1xwan, 3xlan, natting & firewall rules problems
-
Hi all, happy to be finally posting here after being a long-standing user of pfsense. Never got stuck before like I am now :)
I have recently redone my installation on my APU-board at home and decided to move away from a bridged setup to 3 separate subnets in the hope to get better flow control and isolate certain devices.
Network layout:
Modem (bridged) -------- pfSense (lan1) ----- pfSense (lan2) ------ pfSense (wlan)
    |-- Several WLAN devices
    |-- TV
    |-- Mediacenter
    |-- Main PC
    |-- NAS
    |-- DevBox
    |-- Printer
    |-- Other stuff
LAN1 = 10.0.0.x/26 - 255.255.255.192 - DHCP: range x.x.x.50 -> x.x.x.60
LAN2 = 10.0.1.x/26 - 255.255.255.192 - DHCP: None
WLAN = 10.0.2.x/26 - 255.255.255.192 - DHCP: range x.x.x.10 -> x.x.x.60
Inbound Pure NAT port forwarding (with auto rules) was set up for making certain services available over the WAN; this works fine.
Straight out of the box this already worked almost perfectly, except that, for example, the NAS was not reachable from the WLAN subnet. All other devices like the printer etc., however, worked fine. Also, the problem was not the NAS itself, as it was reachable from the WAN, from LAN2 and from inside LAN, just not from the WLAN address.
I solved this by setting "outbound NAT" to hybrid and creating the following manual rules:
Natting:
interface | Source      | NAT Address
----------|-------------|------------
LAN1      | 10.0.2.0/26 | LAN1address
LAN1      | 10.0.1.0/26 | LAN1address
(etc. until all subnets have been crosslinked)
My (default) routes look as follows:
Destination   Gateway   Flags   Use       Mtu     Netif
default       x.x.x.x   UGS     320976    1500    re0
10.0.0.0/26   link#2    U       791211    1500    re1
10.0.0.1      link#2    UHS     0         16384   lo0
10.0.1.0/26   link#3    U       181499    1500    re2
10.0.1.1      link#3    UHS     0         16384   lo0
10.0.2.0/26   link#9    U       3629332   1500    ath0_wlan0
10.0.2.1      link#9    UHS     202678    16384   lo0
127.0.0.1     link#8    UH      6642      16384   lo0
Eureka, connections to everywhere are now possible :) Not sure this was the right way to do it, but at least it works, at which point the wife was happy to be able to browse Amazon again :D
We now reach the point where I think I'm stuck: the firewall rules.
Starting at WLAN, just a few rules are on this interface, as I don't want to allow much incoming (unsolicited) traffic on this subnet:
- lockout rule source: WLANnet -> destination: WLANaddress port: 443 https
- source: WLANnet -> destination: WLANaddress port: 53 DNS
- source: WLANnet -> destination: any port: any
This last rule makes my internet work; without it no WLAN device is able to access anything outside the subnet it's in. Logical, really.
However:
- this is also leaking traffic to the other subnets; for example, on LAN1 I do not explicitly allow port 433 of the printer to be accessible, but as long as this "allow any" rule is active that service is reachable from inside the WLAN.
I prolly need to change the way I think about this. Who can point me in the right direction to reach the following goals:
- always allow free traffic inside each subnet
- not to allow crossover traffic to other subnets unless specifically specified
- help packets find their way to the gateway without the help of "allow any"
- VLAN is not an option as I use a couple of switches (1 per subnet) that won't support managed options
What I'm trying to do here is probably not that hard, and I feel I'm close; however, I suspect I'm making a couple of logic errors due to my limited networking knowledge. Any help is appreciated.
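The goals listed above come down to rule ordering on the WLAN interface: pfSense evaluates interface rules top down and the first match wins, so a block rule whose destination is "all local subnets" placed above the "allow any" rule stops cross-subnet leakage while still letting internet-bound packets reach the gateway. The following is an added example, not code from the post or from pfSense: a small first-match evaluator that models the WLAN rule set with and without that block rule. The subnets and the .1 interface addresses are those from the post; the alias name LocalNets, the client address 10.0.2.20, the printer address 10.0.0.30 and the external address 203.0.113.10 are constructed for the example. Traffic between two hosts inside the same subnet never passes through pfSense at all (it is switched), so goal 1 needs no rule.

```python
"""Added example (not from the original post): a minimal first-match rule
evaluator modelled on pfSense interface rules, showing why a block rule for
the local subnets must sit above the allow-any rule on the WLAN interface.
Alias name, host addresses and the external address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subnets from the post; interface addresses (.1) from the quoted routing table.
LAN1_NET = ipaddress.ip_network("10.0.0.0/26")
LAN2_NET = ipaddress.ip_network("10.0.1.0/26")
WLAN_NET = ipaddress.ip_network("10.0.2.0/26")
WLAN_ADDRESS = ipaddress.ip_network("10.0.2.1/32")

# Constructed alias (pfSense "Networks" alias, assumed name LocalNets) grouping
# every local subnet, so one rule covers all cross-subnet destinations.
LOCAL_NETS = [LAN1_NET, LAN2_NET, WLAN_NET]


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]   # empty list means destination "any"
    dport: Optional[int]        # None means any port
    proto: Optional[str]        # None means any protocol
    descr: str


def matches(rule: Rule, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
            dport: int, proto: str) -> bool:
    """True when the packet's 5-tuple fields fit the rule's match criteria."""
    if not any(src in n for n in rule.src):
        return False
    if rule.dst and not any(dst in n for n in rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return True


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             dport: int, proto: str) -> Tuple[str, str]:
    """First matching rule decides; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src, dst, dport, proto):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# The three rules as described in the post: the trailing allow-any also
# reaches every other subnet, which is the leak the poster observed.
ORIGINAL_WLAN_RULES = [
    Rule("pass", [WLAN_NET], [WLAN_ADDRESS], 443, "tcp", "lockout: WLANnet -> WLANaddress https"),
    Rule("pass", [WLAN_NET], [WLAN_ADDRESS], 53, None, "WLANnet -> WLANaddress DNS"),
    Rule("pass", [WLAN_NET], [], None, None, "WLANnet -> any"),
]

# Same rules with one block rule inserted before allow-any. Order matters:
# placed below allow-any it would never be reached.
WLAN_RULES = [
    Rule("pass", [WLAN_NET], [WLAN_ADDRESS], 443, "tcp", "lockout: WLANnet -> WLANaddress https"),
    Rule("pass", [WLAN_NET], [WLAN_ADDRESS], 53, None, "WLANnet -> WLANaddress DNS"),
    Rule("block", [WLAN_NET], LOCAL_NETS, None, None, "WLANnet -> LocalNets (no cross-subnet traffic)"),
    Rule("pass", [WLAN_NET], [], None, None, "WLANnet -> any (everything not local, i.e. internet)"),
]


if __name__ == "__main__":
    client = "10.0.2.20"       # constructed WLAN client
    printer = "10.0.0.30"      # constructed LAN1 printer
    internet = "203.0.113.10"  # constructed external host (TEST-NET-3)
    for name, rules in (("original", ORIGINAL_WLAN_RULES), ("with block", WLAN_RULES)):
        print(name)
        print("  DNS to gateway :", evaluate(rules, client, "10.0.2.1", 53, "udp"))
        print("  LAN1 printer   :", evaluate(rules, client, printer, 631, "tcp"))
        print("  internet https :", evaluate(rules, client, internet, 443, "tcp"))
```

Running the block shows the printer reachable under the original ordering and blocked once the LocalNets rule is in place, while DNS to the WLAN address and HTTPS to the internet pass in both cases. In the pfSense rule editor the same effect can be had with a single pass rule by ticking "Invert match" on a destination of the LocalNets alias (destination "not LocalNets"), and because rules are stateful the replies to those connections need no rules on the other interfaces. Services that should be reachable across subnets (the NAS from WLAN, for instance) then get their own explicit pass rule above the block rule.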