Dedicated management port for pfSense
-
Hi all,
I was wondering if there is a way to dedicate an interface to be a management interface in its own VRF like what quite a few appliances/routers etc… are doing today.
The values are:
- management traffic stays within the VRF
- you can have a default GW to an OOB network
- the traffic processed by pfSense over other interfaces in the default routing table would never reach the management VRF and you don't need to maintain a policy to protect access to pfSense management.
The problems are:
- I would expect the pfSense GUI would have to be VRF aware and be able to control interfaces outside this VRF - it is definitely not available today
- I was thinking about a workaround by leveraging setfib in FreeBSD, but again, I am not sure how much can be done outside the GUI when it comes to this kind of fundamentals.
Has anybody looked at something like that in the past?
Thanks.
-
A quick glance at Wiki about VRF and it has nothing to do with interfaces, just routing. Is there a reason why you want to route the management interface differently? Routing is not a security feature. Using routing to implement security is just asking for trouble.
If you want to make a secure interface, either have a dedicated physical interface or use a VLAN, then use the firewall to block all other interfaces from accessing PFSense directly. Firewalls add security.
If I am making some bad assumptions, someone please correct me. I am not familiar with VRFs.
-
Well, it's pretty common for network devices to be managed in a separate network, even separated routing-wise.
This ensures that compromised end-services can't reach all management network functions in a routed environment.
Basically, your control interface should be separated from your functional data-path, ideally.
-
Using routing to implement security is just asking for trouble.
It is not implementing security per se, it is just enforcing a very strong separation to keep the management interface totally isolated from the operation of the firewall itself.
If I am making some bad assumptions, someone please correct me. I am not familiar with VRFs.
SoulChild provided you with a nice justification which matches exactly what I am trying to do.
-
I think the closest you'll come with pfSense at the moment is using a dedicated management NIC or VLAN as "LAN" while installing pfSense, so it ensures the anti-lockout rules etc. are only enforced (when selected) on that mgmt interface. On all other NICs don't allow access to the firewall per se, or explicitly block it with a floating rule from anywhere other than mgmt.
That doesn't isolate the mgmt interface routing-wise though. This option indeed would be nice to have, as otherwise it can happen that one creates asymmetric routing for devices that reside on the mgmt network but are routed OOB via another gateway.
Something like VRF or even ASA-like security contexts would certainly be nice to have.
-
I think the closest you'll come with pfSense at the moment is using a dedicated management NIC or VLAN as "LAN" while installing pfSense, so it ensures the anti-lockout rules etc. are only enforced (when selected) on that mgmt interface. On all other NICs don't allow access to the firewall per se, or explicitly block it with a floating rule from anywhere other than mgmt.
That doesn't isolate the mgmt interface routing-wise though. This option indeed would be nice to have, as otherwise it can happen that one creates asymmetric routing for devices that reside on the mgmt network but are routed OOB via another gateway.
Something like VRF or even ASA-like security contexts would certainly be nice to have.
Yep, my problem is the OOB I have is fairly large and I need the devices to be able to have their own gateway so whoever is coming internally from a non-connected network to the LAN interface can get back to it.
Let's say the pfSense LAN interface is on 192.168.0.0/24, and I am coming from another subnet further down the 192.168.0.0/24; the pfSense would then need a gateway on the LAN interface, and I am not very clear on pfSense's different gateways, especially when one is pointing at the upstream through the WAN and the other one is pointing at the downstream infra through the LAN interface.
-
If this were linux, you could use network namespaces for this. But then you're really into uncharted waters with PFSense, I think…
-
"I am coming from another subnet further down the 192.168.0.0/24; the pfSense would then need a gateway on the LAN interface, and I am not very clear on pfSense's different gateways, especially when one is pointing at the upstream through the WAN and the other one is pointing at the downstream infra through the LAN interface."
You would not connect a downstream router via the "lan"; you run into asymmetrical routing that way. If you need to connect a downstream router to pfSense, then that would be via a transit network. You don't put hosts on a transit. If you do, every one of those hosts would need to have host routing to tell them which gateway to use to get to which network, etc. It's a logistical nightmare, which is why you use transit networks to connect routers.
Isolating which interface you use to manage pfSense is very simple. Create a new network and use that network as your management network; whether you use a whole physical interface for this or a VLAN is up to you. Generally speaking, if you want an isolated management network, use of the "lan" would be good since it has the anti-lockout rules on it. Then all your other networks connected to pfSense would be on OPT interfaces or VLANs running on LAN or OPT interfaces. But again, when connecting another router, be it downstream or even upstream of pfSense, it would and should be via a transit network.
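Putting the two ideas in this thread together, the OP's setfib workaround (a management NIC in its own FIB with its own default gateway to the OOB network) and the "block management access from every other interface" rule the replies recommend, as an added example that is not from the thread or from pfSense itself. Interface names, addresses, ports, the FIB number and the anchor name are constructed assumptions; pfSense regenerates its own configuration, so this is written for a stock FreeBSD box or a lab, not for use under the GUI.

```shell
#!/bin/sh
# Added example (not the thread's or pfSense's own code). Assumptions:
# mgmt NIC em2 at 10.99.0.10/24, OOB gateway 10.99.0.1, FIB 1 unused,
# admin ports 22/443, and an `anchor "mgmt"` line in the main pf ruleset
# so the rules loaded below are actually evaluated.

# run: execute a command, or just echo it when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# setup_mgmt_fib IFACE ADDR/PREFIX GATEWAY FIB
# FIB 0 (the data path) never consults FIB 1, so no data-path route can
# lead to the management network. FIB 1 gets its own default route to the
# OOB gateway, which is the "second default gateway" the OP is missing.
setup_mgmt_fib() {
  iface=$1; addr=$2; gw=$3; fib=$4
  run sysctl net.fibs=$((fib + 1))   # older releases: set in /boot/loader.conf
  run ifconfig "$iface" fib "$fib"
  run ifconfig "$iface" inet "$addr"
  run setfib "$fib" route add default "$gw"
}

# mgmt_rules MGMT_IF MGMT_NET PORTS: pf anchor text. First a "quick" block
# for admin ports on every interface except the mgmt one, aimed at the
# firewall's own addresses (self); then an explicit pass only from the
# mgmt subnet arriving on the mgmt NIC.
mgmt_rules() {
  cat <<EOF
block in quick on ! $1 proto tcp to self port { $3 }
pass in quick on $1 proto tcp from $2 to ($1) port { $3 }
EOF
}

# load_mgmt_rules: install the anchor (assumed name "mgmt") with pfctl
load_mgmt_rules() { mgmt_rules "$@" | run pfctl -a mgmt -f -; }

# Daemons answering on the mgmt NIC must run in the same FIB, otherwise
# their replies are looked up in FIB 0 and leave via the data path.
start_in_mgmt_fib() { fib=$1; shift; run setfib "$fib" "$@"; }

DRY_RUN=${DRY_RUN:-1}   # safe to read or test anywhere; set to 0 to apply
setup_mgmt_fib em2 10.99.0.10/24 10.99.0.1 1
load_mgmt_rules em2 10.99.0.0/24 "22, 443"
start_in_mgmt_fib 1 /usr/sbin/sshd
```

With DRY_RUN left at 1 the script only prints the command plan, which is the easiest way to review the FIB and rule changes before applying them on a real box.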
-
If this were linux, you could use network namespaces for this. But then you're really into uncharted waters with PFSense, I think…
Agreed but then on linux there is no pf ;-)
-
"I am coming from another subnet further down the 192.168.0.0/24; the pfSense would then need a gateway on the LAN interface, and I am not very clear on pfSense's different gateways, especially when one is pointing at the upstream through the WAN and the other one is pointing at the downstream infra through the LAN interface."
You would not connect a downstream router via the "lan"; you run into asymmetrical routing that way. If you need to connect a downstream router to pfSense, then that would be via a transit network. You don't put hosts on a transit. If you do, every one of those hosts would need to have host routing to tell them which gateway to use to get to which network, etc. It's a logistical nightmare, which is why you use transit networks to connect routers.
Isolating which interface you use to manage pfSense is very simple. Create a new network and use that network as your management network; whether you use a whole physical interface for this or a VLAN is up to you. Generally speaking, if you want an isolated management network, use of the "lan" would be good since it has the anti-lockout rules on it. Then all your other networks connected to pfSense would be on OPT interfaces or VLANs running on LAN or OPT interfaces. But again, when connecting another router, be it downstream or even upstream of pfSense, it would and should be via a transit network.
Thanks! I am not entirely sure I got your point, except that it's likely to be messy, which I know well ;-)
I will keep it simple for now and just add a route to my few networks in my out-of-band management network.