Netgate Discussion Forum

    Print from OPT1 to LAN printer

    Problems Installing or Upgrading pfSense Software
    33 Posts 3 Posters 4.8k Views

      johnpoz LAYER 8 Global Moderator

      All of those rules between anti-lockout and your rfc1918 are kind of pointless.. Other than just allowing access to pfsense lan address.. I wouldn't write them that way, I would set them to just being the lan address, since your rule below your rfc1918 rule allows all of those anyway to everything else.

      And it's kind of rare to want to block your lan from talking to your other vlans, normally lan is your most trusted and open network.. While I get blocking your other vlans from talking to it.. Normally lan is allowed to really go where it wants.

      Thought you wanted your lan to be able to talk to opt? Do you just want it to be able to talk to 53,80 and 443 on opt?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        5cub4f1y

        Ok. I was following the Netgate Doc page https://docs.netgate.com/pfsense/en/latest/config/example-basic-configuration.html under Basic Firewall Configuration Example/ "Setup isolating LAN and DMZ, each with unrestricted internet access" (I am assuming DMZ is OPT1?). I do want the LAN to be able to access anything on OPT1. Which rule is blocking that? Or is it an ALLOW rule that needs to be added?

          johnpoz LAYER 8 Global Moderator

          The rule that rejects all rfc1918 (I assume you created an alias with all the rfc1918 networks in it) would block access to your opt network, which I assume is rfc1918 ;)

          So as the rules are currently written you would only be able to access ports 53,80 and 443 on opt network, since right under that you block all access to any rfc1918 address.


            5cub4f1y

            Ok got it. I thought maybe I was misunderstanding what the rule was for, because it did look to me like it was blocking LAN from seeing OPT1, but the Netgate docs said to add that rule....I just removed it.

              johnpoz LAYER 8 Global Moderator

              With that rule removed, then all your other rules are pointless between the anti lockout and your any any. So why have them if they don't do anything?

              To work out what rules you need, just come up with your traffic pattern.

              say 10.10.10.X wanting to talk to IP:port

              Now walk down your rules - is it allowed, or blocked? In your case the last rule would allow it, and no other rule above that would block it - so its allowed.


                5cub4f1y

                Ok so the rules filter DOWN...as in, if the bottom rule allows EVERYTHING, then that overrides any rules above it that allow or deny anything? So If I did want to block something, then I need to have the Allow any/any as the very top rule (under the anti-lockout)?

                  johnpoz LAYER 8 Global Moderator

                  @johnpoz said in Print from OPT1 to LAN printer:

                  Rules are evaluated top down, as traffic enters an interface, first rule to match wins, no other rules evaluated.

                  Yup.. as I already stated ;) and is in the docs on how rules are evaluated, etc.
                  https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html

                  So If I did want to block something, then I need to have the Allow any/any as the very top rule (under the anti-lockout)?

                  Not always.. Maybe you want to log something specific, say you wanted to log when something on the lan accesses your plex server sitting on opt.. Then you could put a rule above the any any that logs that specific traffic.

                  Or maybe you want to policy route some specific traffic out a specific gateway, which again you would put above your any any, etc. Or maybe you wanted to mark some specific traffic, or maybe you wanted to redirect something.. There are more things to do with rules than just allow or block.


                    5cub4f1y

                    But if I put the Allow any any above any blocking rules, then wouldn't the firewall see that I have allowed anything and not go any further?

                        johnpoz LAYER 8 Global Moderator

                        Yes.. I never said anything about putting block rules below your any.. Block rules would need to be above a rule that allows any..


                          5cub4f1y @johnpoz

                          @johnpoz said in Print from OPT1 to LAN printer:

                          In your case the last rule would allow it, and no other rule above that would block it - so its allowed.

                          This is what confused me. I see that and think that because the any any is on the bottom, everything above it is ignored..

                            johnpoz LAYER 8 Global Moderator

                            You didn't have any block rules - you only had allow rules!!

                            Dude... This is not difficult... Come up with your traffic pattern that you want to do something with.. Now walk down your rules top to bottom.. What rule triggers? On that traffic pattern - that is what happens... Once you hit a rule that matches, stop looking at any other rules.

                            If you get to the bottom and no rules match, then it would be blocked! Default Deny, if a rule does not allow it.

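The "walk down your rules" method johnpoz describes (top down, first match wins, anything that reaches the bottom unmatched is dropped by the default deny) is easy to mechanise. The following is an added example, not code from the thread or from pfSense itself: a small rule walker that encodes the LAN ruleset as the original poster first had it (with the copied "reject RFC1918" rule above the pass-any), the LAN ruleset after that rule was removed, and an OPT1 ruleset that reaches the internet but only the printer on LAN. Every network, host address and port in it (10.10.10.0/24 as LAN, 10.10.20.0/24 as OPT1, the printer at 10.10.10.50, port 9100 for printing) is assumed for illustration, and the anti-lockout rule is simplified to "LAN hosts may reach the firewall's LAN address on 22, 80 and 443".

```python
"""Walk a pfSense-style interface ruleset top-down for one traffic pattern.

Added example (not from the forum thread or pfSense): rules are evaluated in
order as traffic enters an interface, the first match wins, and a packet that
matches nothing is blocked (default deny). All addressing below is assumed.
"""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed addressing for the example (not taken from the thread).
LAN_NET, LAN_ADDR, PRINTER = "10.10.10.0/24", "10.10.10.1", "10.10.10.50"
OPT1_NET, OPT1_ADDR = "10.10.20.0/24", "10.10.20.1"


@dataclass
class Rule:
    action: str      # "pass", "block" or "reject"
    src: str         # network/host, or "any"
    dst: str         # network/host, "any", or the "rfc1918" alias
    name: str
    dports: frozenset = field(default_factory=frozenset)  # empty = any port


def _matches(spec, ip):
    """Does one address match a rule's source/destination spec?"""
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, dst, dport):
    """Return (action, rule name) for the first matching rule, else default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (_matches(rule.src, s) and _matches(rule.dst, d)
                and (not rule.dports or dport in rule.dports)):
            return rule.action, rule.name        # first match wins, stop here
    return "block", "default deny"               # fell off the bottom


def shadowed(rules):
    """Names of rules that can never match because a 'pass any to any' sits above them."""
    for i, rule in enumerate(rules):
        if rule.src == "any" and rule.dst == "any" and not rule.dports:
            return [r.name for r in rules[i + 1:]]
    return []


# Simplified anti-lockout: LAN hosts may always reach the firewall's LAN
# address on the GUI and SSH ports.
ANTI_LOCKOUT = Rule("pass", LAN_NET, LAN_ADDR, "anti-lockout", frozenset({22, 80, 443}))

# The LAN ruleset as the thread started: the "reject RFC1918" rule copied from
# the doc example sits above the pass-any and so blocks LAN -> OPT1 traffic
# that the 53/80/443 rule above it does not cover.
LAN_ORIGINAL = [
    ANTI_LOCKOUT,
    Rule("pass", LAN_NET, OPT1_NET, "LAN to OPT1 dns/web", frozenset({53, 80, 443})),
    Rule("reject", LAN_NET, "rfc1918", "reject rfc1918"),
    Rule("pass", LAN_NET, "any", "LAN allow any"),
]

# With that rule removed, the specific pass rules add nothing the pass-any
# would not do, so the LAN ends up with just these two.
LAN_FIXED = [ANTI_LOCKOUT, Rule("pass", LAN_NET, "any", "LAN allow any")]

# OPT1: internet yes, LAN no, except the printer. Block/reject rules must sit
# above the pass-any or they are never reached. The DNS rule assumes OPT1
# clients use the firewall's own OPT1 address as resolver.
OPT1 = [
    Rule("pass", OPT1_NET, OPT1_ADDR, "OPT1 dns to firewall", frozenset({53})),
    Rule("pass", OPT1_NET, PRINTER, "OPT1 to LAN printer"),
    Rule("reject", OPT1_NET, "rfc1918", "reject rfc1918"),
    Rule("any", "any", "any", "placeholder"),  # replaced below
][:3] + [Rule("pass", "any", "any", "OPT1 allow any")]

# The ordering mistake asked about in the thread: pass-any placed first.
OPT1_WRONG_ORDER = [OPT1[3], OPT1[2]]


if __name__ == "__main__":
    cases = [
        ("LAN original, print to OPT1 host", LAN_ORIGINAL, ("10.10.10.20", "10.10.20.40", 9100)),
        ("LAN fixed, same pattern", LAN_FIXED, ("10.10.10.20", "10.10.20.40", 9100)),
        ("OPT1 to printer", OPT1, ("10.10.20.30", PRINTER, 9100)),
        ("OPT1 to other LAN host", OPT1, ("10.10.20.30", "10.10.10.20", 445)),
        ("OPT1 to internet", OPT1, ("10.10.20.30", "203.0.113.10", 443)),
    ]
    for label, rules, pattern in cases:
        print(f"{label}: {evaluate(rules, *pattern)}")
    print("unreachable when pass-any is first:", shadowed(OPT1_WRONG_ORDER))
```

Running the script walks each pattern exactly as the post says: printing from LAN to an OPT1 host is rejected by the RFC1918 rule in the original LAN set, passes in the fixed set, and on OPT1 only the printer and non-RFC1918 destinations get through. `shadowed()` catches the ordering the original poster asked about: once a pass-any rule is on top, every rule under it is dead.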
                              5cub4f1y

                              Got it. So should the LAN have any blocking on it at all? Or just basically have the anti-lockout, and the allow any/any. (I am talking about my network only, where I want the LAN to be able to access anything on OPT1, and the internet..and anything on OPT1 to access the internet, but only the printer on LAN)

                                johnpoz LAYER 8 Global Moderator

                                @5cub4f1y said in Print from OPT1 to LAN printer:

                                Got it. So should the LAN have any blocking on it at all? Or just basically have the anti-lockout, and the allow any/any

                                Depends - do you want to block your lan from doing anything? Here are my lan rules

                                mylanrules.png

                                I split the IPv4 and IPv6 because sometimes I might block IPv6, etc.


                                  5cub4f1y

                                  No. Not that I can think of. Since I control all the devices on LAN (patch management, security updates etc...) I am not as worried about vulnerabilities as I am with everything else on OPT1

                                    johnpoz LAYER 8 Global Moderator

                                    If you have questions if your rules will do what you want.. Just come up with the example traffic pattern of what you want to do something with, and just walk down the rules to see what will happen.


                                      5cub4f1y @johnpoz

                                      @johnpoz Ah thank you. Thats what I now have.

                                        akuma1x @5cub4f1y

                                        @5cub4f1y said in Print from OPT1 to LAN printer:

                                        @johnpoz Ah thank you. Thats what I now have.

                                        Let's see, let's see!

                                          5cub4f1y

                                          LAN

                                          Annotation 2020-08-24 170730.png

                                          OPT1 I'm still figuring out, following the logic to see if these rules will do what I want them to do. Which is essentially NOT allowing OPT1 to access anything on LAN, except the printer. Still looks like this...

                                          Annotation 2020-08-24 170938.png

                                            akuma1x @5cub4f1y

                                            @5cub4f1y Yep, those rules look good. You might need a port number on rule number 3 on your OPT1 network, but probably not. Can you print something thru this rule, does it work?

                                            Jeff

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.