    Trouble with firewall rules for IOT network

danb35:

      I'm wanting to set up a separate network for my IoT devices, since security with those is pretty much a dumpster fire and there isn't much I can do about that. I'm trying to follow the general process described in this video, but since he's using an EdgeRouter and I'm (of course) using pfSense, the firewall rules don't translate exactly. However, the configuration described here in the pfSense docs seems to accomplish the same thing. For now, I want devices on this network to have full access to the Internet, but only very limited access to my other LAN resources (and I haven't even gotten to adding those rules yet).

      I've set up the separate IoT VLAN in pfSense, in my Dell managed switches, and in my Unifi network. I can connect wireless clients to that VLAN and they're issued IPs in the appropriate range from the pfSense server; I can plug wired devices into a dedicated port on the switch and they're assigned the same. Devices on that network can ping the gateway, they can resolve hostnames, but they can't reach the outside network--pings time out, as does attempted browsing. Here are the rules I'm using:
[screenshot: firewall rules on the IoT interface]

      Curiously, I can see a few states on the last rule, which would suggest to me that some traffic is getting through--but as far as I can tell, it isn't. What am I missing, or where else should I be looking?

johnpoz (LAYER 8 Global Moderator):

you sure as hell do not need that 67 dhcp rule.. When you enable dhcpd on an interface pfSense will auto add the rules needed for dhcpd to run.. They will not be listed in the gui, but they are there.. you can view them by viewing all rules

        https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html

Did you mess with the default outbound nat rules which should be automatic.. If you changed that you're going to have issues unless you create the correct outbound rules. Also are you running any sort of vpn client that pulls routes?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

danb35:

          @johnpoz said in Trouble with firewall rules for IOT network:

you sure as hell do not need that 67 dhcp rule.

          OK, easy enough to delete that.

          Did you mess with the default outbound nat rules which should be automatic.

          I hadn't thought so, but this suggests otherwise:
[screenshot: outbound NAT mappings, mode set to manual]

          I am running an IP PBX behind the firewall, which is what the first mapping is for. I couldn't say about the others. The 1.0 network is my primary LAN, while 3.0 is the OpenVPN network. The IoT network is 107.0, and isn't listed there--I'm guessing that's the source of my problem.

          Which would be better: to add a set of rules matching the ones already there for 1.0, or to set the mode to "hybrid" (which I'd guess would generate those rules automatically)?

          Also are you running any sort of vpn client that pulls routes?

          No VPN client on the pfSense box. I run an OpenVPN server for remote access to my network.

johnpoz (LAYER 8 Global Moderator):

            @danb35 said in Trouble with firewall rules for IOT network:

            The IoT network is 107.0, and isn't listed there--I'm guessing that's the source of my problem.

            Yup there is almost never a reason to change from auto to manual.. Hybrid sometimes makes sense.. Switch it to auto and you should be fine.

            If you need to do something with your pbx, then just use hybrid and add that rule.

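As an added example (not from this thread, and not pfSense's own code): a small checker that reads the `nat on` lines of a pf outbound ruleset, as shown by the "view full ruleset" page linked earlier, and reports which internal networks have no catch-all outbound NAT source. That is the gap danb35 hit once outbound NAT was in manual mode with no mapping for the IoT subnet. The subnets, interface name, PBX host and public address below are constructed assumptions standing in for the thread's "1.0", "3.0" and "107.0" networks.

```python
import ipaddress
import re

# Constructed sample of a pf outbound NAT ruleset in *manual* mode (assumed
# addresses; pfSense emits one port-500 static-port rule plus a general rule
# per mapped network, and this ruleset lacks both for the IoT subnet).
NAT_RULES = """
nat on em0 inet from 192.168.1.50 to any port = 5060 -> 203.0.113.10 static-port
nat on em0 inet from 192.168.1.0/24 to any port = 500 -> 203.0.113.10 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10
nat on em0 inet from 192.168.3.0/24 to any port = 500 -> 203.0.113.10 static-port
nat on em0 inet from 192.168.3.0/24 to any -> 203.0.113.10
"""

# Internal networks that are expected to reach the Internet (constructed).
INTERNAL_NETS = {
    "LAN": "192.168.1.0/24",
    "OpenVPN": "192.168.3.0/24",
    "IoT": "192.168.107.0/24",
}

# Source network, destination, and an optional port restriction.
SRC_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+\S+(?:\s+port\s+(\S+))?")


def nat_sources(ruleset: str):
    """Yield (source network, port-or-None) for every 'nat on' rule."""
    for line in ruleset.splitlines():
        if not line.strip().startswith("nat on"):
            continue
        m = SRC_RE.search(line)
        if m:
            yield ipaddress.ip_network(m.group(1), strict=False), m.group(2)


def uncovered_networks(ruleset: str, internal: dict) -> list:
    """Names of internal networks with no general outbound NAT rule.

    A rule covers a network only if its source contains the whole network
    and it carries no port restriction (the PBX and port-500 rules alone
    would not let ordinary traffic out)."""
    general = [net for net, port in nat_sources(ruleset) if port is None]
    missing = []
    for name, cidr in internal.items():
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(src) for src in general
                   if src.version == net.version):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("networks without outbound NAT:", uncovered_networks(NAT_RULES, INTERNAL_NETS))
```

Feeding it the actual output of `pfctl -sn` from the box would show the same result; switching the mode back to automatic (or hybrid) is what adds the missing mapping.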
danb35:

              Switch it to auto and you should be fine.

              That's got the IoT network working, thanks--it'll take a little checking to make sure that trunk still works for the PBX, but if not I'll set it to Hybrid and add that rule. Thanks!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.