Netgate Discussion Forum
    Dedicated management port for pfSense

    General pfSense Questions
    10 Posts 5 Posters 10.3k Views
      borisnet

      Hi all,

      I was wondering if there is a way to dedicate an interface to be a management interface in its own VRF, like what quite a few appliances/routers etc. are doing today.
      The values are:

      • management traffic stays within the VRF
      • you can have a default GW to an OOB network
      • the traffic processed by pfSense over other interfaces in the default routing table would never reach the management VRF and you don't need to maintain a policy to protect access to pfSense management.

      The problems are:

      • I would expect the pfSense GUI would have to be VRF aware and be able to control interfaces outside this VRF - it is definitely not available today
      • I was thinking about a workaround by leveraging setfib in FreeBSD, but again, I am not sure how much can be done outside the GUI when it comes to this kind of fundamental.

      Has anybody looked at something like that in the past?

      Thanks.

        Harvy66

        A quick glance at the Wiki about VRF and it has nothing to do with interfaces, just routing. Is there a reason why you want to route the management interface differently? Routing is not a security feature. Using routing to implement security is just asking for trouble.

        If you want to make a secure interface, either have a dedicated physical interface or use a VLAN, then use the firewall to block all other interfaces from accessing pfSense directly. Firewalls add security.

        If I am making some bad assumptions, someone please correct me. I am not familiar with VRFs.

          SoulChild

          Well, it's pretty common for network devices to be managed in a separate network, even separated routing-wise.

          This ensures that compromised end-services can't reach all management network functions in a routed environment.

          Basically, your control interface should be separated from your functional data-path, ideally.

            borisnet

            @Harvy66:

            Using routing to implement security is just asking for trouble.

            It is not implementing security per se, it is just enforcing a very strong separation to keep the management interface totally isolated from the operation of the firewall itself.

            @Harvy66:

            If I am making some bad assumptions, someone please correct me. I am not familiar with VRFs.

            SoulChild provided you with a nice justification which matches exactly what I am trying to do.

              JeGr LAYER 8 Moderator

              I think the closest you'll come with pfSense at the moment is using a dedicated management NIC or VLAN as "LAN" while installing pfSense, so it ensures the anti-lockout rules etc. are only enforced (when selected) on that mgmt interface. On all other NICs, don't allow access to the firewall per se, or explicitly block it with a floating rule from anywhere other than mgmt.

              That doesn't isolate the mgmt interface routing-wise though. This option would indeed be nice to have, as otherwise it can happen that one creates asymmetric routing for devices that reside on the mgmt network but are routed OOB via another gateway.

              Something like VRF or even ASA-like security contexts would certainly be nice to have.

              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
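The rule ordering JeGr describes above (anti-lockout on the management interface, a floating block for firewall access from everywhere else) hinges on one pf detail: a floating block rule only wins if it is marked "quick" (pfSense's "Apply the action immediately on match"), because pf otherwise lets the last matching rule decide, and the permissive per-interface rules that pfSense generates are all quick and evaluated after the floating ones. The following is an added example, not code from the thread or from pfSense, that models that evaluation order on constructed sample traffic. The interface names (MGMT, LAN, OPT1, WAN), the addresses and the port set are assumptions; the `self` destination mirrors pfSense's "This Firewall (self)" choice, which covers every address the firewall holds, not just the address on the interface the packet arrives on.

```python
import ipaddress

# Constructed addressing for the example: MGMT is the dedicated management NIC/VLAN
# (the interface JeGr suggests installing as "LAN"); LAN and OPT1 carry users/servers.
SELF = {ipaddress.ip_address(a) for a in
        ("10.99.0.1", "192.168.0.1", "192.168.10.1", "203.0.113.2")}  # every firewall address
ANTI_LOCKOUT_PORTS = {22, 80, 443}        # SSH plus the web GUI, as the anti-lockout rule opens


def rule(action, ifaces=None, dst=None, dport=None, quick=False):
    """ifaces None = floating rule on any interface; dst 'self' = any firewall address."""
    return {"action": action, "ifaces": ifaces, "dst": dst, "dport": dport, "quick": quick}


def packet(iface, src, dst, dport):
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}


def matches(r, pkt):
    if r["ifaces"] is not None and pkt["iface"] not in r["ifaces"]:
        return False
    if r["dst"] == "self" and pkt["dst"] not in SELF:
        return False
    if r["dport"] is not None and pkt["dport"] not in r["dport"]:
        return False
    return True


def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins unless a matching rule is 'quick',
    which ends evaluation there. pfSense evaluates floating rules before the
    per-interface tabs and makes every per-interface rule quick."""
    decision = "block"                      # implicit default deny
    for r in rules:
        if matches(r, pkt):
            decision = r["action"]
            if r["quick"]:
                break
    return decision


def ruleset(floating_quick):
    """Floating block of firewall-self traffic on every non-management interface,
    followed by the usual interface tabs. floating_quick mirrors the
    'Apply the action immediately on match' checkbox on the floating rule."""
    return [
        rule("block", ifaces={"LAN", "OPT1", "WAN"}, dst="self", quick=floating_quick),
        rule("pass", ifaces={"MGMT"}, dst="self", dport=ANTI_LOCKOUT_PORTS, quick=True),  # anti-lockout
        rule("pass", ifaces={"LAN"}, quick=True),     # default "LAN to any" rule
        rule("pass", ifaces={"OPT1"}, quick=True),    # permissive OPT1 tab
    ]


# Constructed sample traffic (labels are used by the output and by tests).
PACKETS = {
    "LAN host -> GUI on LAN address":  packet("LAN", "192.168.0.50", "192.168.0.1", 443),
    "LAN host -> SSH on MGMT address": packet("LAN", "192.168.0.50", "10.99.0.1", 22),
    "MGMT host -> GUI":                packet("MGMT", "10.99.0.20", "10.99.0.1", 443),
    "LAN host -> internet":            packet("LAN", "192.168.0.50", "198.51.100.7", 443),
}


def decisions(floating_quick):
    """Verdict per sample packet for the ruleset with or without 'quick' on the floating block."""
    rules = ruleset(floating_quick)
    return {label: evaluate(rules, pkt) for label, pkt in PACKETS.items()}


if __name__ == "__main__":
    without, with_quick = decisions(False), decisions(True)
    for label in PACKETS:
        print(f"{label:34} floating block without quick: {without[label]:5}  with quick: {with_quick[label]}")
```

Running it shows the trap: without "quick", the LAN host still reaches the GUI (and SSH on the management address, since the firewall answers on all of its addresses) because the LAN tab's allow-any rule matches last; with "quick", only the management interface reaches the firewall while LAN traffic to the internet is unaffected.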

                borisnet

                @JeGr:

                I think the closest you'll come with pfSense at the moment is using a dedicated management NIC or VLAN as "LAN" while installing pfSense, so it ensures the anti-lockout rules etc. are only enforced (when selected) on that mgmt interface. On all other NICs, don't allow access to the firewall per se, or explicitly block it with a floating rule from anywhere other than mgmt.

                That doesn't isolate the mgmt interface routing-wise though. This option would indeed be nice to have, as otherwise it can happen that one creates asymmetric routing for devices that reside on the mgmt network but are routed OOB via another gateway.

                Something like VRF or even ASA-like security contexts would certainly be nice to have.

                Yep, my problem is the OOB I have is fairly large and I need the devices to be able to have their own gateway, so whoever is coming internally from a non-connected network to the LAN interface can get back to it.

                Let's say the pfSense LAN interface is on 192.168.0.0/24, then I am coming from another subnet further down the 192.168.0.0/24; the pfSense would need a gateway on the LAN interface, and I am not very clear on pfSense's different gateways, especially when one is pointing at the upstream through the WAN and the other one is pointing at the downstream infra through the LAN interface.

                  SoulChild

                  If this were Linux, you could use network namespaces for this. But then you're really into uncharted waters with pfSense, I think…

                    johnpoz LAYER 8 Global Moderator

                    "I am coming from another subnet further down the 192.168.0.0/24; the pfSense would need a gateway on the LAN interface, and I am not very clear on pfSense's different gateways, especially when one is pointing at the upstream through the WAN and the other one is pointing at the downstream infra through the LAN interface."

                    You would not connect a downstream router via the "lan"; you run into asymmetrical routing that way. If you need to connect a downstream router to pfSense, then that would be via a transit network. You don't put hosts on a transit. If you do, every one of those hosts would need to have host routing to tell them which gateway to use to get to which network, etc. It's a logistics nightmare, which is why you use transit networks to connect routers.

                    Isolating which interface you use to manage pfSense is very simple. Create a new network and use that network as your management; whether you use a whole physical interface for this or a VLAN is up to you. Generally speaking, if you want an isolated management network, use of the "lan" would be good since it has the anti-lockout rules on it. Then all your other networks connected to pfSense would be on OPT interfaces or VLANs running on LAN or OPT interfaces. But again, when connecting another router, be it downstream or even upstream of pfSense, it would and should be via a transit network.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11
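borisnet's question about a gateway on the LAN interface and johnpoz's answer about transit networks come down to one forwarding fact, which the following added example (not code from the thread or from pfSense) makes visible: a small longest-prefix-match simulation traces a packet in both directions through two constructed topologies. In the first, the downstream router R1 sits on the LAN segment and pfSense carries a static route to R1's subnet; in the second, R1 hangs off a /30 transit network that carries no hosts. Node names and all addresses (192.168.0.0/24 LAN, 10.0.0.0/30 transit, 10.1.0.0/16 behind R1, 203.0.113.0/24 WAN) are assumptions chosen for the example.

```python
import ipaddress


class Node:
    """A host or router: interface addresses plus a static routing table."""

    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in interfaces]
        # (destination network, next-hop address); "0.0.0.0/0" is the default route
        self.routes = [(ipaddress.ip_network(n), ipaddress.ip_address(gw)) for n, gw in routes]

    def addresses(self):
        return {i.ip for i in self.ifaces}

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes.
        A directly connected destination is delivered to dst itself."""
        best_len, best_hop = -1, None
        for i in self.ifaces:
            if dst in i.network and i.network.prefixlen > best_len:
                best_len, best_hop = i.network.prefixlen, dst
        for net, gw in self.routes:
            if dst in net and net.prefixlen > best_len:
                best_len, best_hop = net.prefixlen, gw
        return best_hop


def trace(nodes, src, dst):
    """Names of the nodes a packet from node `src` to address `dst` passes through."""
    owner = {a: n for n in nodes for a in n.addresses()}
    dst = ipaddress.ip_address(dst)
    cur = next(n for n in nodes if n.name == src)
    path = [cur.name]
    for _ in range(16):                      # guard against routing loops
        if dst in cur.addresses():
            return path
        hop = cur.next_hop(dst)
        if hop is None or hop not in owner:
            raise ValueError(f"{cur.name}: no route to {dst}")
        cur = owner[hop]
        path.append(cur.name)
    raise RuntimeError("routing loop")


def firewall_sees_both_directions(nodes, a, a_addr, b, b_addr, fw="pfSense"):
    """(symmetric?, forward path, return path): pf can only track state for a
    flow whose packets cross the firewall in both directions."""
    fwd = trace(nodes, a, b_addr)
    rev = trace(nodes, b, a_addr)
    return fw in fwd and fw in rev, fwd, rev


def downstream_router_on_lan():
    """Constructed topology: R1 sits on the LAN segment next to the hosts and
    pfSense routes 10.1.0.0/16 to it over that same interface."""
    return [
        Node("host", ["192.168.0.10/24"], [("0.0.0.0/0", "192.168.0.1")]),
        Node("pfSense", ["192.168.0.1/24", "203.0.113.2/24"],
             [("10.1.0.0/16", "192.168.0.2"), ("0.0.0.0/0", "203.0.113.1")]),
        Node("R1", ["192.168.0.2/24", "10.1.0.1/16"], [("0.0.0.0/0", "192.168.0.1")]),
        Node("server", ["10.1.0.5/16"], [("0.0.0.0/0", "10.1.0.1")]),
    ]


def downstream_router_on_transit():
    """Constructed topology: R1 connects to pfSense over a /30 transit network
    with no hosts on it; LAN hosts only ever see pfSense as their gateway."""
    return [
        Node("host", ["192.168.0.10/24"], [("0.0.0.0/0", "192.168.0.1")]),
        Node("pfSense", ["192.168.0.1/24", "10.0.0.1/30", "203.0.113.2/24"],
             [("10.1.0.0/16", "10.0.0.2"), ("0.0.0.0/0", "203.0.113.1")]),
        Node("R1", ["10.0.0.2/30", "10.1.0.1/16"], [("0.0.0.0/0", "10.0.0.1")]),
        Node("server", ["10.1.0.5/16"], [("0.0.0.0/0", "10.1.0.1")]),
    ]


if __name__ == "__main__":
    for label, topo in (("router on LAN", downstream_router_on_lan()),
                        ("router on transit", downstream_router_on_transit())):
        ok, fwd, rev = firewall_sees_both_directions(topo, "host", "192.168.0.10", "server", "10.1.0.5")
        print(f"{label:18} forward {' -> '.join(fwd)} | return {' -> '.join(rev)} | "
              f"{'symmetric' if ok else 'ASYMMETRIC: pfSense sees one direction only'}")
```

In the first topology the request goes host, pfSense, R1, server, but the reply goes server, R1, host, because 192.168.0.0/24 is directly connected to R1; pfSense creates a state on the first packet and never sees the reply, so later packets of the same TCP flow arrive out of sequence for that state and are dropped (and pfSense would also emit ICMP redirects on the LAN). With the transit network both directions cross pfSense, which is why johnpoz insists on it rather than on a gateway on the LAN interface.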

                      borisnet

                      @SoulChild:

                      If this were Linux, you could use network namespaces for this. But then you're really into uncharted waters with pfSense, I think…

                      Agreed, but then on Linux there is no pf ;-)

                        borisnet

                        @johnpoz:

                        "I am coming from another subnet further down the 192.168.0.0/24; the pfSense would need a gateway on the LAN interface, and I am not very clear on pfSense's different gateways, especially when one is pointing at the upstream through the WAN and the other one is pointing at the downstream infra through the LAN interface."

                        You would not connect a downstream router via the "lan"; you run into asymmetrical routing that way. If you need to connect a downstream router to pfSense, then that would be via a transit network. You don't put hosts on a transit. If you do, every one of those hosts would need to have host routing to tell them which gateway to use to get to which network, etc. It's a logistics nightmare, which is why you use transit networks to connect routers.

                        Isolating which interface you use to manage pfSense is very simple. Create a new network and use that network as your management; whether you use a whole physical interface for this or a VLAN is up to you. Generally speaking, if you want an isolated management network, use of the "lan" would be good since it has the anti-lockout rules on it. Then all your other networks connected to pfSense would be on OPT interfaces or VLANs running on LAN or OPT interfaces. But again, when connecting another router, be it downstream or even upstream of pfSense, it would and should be via a transit network.

                        Thanks! I am not entirely sure I got your point, except that it's likely to be messy, which I know well ;-)
                        I will keep it simple for now and just add a route to my few networks in my out-of-band management network.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.