Invert match doesn't work

Qinn

@johnpoz:

"Is your wan public or rfc1918?" could you explain a bit more?"

Huh?  How is it you just created a alias for rfc1918 space but you do not know what it is?

Well I know what RFC1918 means (private subnets), but I don't understand that a WAN could be part of that? To my best of my knowledge, WAN always means not private subnet. So I hope you can provide me with an practical example so I can understand it.

I also still don't understand that my xDSL modem has a RFC1980 address and is accessible as it is on the WAN side, but it works.

LAN–--------------WAN---------------xDSLModem (Draytek 130 in PPPoA to PPPoE bridge mode)
192.168.1.x      83.161.x.x          192.168.100.1

Qinn

@Derelict:

That rule will not block access to the internet even if the WAN is RFC1918-addressed. It would block access to the things on WAN net like the ISP gateway in that case.

Hmmm, trying to grasp that one…

bingo600

That rule will only block packets that has a destination matching a RFC1918 address.
The internet is "everything but RFC1918" , so no destination match.

Rules matches an (end) destination.

/Bingo

johnpoz

"WAN always means not private subnet"

Wan is just something that is not local to you - ie the internet is a wan, your wan side connection to the internet is just your transit network to networks other than your local networks.

There are many reasons why your wan IP could be rfc1918.. your ISP is doing carrier grade nat.  Your behind your isp router that does not allow bridge mode and so your behind a double nat.  Pfsense is just a downstream router in a larger network, etc..

My point was if you don't want users on that network to be able to get to web gui, you would need to block your wan IP if it was public - if your wan was rfc1918 then your rule would block that access as well.

Seems users have a real problem with what a wan actually is - all your wan network is the transit network to networks that are not your..  Putting rules like blocking access or allowing access to wan net is just that that actual network be it some rfc1918 because your behind a nat router or carrier grade nat or be a public segment that can route on the network and is just some segment off the ISP network, etc.

Qinn

@bingo600:

That rule will only block packets that has a destination matching a RFC1918 address.
The internet is "everything but RFC1918" , so no destination match.

Rules matches an (end) destination.

/Bingo

Thanks!

Qinn

@johnpoz:

"WAN always means not private subnet"

Wan is just something that is not local to you - ie the internet is a wan, your wan side connection to the internet is just your transit network to networks other than your local networks.

There are many reasons why your wan IP could be rfc1918.. your ISP is doing carrier grade nat.  Your behind your isp router that does not allow bridge mode and so your behind a double nat.  Pfsense is just a downstream router in a larger network, etc..

My point was if you don't want users on that network to be able to get to web gui, you would need to block your wan IP if it was public - if your wan was rfc1918 then your rule would block that access as well.

Seems users have a real problem with what a wan actually is - all your wan network is the transit network to networks that are not your..  Putting rules like blocking access or allowing access to wan net is just that that actual network be it some rfc1918 because your behind a nat router or carrier grade nat or be a public segment that can route on the network and is just some segment off the ISP network, etc.

Thanks, for explaining it!

What I also would like to know is, why does anyone who only wants to, lets say guests, give access to the internet, do it like, block everything and as a last rule grant access to everywhere.

Why not, as in pfSense by default everything is blocked (apart from port 67 DHCP), only grant access to the internet?

johnpoz

Huh??  Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.

Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule.  But if you create new networks you would have to put in the rules you want.  But the internet is made up of lots of networks.. As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc.  But in general if not rfc1918 space its the "internet"

There are many protocols on the internet not just tcp, udp and icmp..  You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule.  You can always limit that how you see fit.

How exactly would you create dest that was "internet"??  It really could be anything.

Qinn

In the rules I have (see attachment), with the last rule, I grant the guests to access anything anywhere, so at that point, I throw out the default rule that everything is blocked. IMHO it would be better, when there is a default rule that block you to go anywhere, not to through this away at the last rule.

@johnpoz:

Huh??  Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.

Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule.  But if you create new networks you would have to put in the rules you want.  But the internet is made up of lots of networks..As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc.  But in general if not rfc1918 space its the "internet"

There are many protocols on the internet not just tcp, udp and icmp..  You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule.  You can always limit that how you see fit.

How exactly would you create dest that was "internet"??  It really could be anything.

Maybe it's stupid qeustion, but to me it would seem logical that if I would create a pass rule from Guest net to WAN net, it would give internet access to the guests. Than one rule would be enough, as everything else will be blocked by the default rule.

GruensFroeschli

@Qinn:

In the rules I have (see attachment), with the last rule, I grant the guests to access anything anywhere, so at that point, I throw out the default rule that everything is blocked. IMHO it would be better, when there is a default rule that block you to go anywhere, not to through this away at the last rule.

@johnpoz:

Huh??  Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.

Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule.  But if you create new networks you would have to put in the rules you want.  But the internet is made up of lots of networks..As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc.  But in general if not rfc1918 space its the "internet"

There are many protocols on the internet not just tcp, udp and icmp..  You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule.  You can always limit that how you see fit.

How exactly would you create dest that was "internet"??  It really could be anything.

Maybe it's stupid qeustion, but to me it would seem logical that if I would create a pass rule from Guest net to WAN net, it would give internet access to the guests. Than one rule would be enough, as everything else will be blocked by the default rule.

The guest net is the network attached to the guest interface.
The WAN net is the network attached to the WAN interface.
–> Not the internet.

Qinn

@GruensFroeschli:

The guest net is the network attached to the guest interface.
The WAN net is the network attached to the WAN interface.
–> Not the internet.

–-> Not the internet :o , do you mean the ISP and where is it (meaning the internet) then connected to?

GruensFroeschli

The internet is mostly the inverse of RFC1918:
All subnets which are not private.
There are some other special cases like RFC3927 (169.254/16)
Take a look at https://en.wikipedia.org/wiki/IPv4#Special-use_addresses.

When you create a rule with as destination "WAN net" then it means exactly that:
The network between you and your ISP.
Generally not what you want.

When you mean "the internet", you usually mean "any".

kpa

The WAN network is the directly connected network segment that is reachable from the WAN interface via ARP (hosts that are in the same broadcast domain talk to each other with the assistance of ARP), that's the simplest way to put it. In other words connections to that network segment from the WAN interface on pfSense can be done without the assistance of the gateway (the default gateway of pfSense) on the WAN network.

You have to grasp what a connection means in internet terms. It's simply one or more IP packets sent from sending host to a destination address and the destination address in the IP packets (also source address if desired) is what pfSense uses for filtering. What is used as the transport (routers etc.) between the sending host and the destination address doesn't matter for the firewall rules, that information is not available for filtering on pfSense, all filtering is done based on the information available in the IP headers of the IP packets flowing trough the filtering engine.

Qinn

Aha, thanks to you both for explaining that to me, the concept WAN not being Internet was never clear to me.

Qinn

Back on topic, I still don't understand what is wrong (as I can't believe inverted rule are broken).
I added my rule set on the WLAN interface and have logging enabled first with the inverted rule enabled and the log file that confirms a user passing from WLAN to LAN (192.168.5.46 to 192.168.1.1), which I do not understand and to the best of my knowledge should be possible with the inverted rule enabled.
Then just as a check I disable the inverted rule and as you can see access to the LAN is blocked?

Again thanks for any help advise on this,

Cheers Qinn


Derelict

OK do this.

Replace that ! rule on WLAN with two rules:

One that blocks traffic from WLAN Net to LAN net

Followed by:

One that passes traffic from LAN WLAN net to any.

Does it work now?

Qinn

@Derelict:

OK do this.

Replace that ! rule on WLAN with two rules:

One that blocks traffic from WLAN Net to LAN net

Followed by:

One that passes traffic from LAN net to any.

Does it work now?

I think that were you wrote the pass from LAN, you meant it WLAN instead…
Well I did that any it works as it should, reading from the logs. To the best of my knowledge you replaced the inverted rule by 2 seperate rules and this works  :o


johnpoz

What is the actual lan net?  Lets see how you have that setup.. And what is the actual address of lan?

Please post all you rules with this command.

https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

So you have any vips setup?

Qinn

Thanks johnpoz, I will report back asap (later this evening).

johnpoz

Here.. My wlan is secured wifi network.  With a few wired hosts on it.. To get on the wireless you have to have a cert it uses eap-tls to auth.  Anyhow - so its a trusted network and I allow it do anything it wants so any any rule.

So the wlan network is 192.168.2/24 with pfsense being 192.168.2.253
Lan is 192.168.9/24 with pfsense having 192.168.9.253

So on a client on the wlan network you can see 192.168.2.11, with first set of rules I can ping pfsense lan IP at 192.168.9.253

I then change the any any rule to be ! lan net, as you can then see from 2nd ping that I can not get there with 11 lost packets when I try and ping.  So clearly you got something ODD going on there there.. A listing of your full rules when you have the ! lan net rule in play will help us track down what that oddness is.  Do you have any vips setup on wlan or lan?  Are you doing policy routing anywhere?  Do you have the disable neg rules set in advanced (firewall&nat)

Disable Negate rules
Disable Negate rule on policy routing rules With Multi-WAN it is generally desired to ensure traffic reaches directly connected networks and VPN networks when using policy routing. This can be disabled for special purposes but it requires manually creating rules for these networks.

Derelict

I think that were you wrote the pass from LAN, you meant it WLAN instead…

Yeah sorry.

To the best of my knowledge you replaced the inverted rule by 2 seperate rules and this works  :o

Amazing. Don't "block" traffic with inverted pass rules. Not sure how many times I have to say it. If it saves just one rule set it's worth it.