Restrictive rules on OPT1 with squid on LAN & OPT1

manslipkorn

Hi everybody,

I'm coming here because I've a problem I'm struggling with for few weeks now.

Here is my setup.

My pfsense is installed on a box that has 3 ethernet ports

• WAN = Simply goes to my ISP routeur (setup as DHCP, the IP is given by the routeur)
• LAN = goes to a switch where all my computers are plugged in (setup with static IP 192.168.0.1, and DHCP server giving addresses from 192.168.0.10 to 192.168.0.20)
• WIRELESS = goes to another switch that has access points for wireless devices (setup with static IP 10.0.0.1, and DHCP server giving addresses from 10.0.0.10 to 10.0.0.20)

My goal is to get access to everything from the LAN interface (all my computers), and block as much as I can on the wireless interface as it will be open (so anybody can connect through wireless to access internet).

Also, that pfsense box provides a transparant proxy for LAN & WIRELESS (different rules apply for LAN & WIRELESS with squidguard)

For security reasons, as you can imagine, I don't want the wireless computers to access ANYTHING on the LAN interface (also don't want them to access anything between wireless computers (windows share etc…)
But, I want the LAN interface to be able to access the WIRELESS interface (to setup the access points for example).

===================

Here are the rules I've setup for the WIRELESS interface.

Rule      Proto                  Source          Port  Destination    Port        Gateway  Comment

BLOCK      IPv4+6                  *                *      LAN net        *          *        (Block WIRELESS->LAN)
ALLOW      IPv4TCP/UDP            WIRELESS net    *      This Firewall  53 (DNS)    *        (Allow DNS request)
ALLOW      IPv4TCP/UDP            WIRELESS net    *      This Firewall  3128        *        (Allow proxy access to access HTTP)
ALLOW      IPv4TCP                WIRELESS net    *      *              443        *        (Allow HTTPS websites)

The problem I got with that setup is that for some reasons, some websites won't show up (not all, but somes).
When I look at the logs, the firewall bloqued requests to 192.168.0.1:443

I think it's related to the proxy as some pages might be cached in my pfsense box.

So, I changed the rules to :

Rule    Proto                  Source          Port  Destination    Port        Gateway  Comment

ALLOW    IPv4TCP                WIRELESS net    *      This Firewall  443 (HTTPS) *       
BLOCK    IPv4+6                *                *      LAN net        *          *        (Block WIRELESS->LAN)
ALLOW    IPv4TCP/UDP            WIRELESS net    *      This Firewall  53 (DNS)    *        (Allow DNS request)
ALLOW    IPv4TCP/UDP            WIRELESS net    *      This Firewall  3128        *        (Allow proxy access to access HTTP)
ALLOW    IPv4TCP                WIRELESS net    *      *              443        *        (Allow HTTPS websites)

Now, everything works fine.

BUT, there is a downside effect (that's why I'm here)

Anybody now connected to the WIRELESS interface can get access to the pfsense connexion page.
Even if it's protected with a password, I would like them not to be able to access that page.

Is there a way to achieve that goal with my setup?

Also, if you think I'm doing it wrong that way, have you got any idea how I could block as much as I can to the WIRELESS interface but let users have a basic internet access (http, https only)?

Please, let me know if you need more details about my setup.

Thanks A LOT in advanced as I'm struggling with that issue for a very long time now.

cmb

Where you're using Squid, its access controls have to be used to restrict what you don't want those clients to be able to reach. The firewall rules on the clients' interface in that case are only allowing traffic to the proxy, the proxy's config has to apply any restrictions on HTTP and HTTPS from there.

manslipkorn

Hello cmb, thank you very much for your very quick reply (and sorry by the way as I created that topic in the firewall forum's instead of the proxy's one).

So, I've tried to do what you told me, unfortunately, I can't make it to work as my pfsense box is setup to be used with HTTPS (and transparent proxy can only handle HTTP).
So, if i'm logged in on the wireless interface and type 192.168.0.1 in my address bar, it will redirect me to https://192.168.0.1 even if I ask squid to not allow that.

Also, sorry for that, my previous post isn't clear about my rules, so here is a screenshot (easier to see the rules i set up).

As you can see on that picture, I first block eveything to the LAN network. Then, it's OK, i cannot access https://192.168.0.1, but as a downside effect, websites don't show properly or take ages to load (I think it's because elements blocked by the proxy show a white pixel located on the pfsense box accessible through 192.168.0.1.

To make websites load properly I have to set it up that way.

But, the downside effect is that I can access the pfsense login page (and I don't want people I don't know connecting through WIFI to be able to access or see that page).

And, I think I finally find a workaround. It seems to work fine, but you guys might find a better way of doing it.

I just changed the block rule to LAN to reject like this:

Now, websites show normally (quickly as it should), and I cannot access my pfsense through the LAN IP 192.168.0.1 or pfsense.domain.com.
It seems that computers connected to the WIRELESS network are still able to access the login page though the WIRELESS gateway 10.0.0.1.
I'll look for a firewall rule.

Or, is there a way to tell pfsense to allow login only through the LAN interface and not any other one?

Also, what do you think of that firewall setup, does it look restrictive enough for you?
Is there an easier method of achieving the same goal?

Thanks a lot again for your help.
I'll let you know :)