Allowing only internet for GUEST Network



  • Hey guys,

    I actually have a problem with firewalling…

    Here is my setup:

    
    3 Interfaces
    - WAN
    - LAN
    - OPT1 (Guest Network)
    
    Alias:
    Internal Networks = internal IP Ranges (172.29.0.0/16, 172.31.0.0/16, 172.27.0.0/16, 172.16.0.0/16, 192.168.0.0/16)
    
    

    and this is my FW Ruleset:

    WAN

    • NO Rules-

    LAN

    | Protocol | Source | Port | Destination | Action |
    |----------|--------|------|-------------|--------|
    | IPv4* | * | * | * | Allow |

    OPT1 (Guest)

    | Protocol | Source | Port | Destination | Action |
    |----------|--------|------|-------------|--------|
    | ICMP | * | * | * | Allow |
    | IPv4* | NETWORK_GUEST | * | ! Internal Networks | Allow |

    –> Please note the inverted selection (the "!" in the destination, shown in bold in the original post)

    ==================================================================

    The problem:

    Internet access is possible for guests. Blocking of the internal ranges is also working.
    But when I look at the firewall logs, I can see several public IPs being blocked (see Attachment).

    Any ideas why this is being blocked by the firewall?



  • Rebel Alliance Global Moderator

    Wow, that many /16s - you must have a shitton of clients.. Like 300,000 or so?? ;)

    Really dude, for what purpose would you need a /16 and how does that make any sense??

    Those blocks are out-of-state blocks.. Yeah, you're going to see those when you get out-of-state traffic..
    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection



  • @johnpoz:

    Wow, that many /16s - you must have a shitton of clients.. Like 300,000 or so?? ;)

    Really dude, for what purpose would you need a /16 and how does that make any sense??

    Those blocks are out-of-state blocks.. Yeah, you're going to see those when you get out-of-state traffic..
    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    Thank you johnpoz, this is a very good tip!

    The reason for the several /16 networks is different departments within the company ;-)
    They are not fully used, as you can imagine  :P


  • Rebel Alliance Global Moderator

    Yeah, I can imagine.. Still pointless.. A /16 is not an interface type of address.. It's a route mask, a summary route, or a firewall rule CIDR.. Not a network that an actual interface would be on ;)

    Wouldn't a /24 do, or let's go huge and give them a /22.. That would be 1000 devices per dept ;)

    Do you have any VPN users? I could see these large networks running into conflicts with road warrior networks or any VPN connections you might have to other sites, etc.



  • You're right, this is for a migration scenario.
    The /16s are not on interfaces; this is only an alias definition for denying access to these ranges :-)

    Interfaces are /24, also using several VPNs, and working out of the box.
    Many thanks for your advice!


  • Rebel Alliance Global Moderator

    Migration scenario?

    So you list those as your alias to allow or not allow your guests to go to. If you don't want your guests going to your local networks, why would you not just create an RFC1918 alias and put in the whole space.. This way, no matter what networks you bring up on any of your interfaces or new VLANs, etc., your guests would not be able to access them.

    So in your alias for RFC1918 space:
    192.168/16
    172.16/12
    10/8

    Three entries and guests don't go to your networks ;)

    If I see such entries in an alias it's clear you're using that to either allow or block access to RFC1918 space, etc. ;) What you posted looked like that was the mask on your internal networks..
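The following is an added example, not code from the thread or from pfSense itself. It models the OPT1 ruleset from the first post (first-match interface rules with an implicit default deny, an unrestricted ICMP pass, and the inverted "! Internal Networks" destination) and then compares the poster's five-entry alias with the three-entry RFC1918 alias suggested in the last post, listing the private space the original alias leaves reachable. The guest subnet 10.99.0.0/24, the source host 10.99.0.10 and the sample destinations are assumptions for illustration only; the thread says only that interfaces are /24. It does not model pf state tracking, so the out-of-state "blocked" log entries discussed above are outside its scope.

```python
"""Evaluate the guest ruleset from the thread and compare the two aliases.

Added example; not pfSense code. Rules are first-match with default deny,
which is how pfSense interface rules ("quick") behave.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The poster's alias (five /16s) and the moderator's suggested RFC1918 alias.
INTERNAL_NETWORKS = [ip_network(n) for n in (
    "172.29.0.0/16", "172.31.0.0/16", "172.27.0.0/16",
    "172.16.0.0/16", "192.168.0.0/16",
)]
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed guest subnet (hypothetical; the thread only says interfaces are /24).
GUEST_NET = ip_network("10.99.0.0/24")


def in_alias(addr, alias) -> bool:
    return any(addr in net for net in alias)


@dataclass
class Rule:
    proto: str                     # "icmp" or "any" (the IPv4* rule)
    src: Optional[object]          # ip_network, or None for "*"
    dst_alias: Optional[List]      # alias networks, or None for "*"
    invert_dst: bool               # the "! Internal Networks" inverted match
    action: str                    # "pass" or "block"

    def matches(self, proto, src, dst) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst_alias is not None:
            hit = in_alias(dst, self.dst_alias)
            # Normal match: need hit. Inverted match: need NO hit.
            if hit == self.invert_dst:
                return False
        return True


def guest_rules(internal_alias) -> List[Rule]:
    """The OPT1 ruleset from the first post, parameterised on the alias."""
    return [
        Rule("icmp", None, None, False, "pass"),             # ICMP * -> * allow
        Rule("any", GUEST_NET, internal_alias, True, "pass"),  # guest -> !alias allow
    ]


def evaluate(rules, proto, src, dst) -> str:
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst):
            return rule.action
    return "block"  # implicit default deny when nothing matches


def compare_aliases(dst, proto="tcp", src="10.99.0.10"):
    """(verdict with poster's alias, verdict with full RFC1918 alias)."""
    return (evaluate(guest_rules(INTERNAL_NETWORKS), proto, src, dst),
            evaluate(guest_rules(RFC1918), proto, src, dst))


def uncovered_rfc1918(alias):
    """RFC1918 space NOT covered by `alias`, as a sorted list of networks."""
    leftovers = []
    for private in RFC1918:
        remaining = [private]
        for net in alias:
            nxt = []
            for r in remaining:
                if net.subnet_of(r):          # carve the alias entry out
                    nxt.extend(r.address_exclude(net))
                elif r.subnet_of(net):        # fully covered: drop it
                    continue
                else:                         # disjoint: keep as is
                    nxt.append(r)
            remaining = nxt
        leftovers.extend(remaining)
    return sorted(set(leftovers))


def is_reachable_by_guests(dst, alias, proto="tcp") -> bool:
    return evaluate(guest_rules(alias), proto, "10.99.0.10", dst) == "pass"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.1.2.3", "172.20.0.5", "192.168.1.1"):
        print(dst, compare_aliases(dst))
    print("ICMP to 10.1.2.3:", compare_aliases("10.1.2.3", proto="icmp"))
    gaps = uncovered_rfc1918(INTERNAL_NETWORKS)
    print("private space still open to guests with the poster's alias:")
    for net in gaps:
        print("  ", net)
```

Running it shows that a TCP connection from a guest to 10.1.2.3 or 172.20.0.5 is passed by the poster's alias (neither address is in any of the five /16s) but blocked by the RFC1918 alias, and that the unrestricted ICMP rule in the posted ruleset passes pings to every destination under both aliases. The gap list is 10.0.0.0/8 plus the twelve /16s of 172.16.0.0/12 that the poster's alias does not name.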