Migrating from TMG 2010, understanding Rules



  • I've finally reached a point where I need to migrate from my TMG 2010 to a new firewall appliance. I just wanted to understand the firewall rules a bit with pfsense. I had the default rule set with the RFC 1918 removed from the WAN due to my private IP addresses in my Internal and DMZ subnets. I created 3 simple rules on the LAN interface for DNS, HTTP, HTTPS, from any to any with specified port (53, 80, 443). I can browse the internet from a LAN device no problem.

    I wanted to understand how I should create rules I'm transferring from my TMG setup. When I initially created a rule I was thinking it should be something like: Interface-LAN IPv4 TCP, source-LAN_net port: 53 Destination: WAN_net port: 53. I do not believe this works. If I'm trying to create specific rules allowing certain protocols, is having source and destination as any with a specified port the same thinking and functionality as what my TMG was doing?

    My network is pretty standard, LAN and DMZ subnets. I allow internet from my LAN domain clients. LAN clients have some DNS, SQL and SCCM port rules for DMZ. The most advanced is the incoming rule sets. I have Citrix, Mail, Activesync, VPN hosting so those rules I'm going to have to work with before finally decommissioning my TMG 2010. Any advice is greatly appreciated. Thanks.

    -SK



  • In the pfSense Docs the behavior of the firewall rules is documented succinctly: https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    Basically each TCP or UDP packet has a header which contains the source IP and the source port and destination IP and port. These together with the protocol type are the items by which the pf filter can control the packet flow.
    So if you want to grant access from LAN to any DNS in the internet, the destination address has to be any, never WAN net. WAN net is the small subnet your WAN address is a member of.



  • @viragomann:

    So if you want to grant access from LAN to any DNS in the internet, the destination address has to be any, never WAN net. WAN net is the small subnet your WAN address is a member of.

    Ahh thank you. This makes sense. So the rules I want to create to allow traffic outside to the internet, i.e. HTTP and DNS for internet browsing, will be destination any from source LAN_net. If I want to create rules allowing traffic between subnets, i.e. vMotion or DNS & HTTP from the LAN to the DMZ servers, the source would be LAN_net and destination would be DMZ_net with a protocol like TCP/UDP 53 for DNS.

    With the three rules I have for DNS, HTTP, HTTPS and destination any, would this allow HTTP from LAN to DMZ? If I wanted to prevent this, would I need a Deny rule for HTTP from LAN_net to DMZ_net?

    -SK



  • By default, LAN already has an Allow All to Any rule.  Each interface has a hidden Deny All rule that you can imagine being at the bottom of the rules list.  All access is denied by default; you must add rules to allow access.



  • @KOM:

    By default, LAN already has an Allow All to Any rule.  Each interface has a hidden Deny All rule that you can imagine being at the bottom of the rules list.  All access is denied by default; you must add rules to allow access.

    Gotcha. I disabled the default LAN all/any rule and created the 3 specific rules for internet on LAN.

    When creating a rule to allow traffic from external in, for instance if I wanted to RDP to a specific LAN server from the internet, would the source be WAN_net and destination be LAN_net to a specific host/IP? Would this rule be created on the WAN rules? I have 5 static public IPs with my business ISP.

    -SK



  • if I wanted to RDP to a specific LAN server from the internet.

    A better option would be to set up OpenVPN.  VPN in and then use RDP.  Don't expose RDP to the outside world if you can help it.

    Would the source be WAN_net and destination be LAN_net to a specific host/IP?

    WAN_net is only the subnet your WAN is on.  You want Any instead.  The destination would be the specific IP address of the server on LAN.

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    This rule would be created on the WAN rules?

    Rules are applied to traffic that enters the interface, so any traffic you want to allow IN to your network from Internet must be put on WAN.

    I have 5 static public IP's with my business ISP.

    Configure them as Virtual IPs.

    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses



    Thanks KOM. I have a Citrix infrastructure; I was just using RDP as a quick example ;) Thanks for the info. This will get me off the ground much quicker. I've been using TMG since it was ISA 2004 way back when and it's just not performing anymore. I have been trying to hold off replacing it, but it looks like with pfSense I can do so much more!

    -SK



    In pfSense you may also have the firewall rules for incoming traffic created automatically by the NAT port forwarding rules. Take a look at the option "Filter rule association".

    If you allow traffic from an internal interface to the internet with destination "any", this of course also allows traffic to other interfaces. If you don't want this you have to restrict the destination in your rule. E.g. you can set the invert check at destination and select LAN net to allow access to anywhere but LAN. If you need different subnets here, add an alias including all of them first and use this alias in the destination box.
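To make the rule semantics discussed in this thread concrete, here is an added example (not from any of the posters and not pfSense's own code): a small Python model of per-interface, first-match rule evaluation with the hidden deny at the bottom, using constructed subnets and host addresses. It shows why the "destination WAN net" attempt never matches Internet DNS, that "destination any" also reaches the DMZ, and how an inverted destination alias of the internal subnets restricts the rule to the Internet only.

```python
# Added example: a small model of pfSense-style interface rule evaluation
# (first match wins, hidden Deny All at the bottom of every interface's list).
# All subnets and addresses below are constructed for this illustration.
from ipaddress import ip_address, ip_network

# Constructed sample subnets; the WAN /29 stands in for the ISP-assigned block.
NETS = {
    "LAN net": ip_network("192.168.1.0/24"),
    "DMZ net": ip_network("192.168.2.0/24"),
    "WAN net": ip_network("203.0.113.8/29"),
    "server host": ip_network("192.168.1.50/32"),  # one internal server
}

def matches(spec, ip):
    """spec is 'any', a name from NETS, an alias (list of names),
    or ('not', spec) for pfSense's 'invert match' checkbox."""
    if spec == "any":
        return True
    if isinstance(spec, tuple) and spec[0] == "not":
        return not matches(spec[1], ip)
    if isinstance(spec, list):
        return any(matches(s, ip) for s in spec)
    return ip_address(ip) in NETS[spec]

def evaluate(rules, iface, proto, src, dst, dport):
    """Rules are checked only on the interface the packet enters; the first
    matching rule decides, and the hidden default deny catches the rest."""
    for r in rules:
        if r["iface"] != iface:
            continue
        if r["proto"] != "any" and r["proto"] != proto:
            continue
        if r["dport"] != "any" and r["dport"] != dport:
            continue
        if matches(r["src"], src) and matches(r["dst"], dst):
            return r["action"]
    return "deny"  # hidden Deny All at the bottom of every interface

# The thread's first attempt: destination "WAN net" for DNS to the Internet.
WRONG = [dict(iface="LAN", action="pass", proto="udp", src="LAN net", dst="WAN net", dport=53)]
# Destination "any" reaches the Internet, but also the DMZ.
BROAD = [dict(iface="LAN", action="pass", proto="tcp", src="LAN net", dst="any", dport=80)]
# Invert match on an alias of the internal subnets: anywhere but LAN/DMZ.
INTERNAL = ["LAN net", "DMZ net"]
STRICT = [dict(iface="LAN", action="pass", proto="tcp", src="LAN net", dst=("not", INTERNAL), dport=80)]
# Inbound rule on WAN: source any (not "WAN net"), destination the one server.
INBOUND = [dict(iface="WAN", action="pass", proto="tcp", src="any", dst="server host", dport=443)]
```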

