Need advice on some basic rules
-
I have created an experimental network at home using an SG-2440 pfSense box that heads up my access to the internet via a bridged router, so it gets an ISP IP address on WAN.
Right now, the LAN rules are set to default which I want to refine at some point to ensure that it is relatively safe and yet flexible enough to allow general end user type traffic in and out the door.
OPT1 and OPT2 are set up for internet server services such as http(s), DNS (private name servers [bind9]), mysql, haproxy (configured as a pure reverse proxy, not load balancing), Canonical Landscape, Webmin (not sure why I have this, but it is powerful; just wish there was a client version so I don't need it on all my servers to bind them together). Hopefully soon a syslog server will be added once I figure out how to hook it up and log everything so that it can be viewed via a web interface, but that is later.
All internet servers are running out of VirtualBox on a Mac Mini (16 GB RAM) host that has 3 physical NICs: en0 to LAN, the USB NIC on OPT2 (DMZ) and the Thunderbolt NIC on OPT1 (supposed to be Backend/Private). Both these interfaces are blocked from LAN as they should be… using the basic rules. The DMZ has limited access to specific IPs on OPT1, since the HAProxy resides on the DMZ and needs to forward requests to the respective servers, and I've blocked access to LAN from OPT1 too. I suppose I could run Apple's Server software, but it's rubbish :o
The problem I am facing is how to stop the DMZ and OPT1 from accessing the host machine on the USB and Thunderbolt NICs. Curiously though, I disabled the interfaces from System Prefs/Network and the VBox servers continued to send and receive traffic as normal, but it did prevent traffic from the VBox to the Mac host, which is desirable. However, I'm not sure if the firewall states already in place kept the connections alive despite the interfaces being disabled on the Mac.
Anyway any tips on some basic inbound/outbound rules would be welcomed.
Attached is a loosely created diagram of my network.
Oh, and I know I have a potential double NAT situation going on, but I am experimenting with the Linksys router being a full router and not just a wireless bridge. No need to comment about that ;). It is isolated and the devices connected to it are receiving their IP addresses from it and not from the pfSense box.
The blue line depicts VPN.
![Screen Shot 2015-11-25 at 22.27.17.png](/public/imported_attachments/1/Screen Shot 2015-11-25 at 22.27.17.png)
-
> Curiously though, I disabled the interfaces from system prefs/network and the VBox servers continued to send and receive traffic as normal, …
Update on this: Seems that turning off the NICs eventually closes all traffic so that isn't going to work. So I would like to know how to block traffic on the same network to a single IP address.
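The last question (blocking traffic on the same network to a single IP) is not something pfSense rules can do for this layout: a bridged VirtualBox guest on the Thunderbolt or USB NIC sits on the same layer-2 segment as the host's address on that NIC, so guest-to-host frames are switched locally and never pass through the pfSense OPT1/OPT2 interface where its rules are evaluated. The block has to live on the Mac itself, which ships with pf. The ruleset below is an added example for the host side and is not from the original post or from pfSense; the interface names (en3 for the Thunderbolt NIC on OPT1, en4 for the USB NIC on OPT2/DMZ) are assumptions and must be replaced with the real names from `ifconfig`. It also assumes that frames the bridged guests send to the host's own address are delivered to the host stack through the normal inbound path of that interface, which is where pf filters them.

```pf
# Added example for the macOS host (not part of the original post).
# Assumed names: en3 = Thunderbolt NIC on OPT1, en4 = USB NIC on OPT2 (DMZ).
# (en3) / (en4) expand to whatever addresses those interfaces currently hold,
# so the rules survive DHCP changes without editing.

vm_ifs = "{ en3 en4 }"

# Connections the host itself opens towards the guests (e.g. ssh from the
# host into a VM) create state, and state entries are matched before rules,
# so their replies are still accepted despite the block rules below.
pass out quick on $vm_ifs proto { tcp udp icmp } keep state

# Drop anything arriving on the VM-facing NICs that is addressed to the
# host's own address on that NIC. Guests keep talking to each other and to
# pfSense because that traffic is not destined to (en3)/(en4).
block drop in quick log on en3 from any to (en3)
block drop in quick log on en4 from any to (en4)
```

Loading a file with `pfctl -f` replaces the whole ruleset, so to keep Apple's own anchors either append these lines to the existing `/etc/pf.conf` or load them into a separate anchor. Check syntax first with `sudo pfctl -nf <file>`, then load with `sudo pfctl -f <file>` and enable pf with `sudo pfctl -e`; `sudo pfctl -vs rules` shows per-rule hit counters, which is the quickest way to confirm that a guest's attempt to reach the host address is actually being dropped rather than bypassing pf. A simpler alternative that needs no rules at all: give the host no IPv4/IPv6 address on en3 and en4 (set the services to "Off" in Network preferences), since a VirtualBox bridged adapter only needs the interface to be up, not addressed; with nothing to connect to, the guests have no host endpoint on those segments.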