Is my network safe?



  • I have posted here before asking about how to set up a guest network and now I finally got around to doing it. My last question that remains is if it is safe.

    Here is what I did:

    • I copied the "Allow LAN to any" rule to OPT1 (my guest network interface)
    • I created a rule to block traffic from OPT1 net to LAN net on OPT1
    • I created a rule to block traffic from LAN net to OPT1 net on LAN
    • I created two aliases: one with the two IP addresses of the pfSense Web Interface, one with the ports 80, 443 and 22
    • I created a rule on OPT1 to block traffic to that

    What I tried to achieve was that the two networks can only talk to the WAN Interface, and that the guest network is not able to access the Web Interface of pfSense (which it is not, I tried that).

    Is this setup correct or should I change something?



  • This actually looks good to me.


  • LAYER 8 Global Moderator

    "What I tried to achieve was that the two networks can only talk to the WAN Interface"

    So you don't want internet - just your WAN IP??

    "I created two aliases: one with the two IP addresses of the pfSense Web Interface, one with the ports 80, 443 and 22"

    So did that include the WAN IP?  If not, your guest is going to be able to access your GUI via that IP..  Why not just use the built-in "this firewall" alias?

    Post up your rules so we can actually see what you did, not what you think/say you did..



  • @johnpoz:

    "What I tried to achieve was that the two networks can only talk to the WAN Interface"

    So you don't want internet - just your WAN IP??

    "I created two aliases: one with the two IP addresses of the pfSense Web Interface, one with the ports 80, 443 and 22"

    So did that include the WAN IP?  If not, your guest is going to be able to access your GUI via that IP..  Why not just use the built-in "this firewall" alias?

    Post up your rules so we can actually see what you did, not what you think/say you did..

    Here you can find two screenshots of the firewall rules for LAN and OPT1:
    https://drive.google.com/file/d/0B5MY92jm0NVhWFBoU1oxZHN3cXc/view
    https://drive.google.com/open?id=0B5MY92jm0NVhMkhvbFdsektDeXM

    I want my guests to access the internet, but that already works. I only want to know whether or not they can access devices on the LAN Interface or the web configurator with the configuration I have right now.
    Admin addresses is the alias for the two addresses used to access the web configurator, and admin ports is the alias for ports 80, 443 and 22.

    Thanks for helping me.


  • LAYER 8 Global Moderator

    What do you think the block opt1 address to lan address, and the opposite, does?  You're saying the opt1 IP of pfSense can not talk to the lan IP of pfSense if the OPT1 IP was the source inbound to the opt1 interface… Which it never would be..

    Rules are evaluated inbound to an interface, from the network towards pfSense.. Those rules above would never ever happen..  From the top down, the first rule to trigger wins; no other rules are evaluated.

    If you want to block opt1 from admin ports, you need to make sure your WAN address is in that alias..

    Be easier to allow what you want to talk to pfSense, say DNS to the opt1 interface.  Then block "this firewall" as the destination - it's a built-in alias.



  • @johnpoz:

    What do you think the block opt1 address to lan address, and the opposite, does?  You're saying the opt1 IP of pfSense can not talk to the lan IP of pfSense if the OPT1 IP was the source inbound to the opt1 interface… Which it never would be..

    Rules are evaluated inbound to an interface, from the network towards pfSense.. Those rules above would never ever happen..  From the top down, the first rule to trigger wins; no other rules are evaluated.

    If you want to block opt1 from admin ports, you need to make sure your WAN address is in that alias..

    Be easier to allow what you want to talk to pfSense, say DNS to the opt1 interface.  Then block "this firewall" as the destination - it's a built-in alias.

    So I could delete the LAN to OPT1 address and OPT1 to LAN address rules.

    To configure this I just followed a tutorial; I just wanted to know if what I did is correct.

    My WAN address is an address outside my network since I am using PPPoE (I live in Italy).


  • LAYER 8 Global Moderator

    What tutorial would state to put in such a rule?  There is no tutorial that should say that..

    No your Wan address is NOT outside your network… Where would you get such an idea??



  • @johnpoz:

    What tutorial would state to put in such a rule?  There is no tutorial that should say that..

    No your Wan address is NOT outside your network… Where would you get such an idea??

    Here is a screenshot of my WAN IP address:
    https://drive.google.com/open?id=0B5MY92jm0NVhWVFSSXR0OE9EdWs

    I am sorry if I am making a big mistake here, but why would I have to block that IP address? I thought pfSense only lets you access the web configurator on the WAN interface if there is no other interface configured?



  • @johnpoz:

    What tutorial would state to put in such a rule?  There is no tutorial that should say that..

    No your Wan address is NOT outside your network… Where would you get such an idea??

    I just figured out what you said, tried to access the web configurator with the WAN IP address, and it still worked, so I blocked that too.
    Here are two screenshots of my new rules:
    https://drive.google.com/open?id=0B5MY92jm0NVhdFFveHFUUG9fckk
    https://drive.google.com/open?id=0B5MY92jm0NVhVndSaS1SbDhfemc

    admin addresses are the two addresses of the router on the two interfaces and my WAN IP
    admin ports is still ports 80, 443 and 22

    Is this correct now?
    Thanks for helping me.


  • LAYER 8 Global Moderator

    What happens when your WAN IP changes?  This is why it's better to use the "this firewall" built-in alias..  What happens when you bring up a new VLAN/interface and forget to block opt1 from getting to it?

    You should allow the traffic you want to the opt1 IP, say ping and DNS.  And then block via the "this firewall" dest; this blocks all access to any IP on the firewall, along with any new ones or when they change, etc.



  • @johnpoz:

    What happens when your WAN IP changes?  This is why it's better to use the "this firewall" built-in alias..  What happens when you bring up a new VLAN/interface and forget to block opt1 from getting to it?

    You should allow the traffic you want to the opt1 IP, say ping and DNS.  And then block via the "this firewall" dest; this blocks all access to any IP on the firewall, along with any new ones or when they change, etc.

    I tried that before. I copied the allow LAN to any rule to the opt1 interface (the way I have it now) and used the built-in "this firewall" alias to block traffic to the web configurator, but my Internet connection doesn't work anymore if I do it that way instead of with the rule that I created with the addresses and the ports.

    Have I made a mistake? While I tried that I also had the block traffic to LAN rule configured the exact way I have it now (but that shouldn't make a difference).


  • LAYER 8 Global Moderator

    You have to ALLOW the traffic you want to the firewall before you block to the firewall - for example DNS.. If you do not allow DNS to the opt1 interface then no clients would be able to look up anything and go to the internet.

    It's not a mistake per se, but the way you have the rules you're not accounting for changes in your WAN IP.. since you're on PPPoE, pretty sure your IP is going to change, etc.  Also if you bring up new interfaces you have to remember to alter your alias, etc..

    The whole point of this "this firewall" is to allow simple blocking to the firewall on any IP..



  • @johnpoz:

    You have to ALLOW the traffic you want to the firewall before you block to the firewall - for example DNS.. If you do not allow DNS to the opt1 interface then no clients would be able to look up anything and go to the internet.

    It's not a mistake per se, but the way you have the rules you're not accounting for changes in your WAN IP.. since you're on PPPoE, pretty sure your IP is going to change, etc.  Also if you bring up new interfaces you have to remember to alter your alias, etc..

    The whole point of this "this firewall" is to allow simple blocking to the firewall on any IP..

    I understand the problem with my current configuration. Can you maybe give me a screenshot of what the ruleset should look like?


  • LAYER 8 Global Moderator

    Something like this, for example - minus the stuff you do not need or want.

    I allow ping to the interface
    allow DNS
    allow NTP to my NTP servers on a different network
    I then block all access to any firewall IP.
    I then allow access from this segment to the dmz segment of mine
    I then allow any access that is not rfc1918 space - this allows access to the internet but not any of my other networks, current or future, since they would all be rfc1918 space
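    As an added example (not code from the thread or from pfSense), the following Python script models top-down first-match evaluation of rules inbound on OPT1, and compares the original post's static admin-alias rules with the ruleset just described. Addresses, ports and the "this firewall" alias (approximated as the list of addresses pfSense holds at evaluation time) are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing for the thread's setup (not from the posts):
# LAN 192.168.1.0/24, guest OPT1 192.168.2.0/24, pfSense holding .1 on each,
# and a PPPoE WAN IP that changes over time (documentation ranges used).
LAN_IF, OPT1_IF = "192.168.1.1", "192.168.2.1"
OPT1_NET = ["192.168.2.0/24"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ADMIN_PORTS = {22, 80, 443}

def in_alias(addr, alias):
    """An alias is a list of hosts/networks in CIDR text; a bare host is a /32."""
    return any(addr in ipaddress.ip_network(n) for n in alias)

def evaluate(rules, src, dst, proto, dport=None):
    """Walk the rules top down and return the first match, the way pfSense
    evaluates rules inbound on an interface. No match means the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts, protos, ports, invert_dst in rules:
        if (in_alias(src, srcs) and in_alias(dst, dsts) != invert_dst
                and (protos is None or proto in protos)
                and (ports is None or dport in ports)):
            return action
    return "block"

def static_alias_rules(admin_ips):
    """The original post's OPT1 rules: the address-to-address block (whose source
    is never seen inbound on OPT1), a hand-maintained admin alias, then allow any."""
    return [("block", [OPT1_IF], [LAN_IF], None, None, False),
            ("block", OPT1_NET, admin_ips, {"tcp"}, ADMIN_PORTS, False),
            ("pass", OPT1_NET, ["0.0.0.0/0"], None, None, False)]

def this_firewall_rules(wan_ip):
    """johnpoz's ruleset without the NTP/DMZ rules: allow ping and DNS to the OPT1
    address, block 'this firewall' (every IP pfSense holds right now), then allow
    only destinations outside RFC 1918 space."""
    this_firewall = [LAN_IF, OPT1_IF, wan_ip]
    return [("pass", OPT1_NET, [OPT1_IF], {"icmp"}, None, False),
            ("pass", OPT1_NET, [OPT1_IF], {"udp", "tcp"}, {53}, False),
            ("block", OPT1_NET, this_firewall, None, None, False),
            ("pass", OPT1_NET, RFC1918, None, None, True)]

if __name__ == "__main__":
    guest = "192.168.2.50"
    old = static_alias_rules([LAN_IF, OPT1_IF, "203.0.113.5"])  # WAN IP when alias was made
    print(evaluate(old, guest, "203.0.113.5", "tcp", 443))   # block: alias still current
    print(evaluate(old, guest, "198.51.100.7", "tcp", 443))  # pass: WAN IP changed, GUI exposed
    print(evaluate(old, guest, "192.168.1.50", "tcp", 445))  # pass: address block never matched
    new = this_firewall_rules("198.51.100.7")
    print(evaluate(new, guest, "198.51.100.7", "tcp", 443))  # block: alias follows the WAN IP
    print(evaluate(new, guest, "192.168.1.50", "tcp", 445))  # block: LAN is RFC 1918, default deny
    print(evaluate(new, guest, "192.168.2.1", "udp", 53))    # pass: DNS to the OPT1 address
```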




  • Johnpoz,
    Does your rule set block access to other interfaces? If you do not want, for example, LAN to access Opt1 (or vice versa), are additional block rules needed?

    The reason I ask is I too do not want other interfaces to access my LAN.

    I think your "!RFC1918" rule prevents access to other interfaces?

    (Johnlile, I have a similar setup; Johnpoz was extremely helpful in getting my 10+ rules down to 3!! Assuming I do not need additional block rules….)



  • @johnpoz:

    Something like this, for example - minus the stuff you do not need or want.

    I allow ping to the interface
    allow DNS
    allow NTP to my NTP servers on a different network
    I then block all access to any firewall IP.
    I then allow access from this segment to the dmz segment of mine
    I then allow any access that is not rfc1918 space - this allows access to the internet but not any of my other networks, current or future, since they would all be rfc1918 space

    Thank you, I just copied your configuration and customized it a little bit. It works perfectly fine.



  • @Velcro:

    Johnpoz,
    Does your rule set block access to other interfaces? If you do not want, for example, LAN to access Opt1 (or vice versa), are additional block rules needed?

    The reason I ask is I too do not want other interfaces to access my LAN.

    I think your "!RFC1918" rule prevents access to other interfaces?

    (Johnlile, I have a similar setup; Johnpoz was extremely helpful in getting my 10+ rules down to 3!! Assuming I do not need additional block rules….)

    No, from my understanding you don't need that if you don't create an additional subnet with a weird IP address (one outside of the rfc1918 space).

    EDIT: His rfc1918 is probably an alias (?), so the address range within that alias is already blocked.


  • LAYER 8 Global Moderator

    Yes, my rfc1918 is an alias that contains all the rfc1918 space: 192.168/16, 10/8 and 172.16/12.

    If you did create a network that was public or non-rfc1918 then that alias would allow access to that.  But you would only do such a thing if you had public space that was routed to you, etc.

    "Does your rule set block access to other interfaces?"

    No it does not; that's the whole point of the "this firewall" built-in alias - any IP that pfSense would have on any interface would be blocked.  While the rfc1918 ! would allow access to anything that was not rfc1918, so if I had another WAN type interface with public space, that would be allowed.  The "this firewall" prevents such access, etc..



  • Thanks… my opt1 interface (a separate isolated interface, not a WAN) falls within the RFC1918 range. Sorry to jump into the thread, but I appreciate the help.

    I used your rule #2, 4 and 6 and I can access the net.

