Netgate Discussion Forum

    Allow all between interfaces

    Firewalling
    28 Posts 6 Posters 9.3k Views
    FlashEngineer

      @johnpoz:

      ^ exactly you notice in my example rules I have dns open to the firewall interface in that network.

      Clients on this segment use pfsense IP in that network as their dns.

      What is the point of blocking traffic to vlan 13?  Is it not rfc1918 space?

      You should allow what you want to the firewall, then block to firewall - because your rule that is allow ! rfc1918 is going to allow traffic to pfsense wan if it is not rfc1918

      Was just reading this guy's blog:

      https://calvin.me/block-traffic-vlan-pfsense/

      He puts an explicit rule to block certain traffic to other vlans on his guest network.  I guess that doesn't matter when you have that rule with ! rfc1918.

      So for rule order, I would allow say, certain host address to allow to vlan## or to pfsense GUI (via alias I guess), then start blocking in general like the ! rfc1918 rule?

      Basically one vlan is set up so it has access to WAN, and a few select hosts (say 192.168.15.203-205) can access another vlan's specific host (say 10.10.10.173), the rest should be blocked off from accessing anything else other than WAN.  And of course no one can access PFgui except maybe 1 IP (my smartphone etc) or something like that.  Or I guess doesn't even have to since I have my admin vlan to access everything anyways.

        Derelict LAYER 8 Netgate

        @FlashEngineer:

        @Derelict:

        VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

        Don't confuse inability to resolve names with inability to pass traffic.

        Still trying to understand the way pfsense administers DNS via the resolver or forwarder..  There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.

        I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

        Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Derelict LAYER 8 Netgate

          That blog is a little old. Probably 2.1.5 since he didn't use This firewall.

          Here is guest access in a nutshell:

          Pass the local assets guest hosts need (DNS, etc)
          Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
          Pass everything else (The internet)

            FlashEngineer

            That sounds good, but to confirm can one of you post a good Guest Vlan setup?  Do I really need ping to pfsense?

            Here's my revised setup so far for "guest".

              FlashEngineer

              @Derelict:

              @FlashEngineer:

              @Derelict:

              VLAN28 address has nothing to do with traffic out the WAN. What you probably need is a pass rule for DNS being served by pfSense. What DNS servers are you giving to hosts on VLAN28 with DHCP, etc?

              Don't confuse inability to resolve names with inability to pass traffic.

              Still trying to understand the way pfsense administers DNS via the resolver or forwarder..  There was nothing like this on zeroshell, all it had was DNS static entries for each DHCP range.

              I'm using PIA's dns servers which are defined in the General tab.  Not sure if they are pushed to the clients or not..

              Well you kind of have to be sure. It's the thing that makes the most sense if the hosts are configured to use pfSense as their DNS server and adding that rule fixed "the internet."

              Would it be possible to explain more on the DNS resolver or forwarder and how that works or what typical settings one would need on a simple home setup?  Like I mentioned before, this is what I have on Zeroshell in relation to DNS.


                hda

                LookSee Reply#16, i.e. Allow internal to This Firewall 53 for DNS server.

                Server as Forwarder/cache; dispatch requests to DNS servers in System General Setup.
                Server as Resolver/cache; dispatch requests to "The Root Servers".

                  Derelict LAYER 8 Netgate

                  You need ping if you need ping. You don't if you don't.

                  I, personally, pass ping to the users' default gateway and DNS servers as a matter of courtesy in case someone clueful is trying to debug something.

                  I don't know why you don't pass what you want them to access then reject any to This firewall. Then reject any to RFC1918. Then pass any.

                  The only time that won't work is if you have subnets on public addresses, then you'll need another alias for those.

                  I would love to see a Local subnets automatic alias like This firewall.

                    johnpoz LAYER 8 Global Moderator

                    With Derelict here, this is right on target

                    Pass the local assets guest hosts need (DNS, etc)
                    Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
                    Pass everything else (The internet)

                    There is never going to be a perfect setup that you can just clone because every setup is different..  If you don't understand the concepts even at a basic level and are just wanting to copy a config you're in trouble.  Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control..

                    Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative..  dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain.  If what you want is an authoritative name server, then install the bind package in pfsense.  Bind can then either forward or resolve.  You don't seem to understand the difference between a forwarder and a resolver??  If that is the case you're most likely going to be happy with just the forwarder.  Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab.  Simple…

                    edit: forwarder not resolver, edited..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      FlashEngineer

                      @johnpoz:

                      With Derelict here, this is right on target

                      Pass the local assets guest hosts need (DNS, etc)
                      Reject the local assets you don't want them to access (RFC1918, other VLANs, This firewall)
                      Pass everything else (The internet)

                      There is never going to be a perfect setup that you can just clone because every setup is different..  If you don't understand the concepts even at a basic level and are just wanting to copy a config you're in trouble.  Maybe you should just stick with an off-the-shelf device that doesn't really even allow you control..

                      Out of the box pfsense does not provide an authoritative name server, like bind can be authoritative..  dnsmasq (forwarder) and unbound (resolver) are not really meant to be authoritative for any domain.  If what you want is an authoritative name server, then install the bind package in pfsense.  Bind can then either forward or resolve.  You don't seem to understand the difference between a forwarder and a resolver??  If that is the case you're most likely going to be happy with just the resolver.  Your clients ask pfsense for www.google.com, it forwards that to the name servers you put in the general tab.  Simple…

                      It's a given there's never a perfect setup but I prefer starting from an example which most people use and work off from there.  Doing it from scratch I may miss a rule that should be in place.  I understand the rules but just don't know which to apply and want to make sure the order is correct.

                      Example I'm used to in ZS would be, everything is blocking between vlan but then I allow a rule for a single host or range to access another vlan's full subnet or just another single host.  There isn't any need for "allow" **** in ZS so that's a new concept to me.  Also in ZS, I don't need to allow DNS (53) in order to resolve internet addresses, since the way ZS works is with iptables, using the forwarding chain as the main filter between interfaces/vlans.  Totally different concept, hence why I just wanted an example of rules most people use then I work off from there obviously.

                        johnpoz LAYER 8 Global Moderator

                        so my example given would be a start, just leave out the ipad rule I have in place to allow my ipad to go wherever it wants.

                          FlashEngineer

                          @johnpoz:

                          so my example given would be a start, just leave out the ipad rule I have in place to allow my ipad to go wherever it wants.

                          Sounds good, so basically

                          client specific rules to allow
                          allow DNS
                          block webui
                          !RFC1918 disallows to any other local network but passes all other traffic to WAN

                          In terms of blocking, is the last 2 sufficient on a guest only vlan?

                            johnpoz LAYER 8 Global Moderator

                            depends!  Are there some vlans you want the guest to talk to?

                              FlashEngineer

                              @johnpoz:

                              depends!  Are there some vlans you want the guest to talk to?

                              Not for true guest, I want it basically strictly internet/wan only.  There are some vlans I would permit some limited access to certain hosts on another vlan but that's easily done with the specific allow rules placed at the top of the list correct?

                                Derelict LAYER 8 Netgate

                                Don't get wrapped around the axle about blocking the webgui. Block everything to destination This firewall after passing what they need to have access to like DNS.

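The ordering the thread settles on (pass what guests need, reject This firewall, reject RFC1918, pass the rest, with any host-specific exceptions on top) and johnpoz's earlier warning that a "pass to !RFC1918" rule placed above the block to the firewall also reaches the firewall's public WAN address can both be checked with a small first-match evaluator. This is an added example, not code from the thread, from pfSense or from any poster. It only models rule ordering on one interface tab, not states, interface binding or "quick"; the guest gateway 192.168.15.1, the public WAN address 203.0.113.10 (TEST-NET-3), the 10.10.10.1 address and the Rule/Flow classes are constructed assumptions, while 192.168.15.203-205 and 10.10.10.173 are the hosts FlashEngineer mentioned.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# --- Aliases (constructed for this example) -------------------------------
# RFC1918 is the standard private space. THIS_FIREWALL models pfSense's
# built-in "This firewall" alias: every address the firewall itself holds,
# including the public WAN address.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
GUEST_GW = "192.168.15.1"       # constructed: guest VLAN interface, also the DNS server
WAN_ADDR = "203.0.113.10"       # constructed: public WAN address (TEST-NET-3 range)
THIS_FIREWALL = (f"{GUEST_GW}/32", f"{WAN_ADDR}/32", "10.10.10.1/32")

ANY = ("any",)


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "reject"
    proto: str = "any"            # "any", "tcp", "udp" or "icmp"
    src: Tuple[str, ...] = ANY    # CIDRs, or ANY
    dst: Tuple[str, ...] = ANY
    dport: Optional[int] = None   # None = any destination port
    negate_dst: bool = False      # the "!" (invert match) option on the destination
    label: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _in_alias(addr: str, nets: Tuple[str, ...]) -> bool:
    if nets == ANY:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if not _in_alias(flow.src, rule.src):
        return False
    dst_hit = _in_alias(flow.dst, rule.dst)
    if rule.negate_dst:
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(rules, flow: Flow):
    """First matching rule wins, as on a pfSense interface tab; a flow that
    matches nothing falls through to the implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.label
    return "reject", "default deny"


# Derelict's recipe, with FlashEngineer's host-specific exception on top.
RECOMMENDED = (
    Rule("pass", src=("192.168.15.203/32", "192.168.15.204/32", "192.168.15.205/32"),
         dst=("10.10.10.173/32",), label="selected guests -> 10.10.10.173"),
    Rule("pass", "udp", dst=THIS_FIREWALL, dport=53, label="DNS to This firewall"),
    Rule("pass", "tcp", dst=THIS_FIREWALL, dport=53, label="DNS to This firewall"),
    Rule("pass", "icmp", dst=(f"{GUEST_GW}/32",), label="ping the gateway (courtesy)"),
    Rule("reject", dst=THIS_FIREWALL, label="reject This firewall"),
    Rule("reject", dst=RFC1918, label="reject RFC1918"),
    Rule("pass", label="pass any (the internet)"),
)

# The ordering johnpoz warned about: "pass to !RFC1918" above the block to
# This firewall also matches the firewall's public WAN address.
NAIVE = (
    Rule("pass", dst=RFC1918, negate_dst=True, label="pass !RFC1918"),
    Rule("reject", dst=THIS_FIREWALL, label="reject This firewall"),
)


def webgui_via_wan(rules) -> str:
    """Can an ordinary guest reach TCP/443 on the firewall's public address?"""
    return evaluate(rules, Flow("192.168.15.50", WAN_ADDR, "tcp", 443))[0]


if __name__ == "__main__":
    samples = (
        Flow("192.168.15.50", "8.8.8.8", "tcp", 443),
        Flow("192.168.15.50", GUEST_GW, "udp", 53),
        Flow("192.168.15.50", GUEST_GW, "tcp", 443),
        Flow("192.168.15.203", "10.10.10.173", "tcp", 22),
        Flow("192.168.15.50", "10.10.10.173", "tcp", 22),
        Flow("192.168.15.50", WAN_ADDR, "tcp", 443),
    )
    for name, rules in (("recommended", RECOMMENDED), ("naive", NAIVE)):
        for f in samples:
            print(name, f, "->", evaluate(rules, f))
```

Running the script shows the same guest flow against the WAN address landing on "reject This firewall" under the recommended order and on "pass !RFC1918" under the naive one, which is the difference Derelict's "block everything to destination This firewall after passing what they need" is meant to close.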

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.