Firewall directions
-
1 right
2 right, on the wan interface it's a hidden rule
3 yes
4 firewall WAN interface / Firewall - NAT - Port Forward -
@kiokoman Thank you for your patience, now it's fully understood. Very nice and self explanatory drawing haha.
Still...One or maybe few more things if you may :)-
Besides port forwarding which is very known, other reasons for allowing WAN to LAN would be having behind the pfSense firewall things like: Public server, Plex/Media server etc. ?
-
The only difference between LAN and other interfaces is that pfSense automatically adds the "LAN to any" rule, right?
-
In order to achieve isolated Interfaces/VLANS that has only Internet access but nothing else, I could create the rules you've posted above - Allowing IPv4 TCP from LAN net, but blocking all other IPv4*...right?
-
If I'm correct on 3 (above) then what rule should I add to allow all the interfaces to connect to an OpenVPN server on UDP? The same rule just UDP instead of TCP or maybe even add Alias of the VPN servers?
Thank you,
-
-
Besides port forwarding which is very known, other reasons for allowing WAN to LAN would be having behind the pfSense firewall things like: Public server, Plex/Media server etc. ?
Or having an additional interface like a DMZ that hosts servers/services to be exposed to the internet.
@techtester-m said in Firewall directions:
The only difference between LAN and other interfaces is that pfSense automatically adds the "LAN to any" rule, right?
Not exactly. LAN is special in having the default LAN any-any allow rule (to make it simply work "out of the box") AND having the possibility for an anti-lockout rule that also is special to LAN only. To disable that you've got to remove the checkbox under advanced settings as it's an otherwise non-deletable rule that simply allows access from LAN to pfSense web - and if you enable ssh - port(s).
In order to achieve isolated Interfaces/VLANS that has only Internet access but nothing else, I could create the rules you've posted above - Allowing IPv4 TCP from LAN net, but blocking all other IPv4*...right?
Nah. To achieve that, you'd have to to like 3-4 rules. As an example let's create a "guest" network on OPT1, so you'd have to do
-
allow DNS/NTP from opt1_net (or guest_net whatever you called it) to connect to pfSense (to use ntpd or DNS resolver/forwarder)
-> allow udp/53 from opt1_net to opt1_addresss -
create an Alias like "RFC1918" or "private networks" and add all RFC1918 private networks to it: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
-
deny all clients on OPT to access any other private network (potential other LANs you create within a private network range)
-> reject any from opt1_net to <RFC1918> -
allow any client anything else (-> public internet space).
-> allow any from opt1_net to any
With blocking private IP space before and only allowing DNS/NTP to the firewall your clients on OPT1 get an IP via DHCP, can use DNS resolver and use NTPd for time services and can surf, ping, use the internet at will. Of course you could limit that further by only allowing e.g. tcp/443 instead of any in step 4 but that would be a bit "limited". Other possibilities are using the captive portal or other features ;)
-
-
@JeGr said in Firewall directions:
Nah. To achieve that, you'd have to to like 3-4 rules. As an example let's create a "guest" network on OPT1, so you'd have to do...
That's exactly what I had before but then I saw the example above and got confused...I guess each and his own. There's more than one way to achieve the same.
What about an OpenVPN client with address like: 10.x.x.x? This would just be the gateway and won't be affected these rules, right?
Thank you very much for the your help!
-
if you configure openvpn on the firewall you will find yourself with a new OpenVPN tab
where you will enter the rules following the same principle -
@kiokoman said in Firewall directions:
if you configure openvpn on the firewall you will find yourself with a new OpenVPN tab
where you will enter the rules following the same principleI've been using multiple OpenVPN servers for months now and never added any rule to their tabs, but I was connected through the LAN which has the default allow LAN to any rule. With the other Interfaces/VLANs, wouldn't I need to add rules under their tab only? Why to even touch the OpenVPN tab?
-
did you configure the openvpn on pfsense or under some pc/server you have on your lan ?
-
I configured an OpenVPN client on pfSense. In this case NordVPN.
I think I'll just create the rules I want and post a screenshot here. Then we'll proceed.
Thanks man,
-
then a client is not a server
as we said before you are able to enter that interface because the default rule for LAN interface is to allow all
the OpenVPN tab for you is like another WAN
openvpn is another monster that have different implementation -
Yeah...My bad. When I wrote VPN "Servers" I meant my OpenVPN clients, which in turn connect to an actual VPN server haha.
@kiokoman said in Firewall directions:
you are able to enter that interface because the default rule for LAN interface is to allow all
And what about allowing all the VLANs to use the OpenVPN client as well? Their RFC1918/IPv4* blocking rule won't affect it? The local virtual addressed of these VPNs are 10.x.x.x which fall under RFC1918......I thought I understand pfSense and firewall and everything is actually working, but the deeper I dig I get a headache LOL...
-
of course, if you want another interface to be able to use the vpn interface you need to create a rule that permit that.
RFC1918/IPv4* blocking rule inside an interface like OPT1/OPT2 etc will prevent it but you just need a previus rule like
"permit OPT1 net destinatio OpenVPN" before "block OPT1 net destination RFC1918". first rule win ! -
@kiokoman That's what I thought. Thanks a bunch!
-
@JeGr said in Firewall directions:
allow DNS/NTP from opt1_net
It's either or? Or should I allow both of them UDP/53, UDP/123?
-
i think it was just an example,
port 53 is for DNS (domain name system) pretty much mandatory if you want to resolv dns and surf the web
port 123 is for NTP (Network time protocol) useful but not mandatory, it's needed to sync the clock
that said the minimum port to be able to surf the web are udp/tcp 53 for dns tcp 80 for http and tcp 443 for https -
What about the VPN Group shown in the screenshot? I think that adding "Allow PCS_VLAN to OpenVPN(1194)" won't be enough, since the VPN clients' gateways are in the range of RFC1918 - 10.x.x.x.
What rule(s) exactly should I add in order for this VLAN to be: isolated from other interfaces, have internet access and connect to the internet via the VPN_Group (NO_WAN_EGRESS)?
-
that rule probably won't work,
you just need to put it before the block -
@kiokoman said in Firewall directions:
you just need to put it before the block
Put what rule? I'm already confused here man...you'd have to be more specific. Sorry :)
-
bs
-
@kiokoman I thought that's what you meant but wouldn't that make the blocking rule useless, since we allow everything else here? See @JeGr answer above. Or perhaps that's not the case because it's setup to use the VPN gateway instead of the default one?
The more I ask, the more I get confused which has never happened to me before in my life LOL...gotta read the pfSense book a little, when having the chance haha...
-
after 9 hours of work you should understand that my brain is telling me bs now
you are right i make a mistake, i was not seeing the tab and i was confusedbut you probably need a new rule that permit traffic from PCS_VLAN net with destinaton OpenVPN net before the block
but right now, i confess i'm tired, maybe try and tell us if it work or not