Block Communication between interfaces
-
Hi everyone. I have two internal interfaces on my pfSense rig (LAN & OPT1). I just had the need for the OPT1 interface the other day so I went through the learning process of enabling it, which wasn't too bad. Though I have it working the way I want, I can't stop thinking I don't have it set up optimally. When I went to set up the firewall rules for the OPT1 interface (because I don't want OPT1 to be able to communicate with LAN) this is how I set it up:
Action: Pass
Interface: OPT1
Address Family: IPv4+IPv6
Protocol: any
Source: OPT1 Net
Destination: WAN Net (tried WAN Address when this didn't work).
Everyone going through OPT1 didn't have internet access.
So i ended up changing Destination to 'Any' and then adding the following firewall rule:
Action: Block
Interface: OPT1
Address Family: IPv4+IPv6
Protocol: any
Source: any
Destination: LAN Net
which seemed to achieve what I was after. So my basic questions are:
1. Why did users connecting through OPT1 not have internet access with the way I had it set up previously?
2. Is the way I have it set up currently OK, or is there a better way to set it up?
I don't know if this matters, but I have some confusion about the difference between 'Net' & 'Address', so I don't know if that's contributing to the problem or not, but I plan to ask about this in a different thread.
thanks…..
-
1 - Because "WAN Net" != "internet"
-
2 - If you want to restrict access from OPT1 to LAN, then you need to change your Destination from any to ! (not) LAN net.
-
I don't like that technique.
Block traffic to LAN net then Pass traffic to any.
IMHO traffic should not be "blocked" with a pass rule.
Something like this might happen: https://redmine.pfsense.org/issues/6799
-
Thanks. I didn't know that was the preferred method now but it makes sense.
-
@ptt:
1 - Because "WAN Net" != "internet"
Can you be more explicit? I always thought of the WAN side of any router type device as the internet. Where is my understanding flawed?
thanks
-
I don't like that technique.
Block traffic to LAN net then Pass traffic to any.
IMHO traffic should not be "blocked" with a pass rule.
Something like this might happen: https://redmine.pfsense.org/issues/6799
From your description it sounds like the way i have it setup is just fine….
-
Yes as long as the block rule is placed above the pass rule.
-
@ptt:
1 - Because "WAN Net" != "internet"
Can you be more explicit? I always thought of the WAN side of any router type device as the internet. Where is my understanding flawed?
thanks
WAN Net refers to the network (or single IP) that your WAN interface has.
Usually it is your WAN IP, as assigned from your ISP. Some ISPs offer multiple IPs.
-
Can you be more explicit? I always thought of the WAN side of any router type device as the internet. Where is my understanding flawed?
In a pass rule you can limit outgoing traffic to only a specific internet IP network, and that is exactly what you did, as the WAN Net is only the transit network leading to the rest of the internet. Your OPT1 clients would be able to send traffic to every node on the specific IP network that the WAN IP resides in, but traffic with another destination address wouldn't be passed by that rule.
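To make the two points in this thread concrete (WAN net is only the transit subnet the WAN IP sits in, and a block rule only protects LAN if it sits above the pass rule), here is a small first-match rule evaluator. It is an added example, not code from the thread or from pfSense itself. The addresses are made up: the WAN interface is assumed to hold 203.0.113.5/24, LAN is 192.168.1.0/24 and OPT1 is 192.168.2.0/24. The `invert_dst` flag models the destination "! (not)" checkbox that ptt suggested; whether that form is safe in a given pfSense release is a separate question and is not something this code can tell you.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for this example (assumed, not taken from the thread):
# the WAN interface holds 203.0.113.5/24, so "WAN net" is the /24 transit
# network the ISP put it in; LAN and OPT1 are ordinary RFC 1918 subnets.
WAN_NET = ip_network("203.0.113.0/24")
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.2.0/24")

ANY = None  # stands for "any" in the rule editor


def rule(action, src, dst, invert_dst=False):
    """Build one rule. invert_dst=True models the GUI's '!' (not) box on the destination."""
    return {"action": action, "src": src, "dst": dst, "invert_dst": invert_dst}


def matches(r, src, dst):
    """A rule matches when both its source and destination fields match the packet."""
    src_ok = r["src"] is ANY or src in r["src"]
    dst_in = r["dst"] is ANY or dst in r["dst"]
    dst_ok = (not dst_in) if r["invert_dst"] else dst_in
    return src_ok and dst_ok


def evaluate(rules, src, dst):
    """First-match evaluation, top to bottom, as pfSense applies interface rules
    (its GUI rules are generated with pf's 'quick' keyword). A packet that matches
    no rule on the interface it enters falls through to the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if matches(r, src, dst):
            return r["action"]
    return "block (default deny)"


# The poster's first attempt: Pass, Source OPT1 net, Destination WAN net.
FIRST_ATTEMPT = [rule("pass", OPT1_NET, WAN_NET)]

# What the poster ended up with: Block to LAN net placed above Pass to any.
BLOCK_THEN_PASS = [
    rule("block", ANY, LAN_NET),
    rule("pass", OPT1_NET, ANY),
]

# The same two rules in the wrong order: the pass rule matches first, so the
# block rule below it is never consulted and LAN is reachable.
PASS_THEN_BLOCK = [
    rule("pass", OPT1_NET, ANY),
    rule("block", ANY, LAN_NET),
]

# ptt's alternative: a single Pass with Destination "! LAN net".
NEGATED_PASS = [rule("pass", OPT1_NET, LAN_NET, invert_dst=True)]

# Constructed sample packets, all sourced from one OPT1 client.
CLIENT = "192.168.2.10"
INTERNET_HOST = "8.8.8.8"       # anywhere beyond the transit network
WAN_NEIGHBOUR = "203.0.113.7"   # another address inside WAN net
LAN_HOST = "192.168.1.5"        # a LAN machine the poster wants to protect


def summary(rules):
    """Verdict for (internet host, WAN-net neighbour, LAN host), in that order."""
    return tuple(evaluate(rules, CLIENT, d) for d in (INTERNET_HOST, WAN_NEIGHBOUR, LAN_HOST))


if __name__ == "__main__":
    for name, rs in [("first attempt", FIRST_ATTEMPT),
                     ("block then pass", BLOCK_THEN_PASS),
                     ("pass then block", PASS_THEN_BLOCK),
                     ("negated pass", NEGATED_PASS)]:
        internet, wan_net, lan = summary(rs)
        print(f"{name:16} internet={internet:22} wan-net={wan_net:22} lan={lan}")
```

The "first attempt" row shows why OPT1 lost internet: 8.8.8.8 is not inside the /24 the WAN IP lives in, so the only pass rule never matches and the default deny takes over, while a host inside WAN net would still be reachable. The "pass then block" row is the failure mode the "block rule above the pass rule" reply warns about. The example is IPv4 only; the ordering argument is identical for the IPv6 half of an IPv4+IPv6 rule.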
-
"WAN Net is only the transit network leading to the rest of the internet."
Exactly!!!!! I really just do not know how people confuse WAN net with "internet". It says WAN Net right in the name, not "All other networks not local" ;)
You can think of the WAN as the internet, but you have to understand that you're connected to the internet via a transit network.. Not the whole freaking internet ;)
-
Internet = networks interconnected by using other networks that serve as these "transit networks". That may be hard to picture in your mind at first but once you start thinking along the lines of how you would connect your own LAN network at your home to another LAN network at your friend's house (assuming it's just a matter of laying a cable between them) and take that idea to a larger scale with multiple networks it should start making sense.
-
"WAN Net is only the transit network leading to the rest of the internet."
Exactly!!!!! I really just do not know how people confuse WAN net with "internet". It says WAN Net right in the name, not "All other networks not local" ;)
You can think of the WAN as the internet, but you have to understand that you're connected to the internet via a transit network.. Not the whole freaking internet ;)
Being that they use simplistic ideas of what's going on. They just memorize terms like "network" and assume it always means the exact same thing in all contexts until they run into an issue. I see the same thing all the time. Had a 10+ year storage admin who "knew" what thin provisioning meant, but didn't understand the implication when we said we needed to have a LUN backed by contiguous storage, and gave us a thinly provisioned LUN. I wonder what the return policy is on a $200k SAN device that you've had for 2 months before you realized you can't control LUN layout.
-
"I wonder what the return policy is on a $200k SAN device that you've had for 2 months before you realized you can't control LUN layout."
hehehe oh that is funny… Did you pay for it already? Most companies float payment for at least 90+ days ;) Tell them it does not meet your requirements, and the person that ordered it has been flogged out back for it.. If they ever want any future business from you they will take it back or get the model that allows you to do what you want..
But I hear ya, work with people that have been in the field for years and years, and still don't get what amounts to basic concepts.. And then they are too scared to bring it up if having a discussion... So for example when you stated "we needed to have a LUN backed by contiguous storage" he could have just asked - and that means what exactly??
Been dealing quite a bit of late with just local switching stuff, and am amazed at how many people that have been doing it for years and years just don't quite grasp that a lagg or etherchannel/portchannel/etc is not 1+1=2, but just 2 x 1 and 1, etc.. No specific device talking to another specific device across that will ever see more than 1, etc.
Had a whole argument with an architect about how you cannot replace a 6509 with a 4500x and some access switches in a stack.. And they were uplinking the stack to the 4500 with a 1+1 lagg.. With no clue as to what the intervlan traffic was and how that could be a bottleneck.. Their thought process was that the WAN link is not even gig.. Sure if you want to save some cost and there is NO intervlan traffic, then maybe.. Production facility you have to assume intervlan, and maybe quite a bit of it.. At least allow for each vlan to have an uplink so you're not hairpinning, etc.