VLAN Rules?
-
Thanks for the screen shot…I think your WLAN was configured similiarly...I used that to model my VLANs. I have attached a screen shot of one of my VLANs(They are all configured the same except for the "Address" and "Net" related to the rules on thief specific VLAN interface.)
I have also attached a copy of my RFC1918 alias. Attached is also another image of my LAN.
While my config. is different to yours(I don't have a DMZ, nor do I allow access to IPv6, VPN Gateway on mine, nor do I have a ping...still learning that), I modeled it almost the same.
I played around with my RFC1918 rule to see if I could block access in order to trouble shoot why my setup was working and the only difference is that I was unable to change the Gateway to my PIA_VPN on that rule, the only gateway was defaul(WAN). When I set up my VPN, I followed the VPN Hangout video and the PIA instructions however I also deleted all my NAT rules associated with anything WAN, except for my APLAN(Apple TV) which I need to go thru WAN. Might that be why my setup is working with the rfc1918 rule which is only available with "default" gateway? Great now I am more concerned my interfaces aren't segmented... :o
Thought?
-
Again your rules make no sense.. How exactly would your sevlan or savlan or vmvlan be source to inbound traffic to your lan??? Never going to happen!!
Rules are evaluated as traffic enters a interface!!!
According to your top rule on your lan - You could go nowhere on your network, you can not even ask pfsense for dns… What is the point of blocking all the other nets after you just blocked going to rfc1918 space..
You allow traffic out to your vpn.. Any Any rule.. Then you allow 53.. When would that rule ever be evaluated?? The rule above it is any any!!
You have rules blocking all your nets, then you block all them with a rfc1918 alias.. So what is the point? You have on your sevlan net a rule that blocks going to sevlan??
I don't think your actually grasping how the rules work..
-
Johnpoz would you be willing to share screen shots of your LAN and WLAN interface rules again? Also do I need a DMZ for my configuration? Again sorry for the rookie questions but I do just want to make my config is secure and that I learn how to use pfsense, how rules interact with each other and how interfaces work with each other…you pfSense Jedi!
Thank again,,
Grasshopper -
Sure…
Lan is pretty much default.. I let it do whatever it wants..
The wlan network is only for devices that auth with eap-tls, these are MY devices only ipad, phone, laptop, etc..
So first 2 rules allow ping to pfsense address on that wlan
3rd rule allows my ipad and iphone to do whatever they want to anywhere.
4th rule allows access to my plex server that sits on my lan network.
Next rule allows access to my ntp servers that that site on my dmz segment, and really to go to ntp anywhere.
I then allow access to pfsense for dns
I then allow my AP (3 of them) to ask pfsense for radius via the freeradius package running there.
I then allow my AP to send syslog to a syslog server running on my lan
I then block any and all access to any other firewall IP or port.
I then allow wlan any access into the dmz segment.. Keep in mind a dmz is nothing really special - its just another firewalled segment. I just call it that because I do allow inbound traffic into that dmz via the internet.
I then log any and all traffic my AP my do to the internet.
I then let anything else in the wlan net to go to the internet but no where else on my network via the any any rules for ipv4 and ipv6
-
I modified my rules to emulate how your DMZ is configured(I am going to go back and study your WLAN more but seems similar)…I have attached a screen shot with some changes I made in an attempt to “Harden” my configuration.
Some notes:
1. I plan to add the ICMP rule next as I think this will help with trouble shooting and functionaility…more to learn
2. All my VLAN now follow the same rule logic as yours. With the Apple Interface I need to use the WAN(doesn’t work with VPN), I have different static IP device aliases for each VLAN and I limited port access to ports 80 and 443 only via a port alias.
3. In NAT I deleted all my duplicate interface rules that reference WAN that I setup when when I added my VPN provider, except for my Apple interface…which includes Netflix, that doesn’t work with VPN. Not sure if the logic is sound but it seemed so..
4. I deleted all my LAN rules…need to relook at that interface
5. DNS leak test shows “No Leaks” on my VLANs
6. IP for VLAN interfaces indicates the VPN IPI am still concerned why my RFC1918 didn’t block? It did block when I rewrote the rule(vs modify an existing rule)….not sure if there is a best practice about rewriting vs modifying rules over time or this was my human error???
Regardless Johnpoz Thank you thank you thank you!!
I have attached screen shots of my VLAN and NAT rules for any newbies trying to do the same…not saying its right but it is a start.
I am now lulled into a better sense of online and network security…all is good! ….NOT more work to do!
Anybody feel free to comment if my rules seem "borked" (to quote a Jedi)! I don't want to leave any newbie brothers and sisters hanging…
pfSense rocks! Thank you Johnpoz…
 -
Dude you can not set a gateway to go out your vpn to talk to the sevlan address for dns..
Where are you nats for the rest of your networks??
-
Thanks for that follow up…
I have attached screen shots of my "Manual Outbound NAT rule generation" configuration, I referenced the VPN provider guide(which indicated duplicating each rule). The pfSense Hangout video however indicated the "Hybrid" approach as an alternative. Should I "turn on" any of these rules I turned off?
Thanks again...
(I am not sure what I should or shouldn't share in terms of my IPs on the forum so I blocked them all. Also I have no entries in "Port Forward", "1:1" or the "NPt" tabs.)
 -
Dude how can I help you if your going to hide rfc1918 address space??
I have no idea what guide your using for your vpn service.. But there is zero reason to have to do all that..
Here is my outbound nat rules.. See the 1 rule that is created that allows me to send my 192.168.3 network out the vpn if I so desire.
-
Thanks Johnpoz…
I have attached my NAT screen shots...I have seen others on the forum "obscure IPs" so I was just following suite. I am too green to know what can be leveraged and what can't...
I see you used the "hybrid"...I used the "manual" guide provided by PIA.
Thanks again for the help...definitely willing to make the changes needed.
Update
Here is the link:
https://www.privateinternetaccess.com/pages/client-support/pfsense
 -
"I have seen others on the forum "obscure IPs"
Sure if its a public, or global IPv6 sure.. But rfc1918 would be like telling me your house is blue, and thinking I could track you down from that ;) There is ZERO reason to try and obscure those..
"I see you used the "hybrid"…I used the "manual" guide provided by PIA."
and pointless!! And even if you were going to do it manual.. Why would you create individual rules for each network using the same interface? You can combine those into 1 rule, or for that matter combine your source network via 1 cidr like 192.168.0.0/16 so you only have 1 rule.
Thought your whole point to this thread was to reduce your rules ;) Not make multiple pages of outbound nats ;) hehehe
-
Definitely want to keep my rules manageable…
I'll go back to my NAT and go back to the Hang out videos(well worth the gold member ship...well worth the $99 membership) and change this to a "hybrid" vs "Manual".
With my current config. should I just change the "DNS rules" to the WAN gateway in all my VLAN interfaces? update added I would think a DNS request via a VPN is more private?
I have learned a lot from this thread, although I also have more questions! All good!
Thanks again for your help...unfortunately I can't upload you a beer but thanks again!
-
well your rules once you change the gateway on the allow to 53, this will allow what is in your alias to access pfsense dns.
Then block all other access to pfsense any IP or port.
The allow stuff in your alias to access tcp 80/443 only through your vpn. -
Wow!
Talk about reducing "rule bloat"! Managed to reduce all my rules…
Notes:
- Reduced my Outbound NAT rules from 28 to 1
- Reduced my Interface rules from 11 per interface to 3
- DNS Leak test (DNSleaktest.com) still shows no leaks…not sure what that is worth!
- update Not sure if I can quantify this but I have never seen my CPU usage so low!
I have attached screen shots of my new VLAN rules…
Thank you Johnpoz…your a good person! I want to test this more but I think I can take this security now to another level.
(All - Support the cause and become a Gold Member! Again well worth the $99!!!)
 -
So do you have pfsense forwarding for dns? If your clients are asking the resolver for dns, and its actually resolving. Your IP is going to show up in dnsleaks because your actually resolving so the queries for dns to the authoritative servers will come from your IP.
dns leaks is just the new hype word to scare the kids that don't really have a clue..
-
I am currently using the default DNS Resolver(Services->DNS Resolver->General Settings) as follows:
- Network Interfaces set to “ALL”
- Outgoing Network Interfaces set to “Open VPN” ONLY
My “DNS Server” field in DHCP Servers(Services->DHCP Server->”Each Interface”):
- All are empty except my Apple TV VLAN which still shows OpenDNS IPs
My DNS Server field in General setup (System->General Setup) are all blank.
My next goal was to dive into pfBlockerNG to see if I can get some additional security benefits. I have a few key “Add-ons” in my Firefox browser which seem to provide similar functionality…was hoping to check this out more. I tried a few DNS leak tests but I agree it didn't seem overly assuring…
-
"* Outgoing Network Interfaces set to “Open VPN” ONLY"
Ah - yeah this would send all your dns queries to the authoritative servers via your vpn connection. So yeah it would show that IP as the dns server.
-
Thanks again Johnpoz!
