Deny access to other subnets, but allow access to services available on the wan

pox

I have 2 vlans and a wan configured on a pfsense router.

On vlan.100 (2001:2000:9000:100::/64) there is a web server (2001:2000:9000:100::1) that exposes his services on port 443, and a mail server that exposes smtp on port 25, and some other services like a database, a redis server, and so on.
On the wan interface there is a firewall rule that allows access from wan to port 443 on the server on vlan.100 (allow port 443 on 2001:2000:9000:100::1). But port 25 and all other services should be accessible only from clients that are inside the lan.

On the other hand, I have vlan.200 (2001:2000:9000:200::/64). Clients on vlan.200 should not be able to access services on lans other that vlan.200. So I created a rule that blocks access from vlan.200 to other internal lans (deny 2001:2000:9000::/48). But this blocks access to port 443 on the server on vlan.100 2001:2000:9000:100::1.
If the server is reachable from the internet, it should also be reachable from the vlan.200.

How do I go about allowing access from local lans to services that are allowed from the internet, without having to permit them all manually?

johnpoz

Just allow the ports you want to allow, ie 443 to the specific server IP or whole subnet if you want.

Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.

So if you want to allow to 443, put that rule above where you block access to that vlan/subnet/prefix

pox

@johnpoz:

Just allow the ports you want to allow, ie 443 to the specific server IP or whole subnet if you want.

Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.

So if you want to allow to 443, put that rule above where you block access to that vlan/subnet/prefix

But say I have like 20 allow rules for services I expose on the wan interface. Do I have to repeat them on all vlans?
Is there nothing I can to to do this automatically? Something like tell pfsense "If it is allow on wan, it should be allow on all interfaces?"

johnpoz

You could setup rules in floating.. where you can pick the interfaces the rule would be applied on..  So sure you could pick your 20 vlans there And allow traffic to that dest vlan on the ports you want.  If you have multiple ports you put them in an alias.

pox

@johnpoz:

You could setup rules in floating.. where you can pick the interfaces the rule would be applied on..  So sure you could pick your 20 vlans there And allow traffic to that dest vlan on the ports you want.  If you have multiple ports you put them in an alias.

cool. I never used floating rules. will try.

johnpoz

I personally would just put the rules directly on the interfaces in question.  This allows for differences, and easier to troubleshoot and understand the rules..

Do you really have 20+ vlans or where you just using that as an example how to do it on multiple vlans.

How many interfaces do you have these vlans spread across on pfsense.  Is there a lot of intervlan traffic - any vlan that talks to another vlan on the same physical interface is a hairpin, and your total amount of traffic possible between vlans would be limited by the total bandwidth available on physical interface.

This can become a real bottleneck when you have lots of clients in lots of vlans all sharing single physical interface..

pox

@johnpoz:

I personally would just put the rules directly on the interfaces in question.  This allows for differences, and easier to troubleshoot and understand the rules..

Do you really have 20+ vlans or where you just using that as an example how to do it on multiple vlans.

Thanks for the insights. No, I have 4 vlans, but I'd like this to work out of the box: so that when I open up a service to the internet, it is accessible on all vlans as well, without having to remember to add the allow rule on all 4 interfaces + wan.
It makes no sense to block traffic to a service that is accessible on the internet to a client that is inside a lan segment that does not have access to local services.

@johnpoz:

How many interfaces do you have these vlans spread across on pfsense.  Is there a lot of intervlan traffic - any vlan that talks to another vlan on the same physical interface is a hairpin, and your total amount of traffic possible between vlans would be limited by the total bandwidth available on physical interface.

This can become a real bottleneck when you have lots of clients in lots of vlans all sharing single physical interface..

I tried the floating rule approach, and marking them as "quick" works quite well for now. I will monitor the performance of the network and see if problems arise.

johnpoz

Yeah 4 vlans - I would put the rules directly on them… Takes all of 30 seconds to do that..

Floating rules can be very confusing to new users.. Its hard enough to get them to understand order of rules being evaluated, let alone throw in the ability to filter on the outbound of an interface and if they do not set quick they do not understand the flow since floating are evaluated first but if they do not click "quick" they might not work, etc. etc..

Until you move to more advanced sort of rules I really would stay away from the floating tab.. Especially if you only have 4 vlans. If you had 40 or 400 then ok...

pox

@johnpoz:

Yeah 4 vlans - I would put the rules directly on them… Takes all of 30 seconds to do that..

I have 9 services exposed on the internet, and 4 vlans that should be able to access them (but not internal services on other vlans).
9 * 4 rules I'm sure takes more than 30 seconds. but it's not that much for that, because that would be a one time thing, but I would have to add/remove the rule on all 4 interfaces every time something changes. I like to do other, more useful things with my time if I can choose.

@johnpoz:

Floating rules can be very confusing to new users.. Its hard enough to get them to understand order of rules being evaluated, let alone throw in the ability to filter on the outbound of an interface and if they do not set quick they do not understand the flow since floating are evaluated first but if they do not click "quick" they might not work, etc. etc..

Until you move to more advanced sort of rules I really would stay away from the floating tab.. Especially if you only have 4 vlans. If you had 40 or 400 then ok…

Thanks for listing the cons. IMHO for now the pros outweigh the cons. Let's see how it goes.

johnpoz

To the time it takes.. You understand you can copy a rule right, and then just need to change the interface and it moves over to that tab..

So creating your rule once and then copy to multiple vlans only takes a few seconds.  And if you used alias to list your ports for your dest and even your dest IPs.. You just need to modify those and all rules using those would auto get updated..