Access to Pfsense Portal
-
dude how freaking hard is a screen shot?? Really!!
Isn't this easier to read ;)
-
Here you go, with the screen capture.
-
Yes, much easier to read. Well, your vlan20 rule is only blocking access to the vlan20 address. After that you have an any/any rule. So yeah, you can pretty much do anything you want as long as you're not talking to the IP of pfSense on vlan20.
If you don't want a network to talk to ANY address on the firewall, then use the firewall alias as dest. See my rule.
That would stop traffic to any IP on pfSense, be it wan, lan or any other vlan, etc. If you want to just stop access to the portal, then put in the dest port you're running http/https on. If you want to just use dest any with This Firewall, make sure you allow what you want before the block, i.e. DNS is probably needed ;)
So for example, in my dmz rules I allow ping to the pfSense IP on the dmz address for ipv4 and ipv6. I then allow DNS to the dmz address. But then I block all other access to any other pfSense IP address on anything. I then have allow rules that allow traffic as long as you're NOT (!) going to any of my other networks, listed in the aliases.
-
I have a rule on VLAN 30 that blocks incoming traffic to the VLAN address. That should block any source from going there. If I am on VLAN 20, with the present rules I can access the 192.168.30.1 address. This is what I do not understand.
-
Your reject rule on VLAN30 blocks only the access to the VLAN30 interface address, not the access to other interface addresses.
But your goal is to block any access to the firewall, right? So some advice: pfSense has a nice alias for that. In the block rule select "This Firewall (self)" as the destination, and you get what you want.
-
"I have on the VLAN 30 that blocks incoming into the VLAN address. "
That only blocks it if you're coming into the vlan 30 interface, not when you're coming from another interface like vlan 20.
Rules are evaluated on the interface where pfSense FIRST sees the traffic. Rules on vlan30 block traffic coming into pfSense from vlan30. They have zero to do with traffic that would enter pfSense from, say, lan or vlan20 or vlanXYZ.
Think of it this way. Your interfaces are doors into a building (pfSense). These doors have doormen on them. They look at a list: you're either allowed, or you're not on the list and denied by the default deny rule. Or there might be a special item on the list that says hey, Billy is banned from entering the building. Or you might have a rule that says hey, Billy can come in as long as he is only using the bathroom.
So you need to make sure the doormen at all these doors have a list that has the rules you want them to follow. If Billy comes in door A, because doorman A says sure, Billy can come in, there is nothing stopping him from leaving the building out door B, or going over to door B and hitting the doorman on the head ;)
You can get really fancy with floating rules and actually put rules on the exit of a door. But really those are only for special cases. Just think of your interfaces as doors and write your rules that allow or block what you want as someone enters their door.
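As an added illustration of the point made in this reply (rules are evaluated only on the interface the traffic enters) and of the "allow what you need first, then block This Firewall" ordering described in the earlier reply, here is a small Python model of first-match interface rule evaluation. It is example code written for this thread, not code from pfSense or from any of the posters. The interface addresses, the rule sets and the packets are constructed for the demo, and it deliberately ignores source matching, state tracking and floating rules so that only the ingress-interface behaviour is visible.

```python
"""Toy model of pfSense interface rule evaluation (added example, not pfSense code).

What it models, and nothing more:
  * a packet is filtered once, by the rules of the interface it ENTERS;
    first match wins, and nothing matching means the default deny;
  * the "This Firewall" alias expands to every interface address;
  * rules on any other interface never see the packet.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed interface addresses (assumed; they follow the 192.168.x.1 pattern in the thread).
INTERFACES = {
    "wan": "203.0.113.2",
    "lan": "192.168.1.1",
    "vlan20": "192.168.20.1",
    "vlan30": "192.168.30.1",
}
SELF = "This Firewall"  # alias: every address in INTERFACES
ANY = "any"


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dst: str                     # an IP, ANY, or SELF
    dport: Optional[int] = None  # None matches any port
    proto: str = ANY


@dataclass
class Packet:
    ingress: str                 # interface the packet arrives on
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != ANY and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst == ANY:
        return True
    if rule.dst == SELF:
        return pkt.dst in INTERFACES.values()
    return rule.dst == pkt.dst


def evaluate(rulesets: dict, pkt: Packet) -> str:
    """Return 'pass' or 'block'. Only the ingress interface's rule list is consulted."""
    for rule in rulesets.get(pkt.ingress, []):
        if rule_matches(rule, pkt):
            return rule.action
    return "block"  # default deny when no rule matches


# Rule sets as described in the thread (constructed): each VLAN blocks only its own
# interface address and then allows anything.
ORIGINAL = {
    "vlan20": [Rule("block", INTERFACES["vlan20"]), Rule("pass", ANY)],
    "vlan30": [Rule("block", INTERFACES["vlan30"]), Rule("pass", ANY)],
}


def hardened(iface: str) -> list:
    """Per-interface list: allow DNS to this interface's own address first,
    then block every firewall address via the alias, then allow the rest."""
    return [
        Rule("pass", INTERFACES[iface], dport=53, proto="udp"),
        Rule("block", SELF),
        Rule("pass", ANY),
    ]


HARDENED = {"vlan20": hardened("vlan20"), "vlan30": hardened("vlan30")}


def demo() -> dict:
    """Run the thread's scenarios; the vlan20 host talks to the vlan30 address."""
    webui = Packet("vlan20", "192.168.20.50", INTERFACES["vlan30"], "tcp", 443)
    dns = Packet("vlan20", "192.168.20.50", INTERFACES["vlan20"], "udp", 53)
    inet = Packet("vlan20", "192.168.20.50", "198.51.100.7", "tcp", 443)
    # "I disabled all rules on VLAN30": the vlan30 list is empty, vlan20 still allows any.
    no_vlan30_rules = {"vlan20": [Rule("pass", ANY)], "vlan30": []}
    return {
        "original_webui_via_vlan30_ip": evaluate(ORIGINAL, webui),        # pass
        "no_vlan30_rules_still_pass": evaluate(no_vlan30_rules, webui),   # pass
        "hardened_webui_via_vlan30_ip": evaluate(HARDENED, webui),        # block
        "hardened_dns_to_own_gateway": evaluate(HARDENED, dns),           # pass
        "hardened_internet": evaluate(HARDENED, inet),                    # pass
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The first two results are the behaviour the original poster saw: the packet enters on vlan20, so only the vlan20 list is consulted, and the vlan30 list (populated or empty) is irrelevant. The block on "This Firewall" has to sit on vlan20, after the DNS allow, for the vlan30 address to become unreachable from that network.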
-
That is how I understand a firewall works. But in this instance, the doorman is only screening people/traffic going out of the door (VLAN30) and doesn't care about people coming in. For instance, I disable all rules on interface VLAN30, so by definition it should disallow any traffic from going into VLAN30. But in this case traffic from VLAN20 can still access the VLAN30 interface, e.g. I can ping the VLAN30 address 192.168.30.1 as well as access the pfSense Web UI. What is your take on this?
-
"I disable all rules on interface VLAN30, so by definition it should disallow any traffic from going into VLAN30. But in this case traffic from VLAN20 can still access VLAN30 interface,"
Dude, you're not getting it!!! Traffic is INBOUND into an interface. If vlan 20 is allowed to talk to the IP, then it doesn't matter what rules, if any, you have on vlan30, if the traffic enters pfSense via the vlan20 interface.
You're not "going into the interface" when you came from vlan20.
-
Well, the rule on VLAN20 says that it is allowed to talk to the world; that does not mean that all the world's interfaces must allow it access…
-
Yeah, it does.
If you don't want traffic from vlan 20 talking to vlan 30, then you need a rule that stops it on vlan 20. That is HOW it works… Pretty much that is how every single firewall on the planet works ;)
pfSense is your house with doors on it: front door, back door, side doors, etc. Where does it make sense to stop traffic, before you enter the door, or after you're inside the house? You're not even leaving the side door, you're just touching the inside of the side door. What rule is supposed to stop you from doing that?? The rule the doorman has standing outside the door waiting for people to enter that door??
Here you can have any rule you want on vlan 30 INBOUND to that doorman. If you have a rule on another vlan that allows the TRAFFIC, yeah, I can go hit the doorman on the head (access the portal). It does not matter what the vlan 30 doorman's inbound list says.
Even if you put in a rule for outbound traffic in floating for going out the vlan 30 door, it still does not stop you from hitting the doorman on the head because you're coming from behind him. You're already inside the house!!!
https://youtu.be/rkcGm-pWwsQ