Netgate Discussion Forum
    Blocking Access Between Subnets/Interfaces

    Firewalling
    mjpatera

      Let me start by saying I've only been using pfSense for about a week, so I really don't know what I'm doing. I've got everything set up and working with just the default firewall settings. I've searched the forums but can't find exactly what I'm looking for.

      My network interfaces are set up as below:
      pfSense 2.3.3 running on a Dell Optiplex 790 with 4 NICs
      - WAN
      - LAN - 192.168.1.xxx - DHCP server enabled on LAN - NAS, my PCs
      - OPT1 - 10.0.1.xxx - DHCP server enabled on OPT1 - IoT devices, kids' iPads, TVs, guests
      - OPT2 - 10.0.2.xxx - security camera server

      Everything works and connects to the internet like I want, but the issue I'm having is that all interfaces are also communicating with each other. I can ping any device connected to OPT1 while I'm connected to LAN. I want all interfaces to have access to the internet but don't want them talking to each other.
      I've played with a few firewall rules on all interfaces trying to block traffic, but it's not working. I can check the box to block private networks on the interface setup tab and it will block traffic like I want, but it also blocks internet access.

      What rules do I need to create to accomplish this? Thanks in advance for the help.

      johnpoz (LAYER 8 Global Moderator)

        Rules are evaluated on the interface where traffic enters pfSense, top down; the first rule that matches wins and no other rules are evaluated.

        If you do not want OPT1 to talk to LAN, then the top rule on the OPT1 interface tab in Firewall blocks OPT1 network from LAN network, with your allow rules to the internet after that.

        Example attached of how I do it.

        So I let my DMZ segment (just an OPT interface):

        - ping the pfSense address in the DMZ
        - use DNS on the pfSense DMZ address
        - allow devices on the DMZ segment to talk to my NTP servers
        - BLOCK all access to any other firewall IP, be it the DMZ interface, LAN interface, WAN interface, etc.
        - I then allow any to any as long as it's not to a local network, i.e. the ! (bang) or NOT rfc1918. That alias contains 10/8, 192.168/16, 172.16/12, so if you're going to any of my other networks or any future network I bring up you would be blocked; but as long as you're not going to an RFC1918 address (i.e. the internet) then you're allowed.

        [attached image: dmzrules.png]

          nfr

          Make sure to create these rules above the allow-to-any rules. First create a LAN rule blocking traffic out of your LAN to OPT1 by using the OPT1 net network as the destination. Create a second rule to block LAN to OPT2 by using the OPT2 net network as the destination. On the OPT1 network create rules blocking traffic destined for LAN and destined for OPT2. On OPT2 create rules blocking traffic to LAN and OPT1.

          If you want to get to devices on the other side from the LAN, just disable or remove the rule blocking the traffic from that network to the one you want to access.

            mjpatera

            Thanks for the help guys. That worked. I thought I had tried that already but apparently I did something wrong.

              mjpatera

              Hey guys,

              These firewall rules have been working for me, but I want to modify them a little. I still want to block all traffic between LAN and OPT1, except for one specific IP address. Can I add a pass rule to the top of the list allowing traffic to the single address and then have the block OPT net rule under that? I have a FreeNAS box and my personal laptop that I keep on the LAN network, and everything else in the house connects to OPT1. On the FreeNAS I have installed a Plex add-on, so its IP address is also on the LAN net. I want everything on OPT1 to be able to talk to the Plex IP address but be blocked from everything else on that network.

              Thanks
              Mark

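The three rule layouts discussed in this thread (johnpoz's single pass-to-NOT-RFC1918 rule, nfr's explicit per-subnet block rules above an allow-any, and the final post's idea of a pass rule for one host placed above the block) all rest on the same mechanism johnpoz describes: rules are evaluated top down on the ingress interface and the first match wins, with an implicit default deny at the end. The Python below is an added illustration written for this page, not pfSense code or anything posted in the thread. It models that first-match evaluation for the OPT1 interface using the thread's subnets; the host addresses (including 192.168.1.50 as the Plex box) and the 203.0.113.10 "internet" destination are constructed placeholders. It also shows one difference between the two approaches that johnpoz's post points at: explicit block rules only cover the subnets you listed, while the NOT-RFC1918 pass rule also blocks any private subnet added later.

```python
import ipaddress
from dataclasses import dataclass, field

# Subnets from the thread; host addresses below are constructed placeholders.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("10.0.1.0/24")
OPT2_NET = ipaddress.ip_network("10.0.2.0/24")
ANY = [ipaddress.ip_network("0.0.0.0/0")]
# The RFC1918 alias johnpoz describes: 10/8, 172.16/12, 192.168/16.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed address of the Plex host on LAN (not stated in the thread).
PLEX_HOST = [ipaddress.ip_network("192.168.1.50/32")]


@dataclass
class Rule:
    """One firewall rule on an interface tab: action, source, destination."""
    action: str                      # "pass" or "block"
    src: list                        # list of ip_network objects
    dst: list
    negate_dst: bool = False         # models the "not" (!) checkbox on destination
    descr: str = ""


def matches(rule, src_ip, dst_ip):
    src_ok = any(src_ip in n for n in rule.src)
    dst_in = any(dst_ip in n for n in rule.dst)
    dst_ok = (not dst_in) if rule.negate_dst else dst_in
    return src_ok and dst_ok


def evaluate(rules, src_ip, dst_ip):
    """Top-down, first match wins; nothing matched means pfSense's default deny.

    Only the ruleset of the interface the packet ENTERS is consulted (here OPT1);
    reply traffic is handled by state, so no mirror rules are needed on LAN.
    """
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.action, rule.descr
    return "block", "default deny"


# Layout A (nfr): explicit blocks to each neighbouring subnet, then allow any.
OPT1_EXPLICIT = [
    Rule("block", [OPT1_NET], [LAN_NET], descr="block OPT1 net -> LAN net"),
    Rule("block", [OPT1_NET], [OPT2_NET], descr="block OPT1 net -> OPT2 net"),
    Rule("pass", [OPT1_NET], ANY, descr="allow OPT1 net -> any"),
]

# Layout B (johnpoz): a single pass whose destination is NOT the RFC1918 alias.
OPT1_NOT_RFC1918 = [
    Rule("pass", [OPT1_NET], RFC1918, negate_dst=True, descr="allow OPT1 net -> ! rfc1918"),
]

# Layout C (final post's question): pass one LAN host, placed ABOVE the blocks.
OPT1_WITH_PLEX = [
    Rule("pass", [OPT1_NET], PLEX_HOST, descr="allow OPT1 net -> Plex host"),
    *OPT1_EXPLICIT,
]
# Same rules with the exception placed BELOW the block: first match wins, so it never fires.
OPT1_PLEX_MISPLACED = [*OPT1_EXPLICIT[:1], Rule("pass", [OPT1_NET], PLEX_HOST, descr="too late")]


def compare_layouts(src="10.0.1.20"):
    """Return the action each layout gives for a few constructed destinations."""
    cases = {
        "lan_host": "192.168.1.10",
        "plex_host": "192.168.1.50",
        "future_private_subnet": "172.16.5.5",   # a subnet nobody wrote a block for
        "internet": "203.0.113.10",              # TEST-NET-3, stands in for the internet
    }
    layouts = {
        "explicit": OPT1_EXPLICIT,
        "not_rfc1918": OPT1_NOT_RFC1918,
        "with_plex": OPT1_WITH_PLEX,
        "plex_misplaced": OPT1_PLEX_MISPLACED,
    }
    return {name: {case: evaluate(rules, src, dst)[0] for case, dst in cases.items()}
            for name, rules in layouts.items()}


if __name__ == "__main__":
    for layout, results in compare_layouts().items():
        print(layout, results)
```

Running it shows the explicit layout passing traffic to 172.16.5.5 (no block rule names that subnet), while the NOT-RFC1918 layout falls through to the default deny for it; the Plex exception passes only when it sits above the block rule.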
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.