Netgate Discussion Forum

Blocking routing (and all traffic) between two LAN's?

Category: Firewalling · 7 Posts, 4 Posters, 4.6k Views
  • jcpro, Apr 12, 2016, 9:26 PM (last edited Apr 12, 2016, 9:33 PM)

    Hi all,

    I've got one of OVH's dedicated cloud clusters running ESXi 6.0.
    Along with the default installation they provide to the customer (me), they have set up a few Virtual Port Groups that are essentially their own switches that don't communicate with each other. OVH have labelled the Port Groups LAN5000, LAN5001, LAN5002 etc., if you're familiar.

    I have pfSense 2.3 configured with virtual NICs connected to each of these Virtual Port Groups.
    I've discovered that hosts connected to each Port Group can ping each other when they are configured to receive an IP from pfSense's DHCP server.  When hosts are configured with static IPs they cannot communicate with each other, so it appears pfSense is allowing routing between the LANs.

    How do I configure firewall rules to prevent hosts from communicating with one another if they are connected to these different Port Groups but still allow them to see the internet?

    I looked at implementing VLANs, but OVH don't actually give me permission to modify some of the network-level elements that they have provided within ESXi 6.0, and to be honest I'm not sure if VLANs are entirely necessary if I can accomplish the same thing with firewall rules.  I could be entirely wrong on this and maybe VLANs are what I'm supposed to be using in this scenario, but I'm lacking knowledge in this regard.

    This is an overly simplistic diagram of the pfSense environment:

    
    WEB - WAN
             \- LAN1 - Hosts
             \- LAN2 - Hosts
             \- LAN3 - Hosts
             \- LAN4 - Hosts
             \- LAN5 - Hosts
    
    
    • Hugovsky, Apr 13, 2016, 8:26 AM

      @jcpro:

      How do I configure firewall rules to prevent hosts from communicating with one another if they are connected to these different Port Groups but still allow them to see the internet?

      Use gateway in the rules.

      • johnpoz, LAYER 8 Global Moderator, Apr 13, 2016, 8:50 AM

        So what are your networks on these connections? Example:

        lan 1, 192.168.1.0/24
        lan 2, 192.168.2.0/24
        lan 3, 192.168.3.0/24

        So on those interfaces for each lan create rules that block access to the other networks.  You could do it all in 1 rule, you could do it in individual rules..

        So I am guessing you have any any rules on these interfaces?  So above the any any rule place a block rule for the source of that network and where you don't want it to go.

        So source would be lan1 net, dest would be lan2 net block.. etc..  Or just create an alias with your networks in it and use that alias in the block..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • JasonJoel, Apr 14, 2016, 1:31 AM

          For instance, on my guest wifi VLAN interface I have an IPv4 allow-any rule at the bottom of the rule list, and above that I have a rule like this to block any of those devices from connecting to my main home LAN:

          Type         BLOCK
          Protocol     IPv4
          Source       GUEST_WIFI net
          Port         *
          Destination  LAN net
          Port         *
          Gateway      *
          Queue        none
          Schedule     
          Description  Reject GUEST_WIFI to LAN

          • jcpro, Apr 15, 2016, 3:21 PM

            @johnpoz:

            So what are your networks on these connections? Example:

            lan 1, 192.168.1.0/24
            lan 2, 192.168.2.0/24
            lan 3, 192.168.3.0/24

            LAN1 - 192.168.100.0/24
            LAN2 - 192.168.101.0/24
            LAN3 - 192.168.102.0/24

            So on those interfaces for each lan create rules that block access to the other networks.  You could do it all in 1 rule, you could do it in individual rules..

            So I am guessing you have any any rules on these interfaces?  So above the any any rule place a block rule for the source of that network and where you don't want it to go.

            So source would be lan1 net, dest would be lan2 net block.. etc..  Or just create an alias with your networks in it and use that alias in the block..

            I got it working, but I'm really unsure if this is a best-practice way to accomplish this. Essentially I created aliases for every LAN network excluding the network I want to apply the rule to, as shown below:

            Then I added a block rule above the 'allow any any' rule, so things look like this now, and this seems to have accomplished what I need:

            • JasonJoel, Apr 15, 2016, 4:32 PM

              I would typically just use the network definitions already available on an interface and use one rule per network instead of making an alias, but that works too.

              • johnpoz, LAYER 8 Global Moderator, Apr 15, 2016, 5:22 PM

                Simple solution if you don't want these VLANs to talk to any other VLANs you have is to just create an rfc1918 alias that contains all the RFC 1918 space (192.168/16, 10/18, 172.16/12) and then just use that in your rule, as either a block or an allow if ! rfc1918 (not).  I do this, for example, with my guest wifi network.

                So you see I allow ping to pfSense, then block all access to any IP of pfSense.  This rule is nice because it even blocks access to the WAN IP.  And then I have an allow that says, hey, as long as you're not going to RFC 1918 space you're allowed.  So this allows access to the internet, but prevents any access to any other of my networks.

                If I wanted to allow something, you can just put an allow above.  Say, for example, on my wlan segment (my wifi devices) allow access to my Plex box, my Harmony hub and DVR, NTP etc.  But then I again block it from talking to any IP on the firewall other than DNS and ping.  Then at the end allow them to go wherever they want as long as it's not any of my other RFC 1918 networks.  Keep in mind this also blocks them talking to any of my VPN connections, but VPN connections are allowed to create connections to them.

                [attached screenshots: blockothervlans.png, block.png]


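Both rule layouts from this thread, as an added example that is not code from the thread or from pfSense: a small first-match evaluator for pfSense-style interface rules, run over jcpro's three LAN networks. Interface rules created in the pfSense GUI are evaluated first match wins, so rule order is what the example exercises. It assumes pfSense holds .1 on each LAN, an assumed public WAN address 203.0.113.10, an assumed internet host 198.51.100.7, and an assumed fourth LAN 192.168.103.0/24 added after the per-interface aliases were built; all of those addresses are constructed for the example.

```python
"""First-match evaluation of pfSense-style interface rules (added example).

Models the two layouts discussed in the thread: jcpro's block-to-other-LANs
alias above an allow-any rule, and johnpoz's allow-to-!RFC1918 behind a
block-to-firewall-IPs rule. All addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Tuple, Union

# jcpro's LAN networks from the thread; LAN4 is an assumed network added
# later, to show what each layout does with a LAN it was not told about.
LANS = {
    "LAN1": ip_network("192.168.100.0/24"),
    "LAN2": ip_network("192.168.101.0/24"),
    "LAN3": ip_network("192.168.102.0/24"),
}
LATER_LAN4 = ip_network("192.168.103.0/24")  # assumption, not in the aliases

# Assumed pfSense addresses: .1 on each LAN plus a public WAN address
# (203.0.113.10 is documentation space standing in for a real WAN IP).
FIREWALL_IPS = {ip_address("192.168.100.1"), ip_address("192.168.101.1"),
                ip_address("192.168.102.1"), ip_address("203.0.113.10")}

# RFC 1918 private space as the RFC defines it.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    dst: Union[str, List[IPv4Network]]   # "self" (any firewall IP) or an alias
    desc: str
    proto: str = "any"                   # "any", "tcp", "udp" or "icmp"
    dport: int = 0                       # 0 = any destination port
    negate_dst: bool = False             # pfSense "invert match" on destination


def rule_matches(rule: Rule, dst: IPv4Address, proto: str, dport: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport and rule.dport != dport:
        return False
    if rule.dst == "self":
        hit = dst in FIREWALL_IPS
    else:
        hit = any(dst in net for net in rule.dst)
    return hit != rule.negate_dst


def evaluate(rules: List[Rule], dst_ip: str, proto: str = "tcp",
             dport: int = 0) -> Tuple[str, str]:
    """GUI interface rules in pfSense are 'quick': the first match wins.
    A packet matching no rule hits the implicit default deny."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule_matches(rule, dst, proto, dport):
            return rule.action, rule.desc
    return "block", "default deny"


def alias_ruleset(iface: str) -> List[Rule]:
    """jcpro's layout: an alias holding every *other* LAN, used in a block
    rule placed above the interface's existing allow-any rule."""
    others = [net for name, net in LANS.items() if name != iface]
    return [
        Rule("block", others, f"{iface}: block to other LANs"),
        Rule("pass", ANY, f"{iface}: allow any"),
    ]


def rfc1918_ruleset(block_firewall_ips: bool = True) -> List[Rule]:
    """johnpoz's guest-network layout: allow ping and DNS to pfSense, block
    anything else aimed at a firewall IP (WAN address included), then allow
    whatever is *not* RFC 1918. Other LANs match nothing and are denied."""
    rules = [
        Rule("pass", "self", "allow ping to pfSense", proto="icmp"),
        Rule("pass", "self", "allow DNS to pfSense", proto="udp", dport=53),
    ]
    if block_firewall_ips:
        rules.append(Rule("block", "self", "block any other access to firewall IPs"))
    rules.append(Rule("pass", RFC1918, "allow if destination is not RFC1918",
                      negate_dst=True))
    return rules


if __name__ == "__main__":
    samples = [("192.168.101.5", "tcp", 80), ("198.51.100.7", "tcp", 443),
               ("203.0.113.10", "tcp", 443), ("192.168.103.9", "tcp", 22)]
    for dst, proto, dport in samples:
        a = evaluate(alias_ruleset("LAN1"), dst, proto, dport)
        r = evaluate(rfc1918_ruleset(), dst, proto, dport)
        print(f"{dst:15} alias-block: {a[0]:5} ({a[1]})  !rfc1918: {r[0]:5} ({r[1]})")
```

Two things the output makes visible. The per-interface alias has to be extended every time a LAN is added (traffic to the assumed LAN4 sails through the LAN1 rules, and the public WAN address of pfSense stays reachable), while the RFC 1918 layout denies new private networks by default. The "allow to !RFC1918" rule on its own would still let guests reach the WAN address, because a public IP is not RFC 1918 space; that is why the block-to-firewall-IPs rule has to sit above it. The RFC 1918 ranges as the RFC defines them are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and the alias above uses those.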
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.