14.0/24
IPSEC - 192.168.0.0/16 <-> 10.168.0.0/16
I can ssh from 192.168.13.x to 10.168.x.x ...
or from 192.168.14.x to 10.168.x.x ...
But I can't, for example, ssh from 192.168.13.x or 192.168.14.x to LAN (192.168.2.0/24), which is correct because I have no allow rule for this.
But I also have no allow rule in WIFI or QA to access the IPSEC remote network, so I don't know why it is working...
-
But I just realized that for the IPSEC interface this isn't quite true: every IP on my LAN network can communicate with the remote network of the IPSEC tunnel.
Consider that pfSense controls traffic at the incoming interface, not at outgoing side.
-
I'm not an IPSec guy so I don't know for sure. I thought you had to have a separate network interface for IPSec, like with any interface, but you seem to have it defined so that it overlaps with all of your existing LANs.
-
@KOM:
I'm not an IPSec guy so I don't know for sure. I thought you had to have a separate network interface for IPSec, like with any interface, but you seem to have it defined so that it overlaps with all of your existing LANs.
It doesn't overlap with my LANs; the network I receive from the remote side of the IPSEC tunnel is 10.168.0.0/16, and I share all my LANs with the remote side.
-
You have some firewall rule(s) on the source interface that's allowing the traffic.
-
@cmb:
You have some firewall rule(s) on the source interface that's allowing the traffic.
OK, it's the last rule I have on each interface that allows outgoing traffic to the internet using my failover group of gateways:
Proto | Source | Port | Destination | Port | Gateway | Queue | Description
IPv4 * | WIFI net | * | * | * | WAN_FAILOVER | none | WIFI -> OUT FAILOVER
But why does this rule allow the traffic to the IPSEC remote networks?
-
Because you are passing from LAN to any.
IPSec and OpenVPN remote networks are automatically added to the list of "negate" networks in pf so that manually bypassing them when using policy routing is not necessary. At least that's how I think it works. Otherwise the traffic destined for your VPN would go out the gateway group instead, which is probably not what you intended. Looking at /tmp/rules.debug this is only true for interfaces containing specified local networks in the VPN configs.
If you don't want LAN to be able to access VPN assets, you can block those destinations on the LAN interface.
I believe the proper place for rules prohibiting access to certain assets over a VPN is on the destination (incoming) VPN interface. Much like one controls their network by passing only certain traffic into WAN, one controls access to local assets from VPN clients on the incoming VPN interface.
Example: My VPN to/from networks have full /24 routes in the VPN config for both sides, with full pass rules (automatically added by the negate rules mentioned above). The rules on the far side VPN interface (the network I manage) are wide open (meaning I can connect to anything). The rules on my side (home office) allow only specific traffic such as the ability to print to my printer, ping my LAN interface, IP-PBX access to my phone, access to a couple NAS services, etc.
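To make the behaviour discussed in this thread concrete, here is a small added model of how pfSense evaluates rules on the ingress interface and skips policy routing for "negate" networks. It is example code written for this page, not pfSense's own rule engine or anything from /tmp/rules.debug. The interface networks and the 10.168.0.0/16 remote network are taken from the thread; the rule shape, the `Rule` class, the `evaluate` function and the hardened rule set are assumptions of this model. It shows why the "WIFI net -> any via WAN_FAILOVER" rule still passes traffic to the VPN remote network, and how a block rule placed above it on the WIFI interface stops that while leaving internet access unchanged.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed from the thread: local interface networks and the IPsec remote network.
IFACE_NETS = {
    "LAN": ip_network("192.168.2.0/24"),
    "WIFI": ip_network("192.168.13.0/24"),
    "QA": ip_network("192.168.14.0/24"),
}
# VPN remote networks are added to the negate list, so policy routing is bypassed for them.
VPN_REMOTE_NETS = [ip_network("10.168.0.0/16")]


@dataclass
class Rule:
    """One firewall rule attached to an ingress interface (hypothetical model)."""
    action: str                    # "pass" or "block"
    iface: str                     # interface the rule is evaluated on (ingress side)
    src: str                       # network in CIDR form, or "any"
    dst: str                       # network in CIDR form, or "any"
    gateway: Optional[str] = None  # policy-routing gateway / gateway group, if any
    descr: str = ""


def _matches(spec: str, addr) -> bool:
    return spec == "any" or addr in ip_network(spec)


def evaluate(rules: List[Rule], ingress: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching rule on the ingress interface wins (pfSense 'quick' semantics).

    Returns (action, gateway). gateway is None when the packet follows the normal
    routing table, e.g. into the IPsec tunnel; otherwise it names the policy-routing gateway.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface != ingress or not _matches(r.src, s) or not _matches(r.dst, d):
            continue
        if r.action == "block":
            return ("block", None)
        # Negate behaviour: the rule still passes the packet, but the gateway is not
        # applied for VPN remote networks, so the packet is routed into the tunnel.
        if r.gateway and any(d in net for net in VPN_REMOTE_NETS):
            return ("pass", None)
        return ("pass", r.gateway)
    return ("block", None)  # implicit default deny when nothing matches


# The rule the poster showed: WIFI net -> any, policy-routed via the WAN_FAILOVER group.
ORIGINAL_WIFI_RULES = [
    Rule("pass", "WIFI", "192.168.13.0/24", "any", "WAN_FAILOVER", "WIFI -> OUT FAILOVER"),
]

# Hardened (assumed) rule set: an explicit block for the VPN remote network placed above it.
HARDENED_WIFI_RULES = [
    Rule("block", "WIFI", "192.168.13.0/24", "10.168.0.0/16", None, "deny WIFI -> IPsec remote"),
    *ORIGINAL_WIFI_RULES,
]


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_WIFI_RULES), ("hardened", HARDENED_WIFI_RULES)):
        print(label)
        for dst in ("10.168.1.5", "198.51.100.10", "192.168.2.5"):
            print("  192.168.13.10 ->", dst, evaluate(rules, "WIFI", "192.168.13.10", dst))
```

With the original rule set, a WIFI host reaching 10.168.1.5 matches the "to any" rule, the gateway is skipped because the destination is a negate network, and the packet is passed into the tunnel; traffic to 192.168.2.5 matches the same rule but is handed to the WAN_FAILOVER group, which is why the poster could not reach LAN even though the rule technically passes it. With the block rule in front, the VPN destination is denied on the ingress interface while internet traffic is still policy-routed as before.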