    No destination interface in firewall rules

    Firewalling
ichilton:

      Hi,

There doesn't seem to be any way to specify a destination interface in firewall rules. Why is this?

      I have a number of VLANs and other than in specific cases, I don't want them to be able to route to each other - generally just to the internet.

      So for this, I have to have an alias containing a list of local network ranges, and then have a firewall rule like:

      interface: LAN
      src: LAN NET
      dest: ! local_networks

      instead of:

      interface: LAN
      src: LAN NET
      dest interface: WAN

      Is that the only/best way to do it, or am I missing something?

      Thanks,

      Ian

doktornotor:

        Huh?!

        :o ::)

ichilton:

          That's destination address, not interface.

          In the case of my question, the destination address is everything, except a few subnets.

          The simplest way of doing that was to list those subnets in an alias.

          But destination interface (WAN) would be simpler.

          Thanks,

          Ian

doktornotor:

@ichilton:

> That's destination address, not interface.

Ugh, maybe look at the dropdown as well? What'd you figure the LAN net etc. is for there?

ichilton:

              LAN net is the subnet on the LAN interface - not the interface itself.

If I set the destination to WAN NET, then I'd only be able to access my own allocated subnet, not the rest of the internet.

ichilton:

                For clarification, my question was whether there was a better way to do this rule, without having ! local_networks.

                local_networks is an alias containing 10.0.0.0/8, my allocated v4 subnet and my allocated v6 subnet.

[Screenshot attached: Screen Shot 2017-01-26 at 11.11.22.png]

doktornotor:

                  Yes, WAN net is not internet and layer 2 is not layer 3. The request here makes no sense. (And what you are asking has been discussed about 5496 times before.) Have a nice day.

ichilton:

So you would do it like I already have?

In iptables, this would be like:

                    iptables -A FORWARD -i eth0.4 -o pppoe0 -s 10.4.0.0/24 -j ACCEPT

johnpoz (LAYER 8 Global Moderator):

If you're wanting your clients to go to the internet from the LAN network, then you could use dest any?

Or sure, you could use ! to say as long as you're not going here, it's ok. Or you could use dest any, and above that put in block rules to your other VLANs.

                      "I don't want them to be able to route to each other - generally just to the internet."

How I accomplish this is with a simple alias that I put the RFC1918 space in. I know for sure that all my VLANs will be in this space ;) So I use a ! rule to say: not RFC1918 space, have at it, allowed. So this lets them go to the internet, but not my other networks. See example attached: I let that network ping pfSense and let it use it for DNS. I have a rule that allows access to my NTP servers on a different VLAN. But then I block all other access to pfSense on any other IP, LAN or WAN, etc.

Dest interface sure doesn't tell me that is how you get to the internet. This rule is clear and easy to understand: as long as you're not going to an RFC1918 address it's allowed, i.e. internet.


                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

doktornotor:
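To make the two rule shapes discussed in this thread concrete, here is an added example (not from the thread, and not pfSense code) that models pfSense's first-match evaluation of the single negated-alias rule ichilton describes beside the block-then-pass-any ordering johnpoz mentions. The VLAN subnets and the ISP-allocated prefixes in the alias are constructed placeholders; the example also shows what the same two rules in the wrong order, and an RFC1918-only alias, each do to traffic bound for an ISP-allocated prefix.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the VLAN's own v4/v6 subnets and a "local_networks" alias
# of RFC1918 plus placeholder ISP-allocated prefixes, as the thread describes.
VLAN_NET = [ipaddress.ip_network("10.4.0.0/24"), ipaddress.ip_network("2001:db8:1234:4::/64")]
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.0/24",      # placeholder for the ISP-allocated IPv4 block
    "2001:db8:1234::/48",  # placeholder for the ISP-allocated IPv6 block
)]
RFC1918_ONLY = LOCAL_NETWORKS[:3]

@dataclass
class Rule:
    action: str                # "pass" or "block"
    src: list                  # networks, or None for any
    dst: list                  # networks (an alias), or None for any
    dst_negated: bool = False  # the "not" (invert match) box on the destination

def in_alias(addr, alias):
    # ip_network.__contains__ is False across address families, so a mixed
    # v4/v6 alias can safely be checked against either kind of address.
    return any(addr in net for net in alias)

def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation, as pfSense interface rules (quick) behave."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.src is not None and not in_alias(src, r.src):
            continue
        if r.dst is not None and in_alias(dst, r.dst) == r.dst_negated:
            continue  # a plain match needs a hit, a negated match needs a miss
        return r.action
    return "block"    # pfSense default deny when no rule matches

# The OP's single rule: pass from the VLAN net to ! local_networks
NEGATED_ALIAS = [Rule("pass", VLAN_NET, LOCAL_NETWORKS, dst_negated=True)]
# johnpoz's alternative: block to the local alias, then pass to any
BLOCK_THEN_ANY = [Rule("block", VLAN_NET, LOCAL_NETWORKS), Rule("pass", VLAN_NET, None)]
# The same two rules reversed: pass-any matches first and the block never fires
MISORDERED = list(reversed(BLOCK_THEN_ANY))
# An RFC1918-only alias misses the ISP-allocated prefixes the OP put in his alias
RFC1918_RULE = [Rule("pass", VLAN_NET, RFC1918_ONLY, dst_negated=True)]

def compare(src_ip, dst_ip):
    """Decision of each ruleset for one src/dst pair."""
    rulesets = {"negated_alias": NEGATED_ALIAS, "block_then_any": BLOCK_THEN_ANY,
                "misordered": MISORDERED, "rfc1918_only": RFC1918_RULE}
    return {name: evaluate(rs, src_ip, dst_ip) for name, rs in rulesets.items()}
```

Calling `compare("10.4.0.10", "203.0.113.5")` shows the one case where the RFC1918-only alias and the full alias disagree: traffic to the ISP-allocated block is allowed by the former and blocked by the latter.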

@ichilton:

> In iptables, this would be like:
> iptables -A FORWARD -i eth0.4 -o pppoe0 -s 10.4.0.0/24 -j ACCEPT

                        See above. And what you do in iptables is essentially broken, because you are hardcoding the interface name. Not usable. When you re-assign the interface, you get completely BS rules.

ichilton:

@johnpoz:

> How I accomplish this is with a simple alias that I put the RFC1918 space in.

Right!! So you are doing exactly the same thing as me, except rather than mine just being RFC1918, it includes my ISP-allocated subnets too, for both IPv4 and IPv6.

                          The alternative would be block rules on each VLAN, to drop/block packets bound for other vlans, but while using an alias felt a little hacky, it was at least a single rule.

                          Thanks!

                          Ian

johnpoz (LAYER 8 Global Moderator):

How is using an alias "hacky"?? Every firewall I have ever used allows the use of "objects", if you will: Juniper, Checkpoint, Fortigate, Cisco ASA, etc. etc. etc. Even iptables can use ipsets to store the same thing (groups of IPs, networks, ports), so how is it "hacky"???

Would it feel less hacky if pfSense called them "objects" ;) and you could put networks in there, or ports? Or IPs ;)

I have another alias I use for my IPv6 stuff, but I currently am not allowing IPv6 on my DMZ segment, so it is pretty useless putting in rules for it ;) That segment cannot go anywhere via IPv6.

ichilton:

                              Maybe hacky was too strong a word!

I guess the developer in me was thinking that an alias felt inefficient (a lookup and then multiple instances to parse), so being new to pfSense, I wanted to check I was doing it the best way. Pleased that, looking at your screenshot, I'd come up with almost identical rules to you :)

                              Thanks!

                              Ian
