Netgate Discussion Forum
    Permit traffic from OPT1 net to WAN net - WAN net in rule not working

    Firewalling
    lotus49:

      I have three interfaces on my pfsense firewall, WAN, LAN and OPT1.  OPT1 is my DMZ.

      I want to permit traffic from the DMZ to the WAN but not to the LAN.  When I created a rule under the OPT1 tab, specifying WAN net as the destination doesn't work (traffic is blocked both to the LAN and the WAN) whereas if I use ! LAN net instead, I get the desired behaviour.

      As things stand, I have the result I want but if I were to add another interface then ! LAN net would not be the same as WAN net as traffic would also be passed to the new interface.  I am unlikely to do this but I clearly don't understand something and I would like to.

      The working rule (dumped using pfctl -sa) is:

      pass in quick on em2 inet from 192.168.2.0/24 to ! 192.168.1.0/24 flags S/SA keep state label "USER_RULE: Pass traffic from orange but not to green"

      The defective rule is:

      pass in quick on em2 inet from 192.168.2.0/24 to mm.nn.116.0/24 flags S/SA keep state label "USER_RULE: Pass traffic from orange but not to green"

      Please can anyone suggest what I am doing wrong.  I appreciate I may not have provided all the information you need but I wasn't sure what else was relevant.

    vindenesen:

        Hi lotus49,

        The way I did it, was to create an alias containing all my local subnets.

        Picture this:
        WAN: DHCP or static
        LAN: 172.30.1.0/24
        OPT1: 172.30.2.0/24
        OPT2: 172.30.3.0/24

        Then create an alias containing all three networks, name it something like "Local_networks". You should also add your WAN IP address to this alias to prevent access to the management interface on WAN. If you have a dynamic address, I solved this by using dynamic DNS, and entering the DNS-name inside the alias.

        You would then on the OPT1 interface create a rule that allows all traffic NOT destined for "Local_networks".
        So if you later add another interface, just add its subnet to the "Local_networks" alias.

        Edit: Typo

    lotus49:

          That is a neater approach than the one I currently have but I still don't understand why I cannot just specify WAN net as the destination rather than saying which networks I don't want to send the traffic to.

    cmb:

            "WAN net" is the local subnet of the WAN interface, not the entire Internet.

    nwebber:

              Similar situation with several local LANs. What I did for the LAN that should be restricted to "outgoing only" was add a rule explicitly blocking the entire CIDR range of my local subnets. So if you are using 192.168.x.x then block 192.168.0.0/16. (Note that of course this doesn't block access within the restricted LAN itself as those packets never hit the router in the first place).

              The ALIAS method also works but this seemed more robust to me. If you need to punch selective holes in this block rule you can do that too obviously with explicit pass rules ahead of it.

    lotus49:
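    A small Python model, added here as an example and not code from the thread or from pfSense itself, of how pf's destination test treats the rule styles discussed in the posts above: "WAN net", "! LAN net", an alias of all local networks, and a block on 192.168.0.0/16 ahead of a pass rule. The interface names and all addresses (LAN 192.168.1.0/24, OPT1 192.168.2.0/24, WAN 203.0.113.0/24 with firewall WAN address 203.0.113.50) are constructed assumptions, and the alias is derived from the interface table, standing in for the admin adding each new subnet to it by hand.

```python
"""Added example (not pfSense code): model the destination part of the pf rules
discussed in the thread and compare them against concrete destinations.

Assumed, constructed addressing: LAN 192.168.1.0/24, OPT1 (DMZ) 192.168.2.0/24,
WAN 203.0.113.0/24, firewall WAN address 203.0.113.50, WAN gateway 203.0.113.1.
The point modelled: pfSense's "WAN net" expands to the WAN interface's own
subnet, not to "everything reachable through WAN".
"""
from ipaddress import ip_address, ip_network

# Constructed interface table: interface name -> subnet its "<IF> net" macro expands to.
INTERFACES = {
    "WAN": ip_network("203.0.113.0/24"),
    "LAN": ip_network("192.168.1.0/24"),
    "OPT1": ip_network("192.168.2.0/24"),
}
WAN_ADDRESS = "203.0.113.50"  # constructed firewall WAN IP; goes into the alias to protect the GUI


def matches(dst, net, negate=False):
    """pf destination test for 'to <net>' (negate=False) or 'to ! <net>' (negate=True)."""
    hit = ip_address(dst) in net
    return not hit if negate else hit


def rule_wan_net(dst, ifaces=INTERFACES):
    """'pass in on OPT1 ... to WAN net': passes only the WAN interface's own subnet."""
    return matches(dst, ifaces["WAN"])


def rule_not_lan_net(dst, ifaces=INTERFACES):
    """'pass in on OPT1 ... to ! LAN net': everything except the LAN subnet."""
    return matches(dst, ifaces["LAN"], negate=True)


def local_networks_alias(ifaces=INTERFACES, wan_address=WAN_ADDRESS):
    """Model of a 'Local_networks' alias: every non-WAN interface subnet plus the WAN address."""
    nets = [net for name, net in ifaces.items() if name != "WAN"]
    nets.append(ip_network(f"{wan_address}/32"))
    return nets


def rule_not_local_alias(dst, ifaces=INTERFACES, wan_address=WAN_ADDRESS):
    """'pass in on OPT1 ... to ! Local_networks': passes anything outside the alias."""
    return not any(ip_address(dst) in net for net in local_networks_alias(ifaces, wan_address))


def rule_block_192_168_16(dst):
    """'block ... to 192.168.0.0/16' ahead of a pass-any; True means the packet reaches the pass rule."""
    return ip_address(dst) not in ip_network("192.168.0.0/16")


def evaluate(dst, ifaces=INTERFACES):
    """For one destination, report whether each approach lets the DMZ packet through."""
    return {
        "WAN net": rule_wan_net(dst, ifaces),
        "! LAN net": rule_not_lan_net(dst, ifaces),
        "! Local_networks": rule_not_local_alias(dst, ifaces),
        "block 192.168.0.0/16": rule_block_192_168_16(dst),
    }


def with_extra_interface(ifaces=INTERFACES):
    """Constructed fourth interface OPT2 192.168.3.0/24, to show which approaches still hold."""
    extended = dict(ifaces)
    extended["OPT2"] = ip_network("192.168.3.0/24")
    return extended


if __name__ == "__main__":
    targets = ["8.8.8.8", "203.0.113.1", WAN_ADDRESS, "192.168.1.10", "192.168.3.10", "10.0.0.1"]
    for ifaces, title in ((INTERFACES, "three interfaces"), (with_extra_interface(), "with OPT2 added")):
        print(f"--- {title} ---")
        for dst in targets:
            verdict = ", ".join(f"{k}={'pass' if v else 'block'}" for k, v in evaluate(dst, ifaces).items())
            print(f"{dst:>14}: {verdict}")
```

    Running it shows the behaviour the thread describes: the "WAN net" rule passes 203.0.113.1 (the gateway) but blocks 8.8.8.8, "! LAN net" passes Internet traffic but also passes 192.168.3.10 once a fourth interface exists, and the alias approach keeps blocking it because the new subnet is in the alias. The /16 block variant only covers 192.168.x.x, so in this model it neither blocks the firewall's WAN address nor any 10.0.0.0/8 network; whether that matters depends on what else is numbered locally.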

                @cmb:

                "WAN net" is the local subnet of the WAN interface, not the entire Internet.

                Thank you all for your replies but this is the one that really answered my question. I had wrongly assumed that packets passed to the WAN interface would be routed out to the internet.

                Trying my WAN net rule again, I could ping the IP address of the WAN interface and its gateway but nothing more, which explains the behaviour I am seeing.

                If I ever add another interface to my firewall, I shall have to revisit this subject but, at the moment, the three interfaces I have are sufficient so it's not an issue for me.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.