Netgate Discussion Forum

    Accessing other devices on WAN

    • sgmanuk

      I have a Dell R510 running VMware. I have installed pfSense on there in the hope I can remove the hardware firewall and VPN to save power/space. I have everything up and running and it seems to work well. The only thing that has me stumped: on the LAN side I have an IP range 10.1.100.x, subnet 255.255.255.0; on the WAN side I have an IP range 192.168.0.x, subnet 255.255.255.0. The previous router pfSense is replacing would not allow the LAN side to see any other devices in the 192.168.0.x range on the WAN side, which is what I wanted: only access to the internet gateway on 192.168.0.1. Whereas pfSense seems to allow these devices to be seen. Any ideas as to what is causing this?

      E.g. in my browser on the LAN side I can type in 192.168.0.23 and see that machine, which in the past would not happen.

      To add, I basically want to lock it down so that the WAN and LAN are separate: WAN to LAN only has port forwarding static rules, and LAN to WAN the usual NAT, the way a home router behaves. LAN devices see each other and only outbound internet to WAN.

      Many thanks,

      Shaun.

      • viragomann

        pfSense has a default allow any to any rule on the LAN interface and doesn't restrict access to a certain gateway.

        If you want to prevent access to 192.168.0.0/24, add a block rule with that destination to the top of the LAN rule set.

        • johnpoz LAYER 8 Global Moderator

          ^ Exactly.

          But I am curious why you would have anything on this network between your pfSense WAN and your ISP router. Why not just put everything behind pfSense? And if you want to control access between networks, just use simple firewall rules vs. NATing and using port forwarding between RFC 1918 space.

          The network between your ISP and/or your router, if you're having to double NAT with pfSense, should be a transit network. There should be little reason to put devices on this network.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.11 | Lab VMs 2.8.1, 25.11

          • sgmanuk

            Many thanks, guys. The server is in a home setup with the rest of the house on 192.168.0.x; my development boxes are on 10.100.1.x. I have been using another router to separate them in the past but have now moved to pfSense.

            I am going to apply this same setup in the datacenter since we need to downsize the rack for the production environment. This will not have another ISP router / local IP address as the WAN but a live public IP out to the internet.

            I wanted to get to grips with pfSense at home before I did this. I will look at how the any/any rules work, since I do not want other public IPs in the datacentre being able to access the LAN, which sounds like what the any/any rule does… more reading up needed by the sounds of it! :-) Any tips you have would be great for this kind of application.

            • johnpoz LAYER 8 Global Moderator

              "I do not want other public IPs in the datacentre being able to access the LAN, which sounds like what the any/any rule does"

              No, that is not what the any any rule does on LAN… The any any rule on LAN allows the LAN of pfSense to go anywhere it wants. There is no such rule on the WAN, so unsolicited traffic inbound to your WAN would not be able to go anywhere.

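The two answers above (block rule at the top of the LAN rule set; no pass rule on WAN) modelled as an added example that is not part of the original posts or pfSense's own code. It assumes first-match evaluation on the interface where traffic enters; the `Rule` class, the rule lists and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str      # "pass" or "block"
    dst: str         # destination network in CIDR form; 0.0.0.0/0 means any
    desc: str = ""

def evaluate(rules, dst_ip):
    """First matching rule wins; no match falls through to the default deny."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.dst):
            return rule.action
    return "block"

# Constructed rule sets modelled on the thread, not exported from a firewall.
ALLOW_ANY = Rule("pass", "0.0.0.0/0", "default allow LAN to any")
BLOCK_WAN_NET = Rule("block", "192.168.0.0/24", "no access to WAN-side hosts")

LAN_DEFAULT = [ALLOW_ANY]                      # what the poster started with
LAN_LOCKED = [BLOCK_WAN_NET, ALLOW_ANY]        # block rule at the top
LAN_WRONG_ORDER = [ALLOW_ANY, BLOCK_WAN_NET]   # block rule never reached
WAN = []                                       # no pass rules, no port forwards

def report():
    """Return the verdict for each case discussed in the thread."""
    return {
        "default LAN -> 192.168.0.23": evaluate(LAN_DEFAULT, "192.168.0.23"),
        "locked LAN -> 192.168.0.23": evaluate(LAN_LOCKED, "192.168.0.23"),
        # Internet traffic is only routed via 192.168.0.1; its destination
        # address is the remote host, so the block rule does not match it.
        "locked LAN -> 203.0.113.10": evaluate(LAN_LOCKED, "203.0.113.10"),
        # Traffic addressed to the gateway itself (e.g. using it as a DNS
        # server) does match the block rule.
        "locked LAN -> 192.168.0.1": evaluate(LAN_LOCKED, "192.168.0.1"),
        "wrong order -> 192.168.0.23": evaluate(LAN_WRONG_ORDER, "192.168.0.23"),
        # Unsolicited inbound on WAN: nothing matches, default deny applies.
        "WAN -> 10.1.100.50": evaluate(WAN, "10.1.100.50"),
    }

if __name__ == "__main__":
    for case, verdict in report().items():
        print(f"{case:32} {verdict}")
```

Replies to connections opened from the LAN are not shown: they are passed by the firewall's state table, not by WAN rules.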
              • sgmanuk

                Excellent, exactly what I need :-) Many thanks for your help.
