VLAN Rules?
-
I started a post with my rough start to VLAN setup, I went back to the books and I think I have thing done better but was hoping to get some help with:
- Are these rules done right for VLANs? How can I make them more restrictive? I am only looking to make them isolated from each other and the firewall, they only need internet access i.e. port 80 and 443(and DNS/port53)
- I think I can reduce them with aliases but unsure how to write an alias for a "Net".
My setup diagram is below and I have attached screen shots of my LAN and one of my VLANs.
VLAN 12 VLAN 25 VLAN 64
| | |
| | |
Unifi AP Pro…............................
|
|
|
|
|
Switch
|
|
LAN
|
|
Pfsense SG2440
|
|
WAN![LAN Rules.png](/public/imported_attachments/1/LAN Rules.png)
![LAN Rules.png_thumb](/public/imported_attachments/1/LAN Rules.png_thumb)
![VLAN Rules.png](/public/imported_attachments/1/VLAN Rules.png)
![VLAN Rules.png_thumb](/public/imported_attachments/1/VLAN Rules.png_thumb) -
Those do not look like vlans to me.. You created vlan interfaces in pfsense? Looks like you trying to put all the rules on just the lan interface??
If your AP is assigning vlan tags to your different ssids.. vlan 12, 25 and 64 in your drawing. You would need a managed/smart switch and then create your vlan interfaces on pfsense Lan interface (connected to your switch)
With tagging of your 12, 25 and 64 vlans on the port connected to your AP and your port connected to pfsense.
If you do not create vlan ID on your AP, switch and pfsense your just running multiple layer 3 networks on the same layer 2 - which is just plain borked.
Are you leveraging the multiple opt interfaces on your pfsense sg2440?? If so then you would still need to tag the traffic to your AP, and then have multiple ports connected from your switch to the different pfsense interfaces. With those ports pvid set to the specific vlans you want those interfaces on.
-
Thanks Johnpoz…
I have created VLANs in pfsense(LAN is the parent) each with their own IP, I have a managed switch with the VLAN and ports tagged, I also have the Unifi Pro SSIDs setup.
I am using 3 of the 4 opt interfaces on my sg2440(WAN, LAN and one for a dedicated WebGUI port).
Each SSID is getting its own IP on the devices(Not the LAN ip) so everything looks good with AP, Switch and Interfaces...I am also able to get online with each SSID.
All my rules are directed thru a VPN provider with no DNS leaks...I found an old forum post I think you had setup from a few years ago with a WLAN VLAN and LAN configuration(very helpful! Although I can't seem to find it again!). I am hoping I can get help with my 2 questions above.
-
well where are your rules for each interface?
Rules are evaluated on an interface as traffic enters the interface. The only possible source on said interface would be the vlan its on.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
Your top rule there blocking access to rfc1918 networks via an alias.. How would anything work with that rule? Your lan would be rfc1918, etc. What do you have in that alias?
How would your sa, se and vm vlan nets ever be a source of traffic on your lan?
So example here are my rules on my dmz segment.
So I alow ping for ipv4 and ipv6
I then allow dns to pfsense dmz interface both ipv4 and ipv6 udp and tcp
I then block any an all access to any other IP on the firewall - be it another network/vlan/wan IP, etc..
I then allow any access as long as NOT (!) going to rfc1918 address 10.x.x.x, 192.168.x.x, 172.16-31.x.x - this allows internet access nothing else. I then do the same thing for the ipv6 networks that I use local. This contains my /48 network I get from HE.. So this allows to go anywhere ipv6 other than my local networks.Hope that helps.
-
Thanks for the screen shot…I think your WLAN was configured similiarly...I used that to model my VLANs. I have attached a screen shot of one of my VLANs(They are all configured the same except for the "Address" and "Net" related to the rules on thief specific VLAN interface.)
I have also attached a copy of my RFC1918 alias. Attached is also another image of my LAN.
While my config. is different to yours(I don't have a DMZ, nor do I allow access to IPv6, VPN Gateway on mine, nor do I have a ping...still learning that), I modeled it almost the same.
I played around with my RFC1918 rule to see if I could block access in order to trouble shoot why my setup was working and the only difference is that I was unable to change the Gateway to my PIA_VPN on that rule, the only gateway was defaul(WAN). When I set up my VPN, I followed the VPN Hangout video and the PIA instructions however I also deleted all my NAT rules associated with anything WAN, except for my APLAN(Apple TV) which I need to go thru WAN. Might that be why my setup is working with the rfc1918 rule which is only available with "default" gateway? Great now I am more concerned my interfaces aren't segmented... :o
Thought?
![RFC1918 Alias.png](/public/imported_attachments/1/RFC1918 Alias.png)
![RFC1918 Alias.png_thumb](/public/imported_attachments/1/RFC1918 Alias.png_thumb)
-
Again your rules make no sense.. How exactly would your sevlan or savlan or vmvlan be source to inbound traffic to your lan??? Never going to happen!!
Rules are evaluated as traffic enters a interface!!!
According to your top rule on your lan - You could go nowhere on your network, you can not even ask pfsense for dns… What is the point of blocking all the other nets after you just blocked going to rfc1918 space..
You allow traffic out to your vpn.. Any Any rule.. Then you allow 53.. When would that rule ever be evaluated?? The rule above it is any any!!
You have rules blocking all your nets, then you block all them with a rfc1918 alias.. So what is the point? You have on your sevlan net a rule that blocks going to sevlan??
I don't think your actually grasping how the rules work..
-
Johnpoz would you be willing to share screen shots of your LAN and WLAN interface rules again? Also do I need a DMZ for my configuration? Again sorry for the rookie questions but I do just want to make my config is secure and that I learn how to use pfsense, how rules interact with each other and how interfaces work with each other…you pfSense Jedi!
Thank again,,
Grasshopper -
Sure…
Lan is pretty much default.. I let it do whatever it wants..
The wlan network is only for devices that auth with eap-tls, these are MY devices only ipad, phone, laptop, etc..
So first 2 rules allow ping to pfsense address on that wlan
3rd rule allows my ipad and iphone to do whatever they want to anywhere.
4th rule allows access to my plex server that sits on my lan network.
Next rule allows access to my ntp servers that that site on my dmz segment, and really to go to ntp anywhere.
I then allow access to pfsense for dns
I then allow my AP (3 of them) to ask pfsense for radius via the freeradius package running there.
I then allow my AP to send syslog to a syslog server running on my lan
I then block any and all access to any other firewall IP or port.
I then allow wlan any access into the dmz segment.. Keep in mind a dmz is nothing really special - its just another firewalled segment. I just call it that because I do allow inbound traffic into that dmz via the internet.
I then log any and all traffic my AP my do to the internet.
I then let anything else in the wlan net to go to the internet but no where else on my network via the any any rules for ipv4 and ipv6
-
I modified my rules to emulate how your DMZ is configured(I am going to go back and study your WLAN more but seems similar)…I have attached a screen shot with some changes I made in an attempt to “Harden” my configuration.
Some notes:
1. I plan to add the ICMP rule next as I think this will help with trouble shooting and functionaility…more to learn
2. All my VLAN now follow the same rule logic as yours. With the Apple Interface I need to use the WAN(doesn’t work with VPN), I have different static IP device aliases for each VLAN and I limited port access to ports 80 and 443 only via a port alias.
3. In NAT I deleted all my duplicate interface rules that reference WAN that I setup when when I added my VPN provider, except for my Apple interface…which includes Netflix, that doesn’t work with VPN. Not sure if the logic is sound but it seemed so..
4. I deleted all my LAN rules…need to relook at that interface
5. DNS leak test shows “No Leaks” on my VLANs
6. IP for VLAN interfaces indicates the VPN IPI am still concerned why my RFC1918 didn’t block? It did block when I rewrote the rule(vs modify an existing rule)….not sure if there is a best practice about rewriting vs modifying rules over time or this was my human error???
Regardless Johnpoz Thank you thank you thank you!!
I have attached screen shots of my VLAN and NAT rules for any newbies trying to do the same…not saying its right but it is a start.
I am now lulled into a better sense of online and network security…all is good! ….NOT more work to do!
Anybody feel free to comment if my rules seem "borked" (to quote a Jedi)! I don't want to leave any newbie brothers and sisters hanging…
pfSense rocks! Thank you Johnpoz…
![modified VLAN rules.png](/public/imported_attachments/1/modified VLAN rules.png)
![modified VLAN rules.png_thumb](/public/imported_attachments/1/modified VLAN rules.png_thumb)
![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
![NAT rules.png_thumb](/public/imported_attachments/1/NAT rules.png_thumb) -
Dude you can not set a gateway to go out your vpn to talk to the sevlan address for dns..
Where are you nats for the rest of your networks??
-
Thanks for that follow up…
I have attached screen shots of my "Manual Outbound NAT rule generation" configuration, I referenced the VPN provider guide(which indicated duplicating each rule). The pfSense Hangout video however indicated the "Hybrid" approach as an alternative. Should I "turn on" any of these rules I turned off?
Thanks again...
(I am not sure what I should or shouldn't share in terms of my IPs on the forum so I blocked them all. Also I have no entries in "Port Forward", "1:1" or the "NPt" tabs.)
![Outbound NAT.png](/public/imported_attachments/1/Outbound NAT.png)
![Outbound NAT.png_thumb](/public/imported_attachments/1/Outbound NAT.png_thumb)
![Outbound NAT cont..png](/public/imported_attachments/1/Outbound NAT cont..png)
![Outbound NAT cont..png_thumb](/public/imported_attachments/1/Outbound NAT cont..png_thumb) -
Dude how can I help you if your going to hide rfc1918 address space??
I have no idea what guide your using for your vpn service.. But there is zero reason to have to do all that..
Here is my outbound nat rules.. See the 1 rule that is created that allows me to send my 192.168.3 network out the vpn if I so desire.
-
Thanks Johnpoz…
I have attached my NAT screen shots...I have seen others on the forum "obscure IPs" so I was just following suite. I am too green to know what can be leveraged and what can't...
I see you used the "hybrid"...I used the "manual" guide provided by PIA.
Thanks again for the help...definitely willing to make the changes needed.
Update
Here is the link:
https://www.privateinternetaccess.com/pages/client-support/pfsense![NAT Outbound.png](/public/imported_attachments/1/NAT Outbound.png)
![NAT Outbound.png_thumb](/public/imported_attachments/1/NAT Outbound.png_thumb)
![NAT Outbound contd..png](/public/imported_attachments/1/NAT Outbound contd..png)
![NAT Outbound contd..png_thumb](/public/imported_attachments/1/NAT Outbound contd..png_thumb) -
"I have seen others on the forum "obscure IPs"
Sure if its a public, or global IPv6 sure.. But rfc1918 would be like telling me your house is blue, and thinking I could track you down from that ;) There is ZERO reason to try and obscure those..
"I see you used the "hybrid"…I used the "manual" guide provided by PIA."
and pointless!! And even if you were going to do it manual.. Why would you create individual rules for each network using the same interface? You can combine those into 1 rule, or for that matter combine your source network via 1 cidr like 192.168.0.0/16 so you only have 1 rule.
Thought your whole point to this thread was to reduce your rules ;) Not make multiple pages of outbound nats ;) hehehe
-
Definitely want to keep my rules manageable…
I'll go back to my NAT and go back to the Hang out videos(well worth the gold member ship...well worth the $99 membership) and change this to a "hybrid" vs "Manual".
With my current config. should I just change the "DNS rules" to the WAN gateway in all my VLAN interfaces? update added I would think a DNS request via a VPN is more private?
I have learned a lot from this thread, although I also have more questions! All good!
Thanks again for your help...unfortunately I can't upload you a beer but thanks again!
-
well your rules once you change the gateway on the allow to 53, this will allow what is in your alias to access pfsense dns.
Then block all other access to pfsense any IP or port.
The allow stuff in your alias to access tcp 80/443 only through your vpn. -
Wow!
Talk about reducing "rule bloat"! Managed to reduce all my rules…
Notes:
- Reduced my Outbound NAT rules from 28 to 1
- Reduced my Interface rules from 11 per interface to 3
- DNS Leak test (DNSleaktest.com) still shows no leaks…not sure what that is worth!
- update Not sure if I can quantify this but I have never seen my CPU usage so low!
I have attached screen shots of my new VLAN rules…
Thank you Johnpoz…your a good person! I want to test this more but I think I can take this security now to another level.
(All - Support the cause and become a Gold Member! Again well worth the $99!!!)
![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
![NAT rules.png_thumb](/public/imported_attachments/1/NAT rules.png_thumb)
![Updated VLAN rules.png](/public/imported_attachments/1/Updated VLAN rules.png)
![Updated VLAN rules.png_thumb](/public/imported_attachments/1/Updated VLAN rules.png_thumb) -
So do you have pfsense forwarding for dns? If your clients are asking the resolver for dns, and its actually resolving. Your IP is going to show up in dnsleaks because your actually resolving so the queries for dns to the authoritative servers will come from your IP.
dns leaks is just the new hype word to scare the kids that don't really have a clue..
-
I am currently using the default DNS Resolver(Services->DNS Resolver->General Settings) as follows:
- Network Interfaces set to “ALL”
- Outgoing Network Interfaces set to “Open VPN” ONLY
My “DNS Server” field in DHCP Servers(Services->DHCP Server->”Each Interface”):
- All are empty except my Apple TV VLAN which still shows OpenDNS IPs
My DNS Server field in General setup (System->General Setup) are all blank.
My next goal was to dive into pfBlockerNG to see if I can get some additional security benefits. I have a few key “Add-ons” in my Firefox browser which seem to provide similar functionality…was hoping to check this out more. I tried a few DNS leak tests but I agree it didn't seem overly assuring…
-
"* Outgoing Network Interfaces set to “Open VPN” ONLY"
Ah - yeah this would send all your dns queries to the authoritative servers via your vpn connection. So yeah it would show that IP as the dns server.