Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Best practice to block traffic between local interfaces

    Scheduled Pinned Locked Moved Firewalling
    4 Posts 2 Posters 485 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • junicastJ Offline
      junicast
      last edited by junicast

      Hi,

      we have a Fortigate Firewall we will be replacing with pfSense 2.4.4.
      The system will have plenty of local networks seperated via VLAN tagging.
      Some of those local interfaces shall get access to the Internet, too.
      By placing a rule that allows traffic to the Internet, traffic to all the other local nets is also permitted, right?

      We do not only use IPv4 but also IPv6 so every local net has RFC1918 addresses but also a public IPv6 prefix.

      What is the best practice for firewall rules for interfaces that need access to the Internet but shall not route between the local nets? I don't want rules like that, because that would mean too much work
      netA -> netB block
      netA -> netC block
      netA -> netD block
      etc.
      <--->
      netB -> netA block
      netB -> netC block
      netB-> netD block
      etc.
      <--->
      etc.
      Wouldn't it be much easier if the default rule that allows access to the Internet would contain a definition about an outgoing interface? In this scenario one would not have to define any extra rule to block traffic between local interfaces.

      NogBadTheBadN 1 Reply Last reply Reply Quote 0
      • NogBadTheBadN Offline
        NogBadTheBad @junicast
        last edited by NogBadTheBad

        @pmisch

        No not everyone wants to block inter subnet traffic.

        Create an alias with all your IPv6 subnets in and also add the rfc1918 subnets.

        Use the alias in a rule to block LAN net to the alias.

        Then create a rule under the above rule to pass LAN net to any.

        If you want any specific subnet to another subnet create a pass rule above the block rule.

        If you had a bunch of interfaces that were internet only you could create an interface group, but check out how the user rule processing works.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        junicastJ 1 Reply Last reply Reply Quote 0
        • junicastJ Offline
          junicast @NogBadTheBad
          last edited by

          @NogBadTheBad said in Best practice to block traffic between local interfaces:

          @pmisch
          No not everyone wants to block inter subnet traffic.

          You could make it optional to choose an outgoing interface. I'm just a bit confused that it's not even possible for a rule to select an outgoing interface. Is there a reason for that?

          Create an alias with all your IPv6 subnets in and also add the rfc1918 subnets.
          Use the alias in a rule to block LAN net to the alias.
          Then create a rule under the above rule to pass LAN net to any.
          If you want any specific subnet to another subnet create a pass rule above the block rule.

          Thank you. That's what I will do.

          1 Reply Last reply Reply Quote 0
          • NogBadTheBadN Offline
            NogBadTheBad
            last edited by

            Something like this:-

            Screenshot 2019-11-15 at 10.28.31.png

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            1 Reply Last reply Reply Quote 1
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.