1xwan, 3xlan, natting & firewall rules problems



  • Hi all, happy to be finally posting here after being a long-standing user of pfSense. Never got stuck before like I am now :)

    I have recently redone my installation on my APU-board at home and decided to move away from a bridged setup to 3 separate subnets in the hope to get better flow control and isolate certain devices.

    Network layout:

    Modem(bridged) -------- pfsense(lan1)-----pfsense(lan2)------pfsense(wlan)
                                    |                  |                |
                                    |                  |                |-- Several WLAN devices
                                    |                  |-- TV
                                    |                  |-- Mediacenter
                                    |--Main PC
                                    |--NAS
                                    |--DevBox
                                    |--Printer
                                    |--Other stuff


    LAN1 = 10.0.0.x/26 - 255.255.255.192 - DHCP: range x.x.x.50 --> x.x.x.60
    LAN2 = 10.0.1.x/26 - 255.255.255.192 - DHCP: none
    WLAN = 10.0.2.x/26 - 255.255.255.192 - DHCP: range x.x.x.10 --> x.x.x.60

    Inbound pure NAT port forwarding (with auto rules) was set up to make certain services available over the WAN; this works fine.

    Straight out of the box this already worked almost perfectly, except that, for example, the NAS was not reachable from the WLAN subnet. All other devices like the printer etc., however, worked fine. Also, the problem was not the NAS itself, as it was reachable from the WAN, from LAN2 and from inside LAN1, just not from the WLAN address.

    I solved this by setting "outbound NAT" to hybrid and creating the following manual rules:

    NATting:

    -----------------------------------------------------
    Interface      | Source          | NAT Address
    -----------------------------------------------------
    LAN1           | 10.0.2.0/26     | LAN1 address
    LAN1           | 10.0.1.0/26     | LAN1 address
    -----------------------------------------------------
    etc. until all subnets have been crosslinked


    My (default) routes look as follows:

    Destination    Gateway    Flags   Use       Mtu     Netif
    default        x.x.x.x    UGS     320976    1500    re0
    10.0.0.0/26    link#2     U       791211    1500    re1
    10.0.0.1       link#2     UHS     0         16384   lo0
    10.0.1.0/26    link#3     U       181499    1500    re2
    10.0.1.1       link#3     UHS     0         16384   lo0
    10.0.2.0/26    link#9     U       3629332   1500    ath0_wlan0
    10.0.2.1       link#9     UHS     202678    16384   lo0
    127.0.0.1      link#8     UH      6642      16384   lo0


    Eureka, connections to everywhere are now possible :) Not sure this was the right way to do it, but at least it works, at which point the wife was happy to be able to browse Amazon again :D

    We now reach the point where I think I'm stuck: the firewall rules.

    Starting at WLAN, just a few rules are on this interface, as I don't want to allow much incoming (unsolicited) traffic on this subnet:

    • lockout rule: source: WLAN net --> destination: WLAN address, port: 443 (HTTPS)
    • source: WLAN net --> destination: WLAN address, port: 53 (DNS)
    • source: WLAN net --> destination: any, port: any

    This last rule makes my internet work; without it no WLAN device is able to access anything outside the subnet it's in. Logical, really.

    However:

    • this is also leaking traffic to the other subnets: for example, on LAN1 I do not explicitly allow port 433 of the printer to be accessible, but as long as this "allow any" rule is active that service is reachable from inside the WLAN.

    I probably need to change the way I think about this. Who can point me in the right direction to reach the following goals:

    • always allow free traffic inside each subnet
    • do not allow crossover traffic to other subnets unless specifically specified
    • help packets find their way to the gateway without the help of "allow any"
    • VLANs are not an option, as I use a couple of switches (1 per subnet) that don't support managed options

    What I'm trying to do here is probably not that hard, and I feel I'm close; however, I suspect I'm making a couple of logical thinking errors due to my limited networking knowledge. Any help = appreciated.
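The leak described in the post comes from rule order: pfSense evaluates the rules on an interface top to bottom and the first match wins, so a trailing "allow any" also matches WLAN-to-LAN1 traffic. The following is an added example (not from the original post or from pfSense itself) that models that first-match evaluation in Python over the subnets given in the post. The host addresses (NAS at 10.0.0.10, printer at 10.0.0.30), the printer port 9100 and the internet address 203.0.113.10 are constructed for the demo; the "lockout" 443 rule is modelled as a pass rule, which is an assumption.

```python
"""Added example: first-match model of per-interface pfSense rules.

It contrasts the WLAN rule set from the post (pass DNS/GUI, then
"allow any") with a hardened set that blocks WLAN -> LAN1/LAN2 *above*
the catch-all, with one explicit exception for the NAS.  Subnets come
from the post; host addresses and ports below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subnets from the post.
WLAN_NET = ipaddress.ip_network("10.0.2.0/26")
LAN1_NET = ipaddress.ip_network("10.0.0.0/26")
LAN2_NET = ipaddress.ip_network("10.0.1.0/26")
ANY = ipaddress.ip_network("0.0.0.0/0")
# pfSense's own WLAN address (10.0.2.1 in the post's route table).
WLAN_ADDRESS = ipaddress.ip_network("10.0.2.1/32")
# Constructed hosts for the demo.
NAS = ipaddress.ip_network("10.0.0.10/32")       # assumed NAS address on LAN1
PRINTER = "10.0.0.30"                            # assumed printer address on LAN1
INTERNET_HOST = "203.0.113.10"                   # TEST-NET-3, stands in for "the internet"


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port
    note: str = ""


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Model of pfSense per-interface rule evaluation.

    Rules are checked top to bottom and the FIRST match decides; a packet
    that matches nothing hits the implicit default deny.  Returns "pass"
    or "block".
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "block"


def original_wlan_rules() -> List[Rule]:
    """The WLAN rule set as described in the post (443 rule assumed to be a pass)."""
    return [
        Rule("pass", WLAN_NET, WLAN_ADDRESS, 443, "web GUI"),
        Rule("pass", WLAN_NET, WLAN_ADDRESS, 53, "DNS"),
        Rule("pass", WLAN_NET, ANY, None, "allow any: also matches LAN1/LAN2 destinations"),
    ]


def hardened_wlan_rules() -> List[Rule]:
    """Same intent, but cross-subnet traffic is blocked unless listed explicitly.

    The block rules sit ABOVE the catch-all, so first-match stops the leak
    while internet-bound traffic still reaches the final pass rule and the
    default gateway.
    """
    return [
        Rule("pass", WLAN_NET, WLAN_ADDRESS, 443, "web GUI"),
        Rule("pass", WLAN_NET, WLAN_ADDRESS, 53, "DNS"),
        Rule("pass", WLAN_NET, NAS, 445, "explicit exception: SMB to the NAS only"),
        Rule("block", WLAN_NET, LAN1_NET, None, "no other WLAN -> LAN1"),
        Rule("block", WLAN_NET, LAN2_NET, None, "no WLAN -> LAN2"),
        Rule("pass", WLAN_NET, ANY, None, "whatever is left is internet-bound"),
    ]


# Constructed sample flows: (label, src, dst, dport).
SAMPLE_FLOWS = [
    ("wlan->printer:9100", "10.0.2.20", PRINTER, 9100),
    ("wlan->nas:445", "10.0.2.20", "10.0.0.10", 445),
    ("wlan->nas:22", "10.0.2.20", "10.0.0.10", 22),
    ("wlan->lan2-tv:80", "10.0.2.20", "10.0.1.5", 80),
    ("wlan->internet:443", "10.0.2.20", INTERNET_HOST, 443),
    ("wlan->pfsense-dns:53", "10.0.2.20", "10.0.2.1", 53),
]


def leak_report(rules: List[Rule]) -> dict:
    """Evaluate every sample flow against a rule set; handy for diffing rule sets."""
    return {label: evaluate(rules, s, d, p) for label, s, d, p in SAMPLE_FLOWS}


if __name__ == "__main__":
    before, after = leak_report(original_wlan_rules()), leak_report(hardened_wlan_rules())
    for label in before:
        print(f"{label:22} original={before[label]:5}  hardened={after[label]}")
```

Two caveats the model makes visible. First, traffic between two hosts on the same subnet goes through that subnet's switch and never reaches pfSense, so "free traffic inside each subnet" needs no rule at all. Second, the outbound NAT rules added for the cross-subnet fix rewrite the source address of WLAN-to-LAN1 packets to the LAN1 address; pfSense routes directly attached subnets without NAT, and keeping the real source address is what makes per-host rules like the NAS exception above meaningful.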