More efficient way to block traffic between networks?



  • I have a pfSense firewall set up with a bunch of networks, and the way I want it to work is I want to block SMTP outbound from all networks, I want to block access to the pfSense interfaces on all but the LAN network, and I don't want any of the networks (other than the LAN which should be able to access all) to be able to access anything other than the internet.

    Below is how I have it set up and it works - but is there some more efficient way to do this that I'm missing, rather than having to add more rules everywhere any time I add a network?



  • An alias maybe ?



  • LAYER 8 Netgate

    For something like blocking SMTP for all networks - and anything else that can be the same for all interfaces - you can use an interface group. Put all interfaces in a group and put the block rule on the group tab.

    Group rules are processed before individual tab rules.



  • Thanks for the tips - I do want to block SMTP for most all networks, but there are exceptions, so using a group for that would be a problem since the groups process first.
    I think I have this figured out; how does this look?

    I've set the 'Internal_Networks' Alias to contain all of the internal networks, including LAN and DMZ, and I've set the 'InternalGroup' interface group to encompass everything except the LAN and WAN. So this way, if I understand it correctly, anything that's in the 'InternalGroup' group and is a member of 'Internal_Networks' that tries to access anything that's a member of 'Internal_Networks', it'll be blocked, and if it's a member of 'InternalGroup' and a member of 'Internal_Networks' and tries to go somewhere other than 'Internal_Networks' (such as the internet), it'll be allowed?

    Come to think of it, that might prevent my block SMTP rules from working on the individual interfaces, so I probably just want to block access to 'This Firewall' and 'Internal_Networks', and continue to block SMTP and allow everything else at the interface level. This way, if I add a network, I just add that interface to the 'InternalGroup' and its network to 'Internal_Networks' and most of the rules are set up. Does that seem correct? Although at that point, it seems like there isn't much point to the interface group - it's really only saving me three lines at each interface, and using the alias, once a new network is added to the alias, I don't have to go back and add rules to each and every network to add new block rules.



  • Almost - see attachment. (ignore my descriptions)



  • LAYER 8 Netgate

    You have to be careful with pass rules on an interface group because states created by an interface group rule do not get reply-to. That is generally OK for an interface group of LAN interfaces as is the case here but it is something that you need to be aware of. Can wreak havoc with WANs especially if there is multi-wan involved.

    I would probably put the pass rule on the interfaces themselves. And maybe a separator at the top referring to the fact that there are interface group rules in play.

    I would also probably source the interface group block rules from address any and make the pass rules specific to the interface network.


  • LAYER 8 Netgate

    @moikerz:

    Almost - see attachment. (ignore my descriptions)

    Your guests can pull up the webgui on VLAN9Guest address



  • @Derelict:

    Your guests can pull up the webgui on VLAN9Guest address

    This is where I say "lol" and go fix my oversight …  ::)



  • Thanks for the tips. I ended up going away from the interface group as in the end, it really wasn't saving much on the rules at the interface level. The Alias was a good idea and made a big difference. Using the alias, if I add a network, I just add that network to the alias and set up all the same rules on the new network and it's done - I don't have to go back and add the new network to all of the existing networks manually.

    I did find that with the block 'Internal_Networks to Internal_Networks', the rule to block access to the firewall on 80 & 443 may not be needed (But I'll probably leave them anyway). I accidentally set one network with the Internal to internal rule set to allow, and I was able to ping that network's gateway address (as well as others), but when set to block, I can't even ping that network's gateway, but internet access is fine on all networks.

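The following is an added example, not code from the thread or from pfSense: a small Python model of pfSense's first-match rule evaluation (interface group tab processed before the interface's own tab, default deny when nothing matches) applied to the layout the thread settles on. The subnets, interface names (VLAN9Guest, VLAN20IoT), the relay host and the WAN address are all constructed for illustration; 'This_Firewall' here stands in for pfSense's built-in 'This Firewall' target, which covers every interface address including the WAN address. It shows three things the thread discusses: why an SMTP exception on an interface tab is never reached if the SMTP block sits on the group tab, why the 'Internal_Networks to Internal_Networks' block alone already stops pings to a network's gateway address, and why that block does not cover the firewall's WAN address, so the 'This Firewall' rule is still worth keeping.

```python
"""Model of pfSense first-match rule evaluation with aliases and an interface
group.  Added example, not pfSense code; every address below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed aliases.  'Internal_Networks' holds every internal subnet (LAN
# included); 'This_Firewall' stands for pfSense's 'This Firewall' target: all
# interface addresses, the WAN address (203.0.113.10 here) included.
ALIASES = {
    "Internal_Networks": ["192.168.1.0/24", "192.168.9.0/24", "10.0.20.0/24"],
    "This_Firewall": ["192.168.1.1", "192.168.9.1", "10.0.20.1", "203.0.113.10"],
}

# Members of the 'InternalGroup' interface group (everything but LAN and WAN).
INTERNAL_GROUP = ["VLAN9Guest", "VLAN20IoT"]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name, address/CIDR, or "any"
    dst: str
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port for tcp/udp, None = any
    descr: str = ""


def _addr_in(spec: str, addr: str) -> bool:
    """True if addr is covered by spec ('any', an alias name, or a CIDR)."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def _rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if rule.dport is not None and rule.dport != pkt.get("dport"):
        return False
    return _addr_in(rule.src, pkt["src"]) and _addr_in(rule.dst, pkt["dst"])


def evaluate(pkt: dict, group_rules: list, iface_rules: dict) -> tuple:
    """First match wins.  The group tab is processed before the interface's own
    tab, and traffic that matches no rule is denied by default."""
    tabs = []
    if pkt["iface"] in INTERNAL_GROUP:
        tabs.append(("InternalGroup", group_rules))
    tabs.append((pkt["iface"], iface_rules.get(pkt["iface"], [])))
    for tab, rules in tabs:
        for rule in rules:
            if _rule_matches(rule, pkt):
                return rule.action, tab, rule.descr
    return "block", "default", "default deny"


def build_rules(firewall_rule: bool = True, smtp_on_group: bool = False):
    """Thread's final layout: alias block rules on the group tab, SMTP block plus
    pass-all on each member interface.  firewall_rule=False drops the 'This
    Firewall' rule; smtp_on_group=True moves the SMTP block to the group tab."""
    group = []
    if firewall_rule:
        group.append(Rule("block", "any", "This_Firewall", descr="block webgui/ssh"))
    group.append(Rule("block", "Internal_Networks", "Internal_Networks",
                      descr="no traffic between internal nets"))
    if smtp_on_group:
        group.append(Rule("block", "any", "any", "tcp", 25, "block SMTP (group)"))
    per_iface = [Rule("block", "any", "any", "tcp", 25, "block SMTP"),
                 Rule("pass", "any", "any", descr="allow to internet")]
    iface = {i: list(per_iface) for i in INTERNAL_GROUP}
    # One interface needs an SMTP exception for a (constructed) relay host.
    iface["VLAN20IoT"].insert(0, Rule("pass", "10.0.20.25", "any", "tcp", 25,
                                     "SMTP exception for relay"))
    return group, iface


def decide(pkt: dict, **layout) -> tuple:
    """Return (action, tab, description) of the first matching rule."""
    group, iface = build_rules(**layout)
    return evaluate(pkt, group, iface)


if __name__ == "__main__":
    guest = {"iface": "VLAN9Guest", "src": "192.168.9.50", "proto": "tcp", "dport": 443}
    relay = {"iface": "VLAN20IoT", "src": "10.0.20.25", "proto": "tcp", "dport": 25}
    print(decide({**guest, "dst": "8.8.8.8"}))                            # pass, internet
    print(decide({**guest, "dst": "10.0.20.7"}))                          # block, other internal net
    print(decide({**guest, "dst": "192.168.9.1"}, firewall_rule=False))   # block, gateway is in the alias
    print(decide({**guest, "dst": "203.0.113.10"}, firewall_rule=False))  # pass, WAN address is not
    print(decide({**relay, "dst": "198.51.100.25"}))                      # pass, exception reached
    print(decide({**relay, "dst": "198.51.100.25"}, smtp_on_group=True))  # block, group tab wins
```

The `smtp_on_group=True` case is the reason the thread keeps the SMTP block on the individual interfaces: the group tab is evaluated first, so a per-interface exception can never be reached. The `firewall_rule=False` cases show what the last post observed (the alias block alone stops traffic to a network's own gateway address) and its limit: an address that is not inside 'Internal_Networks', such as the WAN address, is only caught by the 'This Firewall' rule.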
