Order of firewall rules to access remote subnet over VPN?

  • Hi all,

    I have 7 vmnics setup in pfSense running under ESXi 6.0. Each vmnic is assigned to a client and I segregate traffic between each of the vmnic by means of firewall rules.

    I currently have multiple Network Aliases setup that include the subnets I want to prevent traffic flowing between with the exception of the subnet I applied the rule to.
    I came to understand recently that while this approach might work, it may have been unnecessary and resulted in the creation of a lot of aliases as you can see:

    I watched Jim Pingles DMZ webcast recently and learned that there may be a better way of preventing traffic from communicating with other subnets by way of creating a single Network Alias that includes the RFC1918 addresses, so I created that and applied a 'reject all' rule to one of my clients subnets and removed the previously applied block rule so now there's only one 'block all' rule which looks like this:

    I'm unsure as to the ordering of the firewall rules because for this particular client, in the screenshot above, I need to be able to communicate with two subnets which lie in a remote network over an IPSec site-site VPN.  The remote subnets are in the RFC1918 space too ( and respectively).  If I order the 'Block RFC1918' rule to be at the top of the list I am unable to ping the remote subnets over the VPN.  When I move that rule to the bottom of the list I can ping the remote subnets.  Doesn't this, however, completely defeat the purpose of the 'Block RFC1918' rule?

    How can I effectively ensure, by means of rules, that I can block traffic between vmnics so that client systems cannot see one another but still allow access to remote subnets over IPSec site-site VPN's?

  • LAYER 8 Global Moderator

    You create a rule(s) that allow the traffic you want to your specific rfc1918 addresses/networks, you then have the block all rfc1918 rule and then you have your allow any.

    Rules are top down, first rule wins..

  • @johnpoz:

    You create a rule(s) that allow the traffic you want to your specific rfc1918 addresses/networks, you then have the block all rfc1918 rule and then you have your allow any.

    Rules are top down, first rule wins..

    In my second picture above, though, doesn't that rule order nullify the last rule?  I don't understand, it's allowing all, then it's denying all.  Surely that defeats the point of prevening hosts on this network from communicating with hosts on another network?

  • LAYER 8 Global Moderator

    first rule wins… Your first rule is any any allow..  So when would it ever look at your 2nd rule??

    Create a rule that allows the traffic you want.. use dest whatever network you want to allow. Create an alias and put your 2 networks in there if you want..
    Next rule is block anything to rfc1918..
    3rd rule any any..

    So if you want to go to say internet lets look at the rules.  Is it to that specific dest network, no then skip that rule it does not fire
    Is the dest to a rfc1918 address, no then skip.
    Oh last rule - yeah allow..

    Lets say your traffic is to some other rfc1918 address that is NOT in your allow rule at the top.

    Does not match first rule skip it
    2nd rule oh well its rfc1918 BLOCK..
    3rd rule - never gets here already been blocked.

    Just run through your rules top down with the sort of traffic your wanting to allow or block and as you move down the rules evaluate would that rule trigger or be skipped?  If triggered than that action is performed, allow, block, reject..  Once a rule triggers it stops looking at the rest of the rules.  If no rules trigger then it hits the last rule that is not actually shown which is block any any..

  • So if I order the 'Block RFC1918' rule at the top of the list it's first default order of operation would be to block any traffic destined to any RFC1918 address (with the exception of it's own subnet if I understand correctly?), but then how would I allow traffic to flow to a remote subnet that is only accessible over a VPN?

    In one example Client A uses the subnet behind pfSense but also uses a and network at a remote office.  If I position the 'Block RFC1918' rule at the top then it's going to block traffic to those remote networks.

  • LAYER 8 Global Moderator

    dude what are you not getting here???

    First rule allow the dest of the networks/vlans you want that are in your rfc1918 space.  The ones on the other side of your vpn tunnel.

    Then your block rule to your rf1918 alias

    Then a any any allow..

    As to traffic on the same network/vlan - when would that ever hit pfsense..  Traffic local to a network doesn't ever go to pfsense.. Pfsense as a router/gateway is only ever talked to get OFF the local network..

    Here lets walk thru rules on my wlan (wifi) network..  Devices on this network are mine that support auth via eap-tls..  This network is

    So first 2 rules allows devices on wlan net to ping pfsense IP both its ipv4 and ipv6 address.

    3rd rule allow my IP of my ipad which always gets IP adddress to do anything it wants, its an any any rule, it can talk to any device on any of my other ipv4 networks, out any vpn connection, talk to remote vpn clients, etc. etc.. If its my IPad it would never get past this any any rule.. Since anything my ipad would be trying to do would be allowed by this rule.. So to the ipad the rest of the rules are meaningless. I don't care to let my ipad via ipv6 do anything with IPv6 etc. etc. which is why this rule is only ipv4.  I might change it at some point.. But currently doesn't matter.. I could for sure lock this down more, but you have to auth via eap-tls to even get on this network.  This is my ipad nobody else uses it, etc.  So to make my life easier I don't have to worry that something I want to do with it might be blocked, etc.

    4th rule allows anything on wlan net to talk to my plex server that is on my lan network (192.168.9/24) on tcp port 32400.  Say my wifes laptop, our phones when using wifi, etc.

    5th and 6th rules allow access to my harmony remote hub and my directv dvr - I have not locked these rules down to ports yet or locked them to any specific source IPs on the wlan net..  I keep meaning to lock them down farther..  Not even sure if they are ever needed.. But this allows say my phone to hit my harmony hub or directv dvr via ios apps on the phone, etc..

    7th I then allow any device on wlan net to talk ntp to my ntp servers that are both on my lan network.

    8th I then allow devices be ipv4 or ipv6 on wlan net to ask pfsense for dns.

    9th I allow my wifi aps, that are on the wlan network (I have 3 of them and their ips are in that alias) to talk to pfsense for radius auth on udp 1812.

    10th rule anything else coming from this network that tries to talk to any other IP on pfsense, be it another lan IP be it wan IP v4 or v6, etc.. is rejected and logged.. So for example if one of my AP tried to talk to pfsense any IP at all say on ssh (22) it would be rejected and logged by this rule.

    11th this all devices on wlan network to go to anything else that is "NOT" rf1918, so this rules allow access to internet, but prevents access to any of my other networks or any vpn remote users, etc..  If its a rfc1918 address if not allowed or already blocked would be blocked by this rule.. Since only NON rfc1918 address are allowed.

    12 and final rule is the same as 11th rule but blocks all access to any of my other IPv6 networks.. I have a /48 and /64 from HE via tunnel.  So this rules say hey you want to go to some IPv6 address, as long as its not any of my network your allowed.

    If some traffic gets all the way through these rules and does not trigger any rule then it would hit the default deny and be blocked..

    I use source network of the wlan network just to make it clear what interface and what networks our on this segment.  Pfsense would never see traffic from anything other than wlan network (192.168.2/24) but this makes the rules precise and easy to read, and if by off chance there was a downstream router connected here and had some other network say for example 192.168.14/24 or something it would not be allowed by any of the allow rules since they are locked to wlan net as source or specific IPs on the wlan net.

    Give me the networks you would like to allow traffic too and I will post up example using those networks.

  • John,

    for that Plex rule,  do you need a corresponding rule on the subnet where Plex is or does that one rule take care of everything?

  • LAYER 8 Global Moderator

    Pfsense is a stateful firewall, no you do not need a corresponding rule on the return traffic interface..

    You only need rules on where the traffic will enter pfsense.. Do you need rules on your wan to allow websites to answer? ;)

  • thanks John, as always!

Log in to reply