Allow subnet A to initiate connections to subnet B, but not the other way around

  • Okay, so I have a small ESXi home server on which I run pfSense with a few Internet accessible VMs on it.
    Right now the public VMs are on a fully isolated network from my LAN and can only go to the internet.

    However I would want to be able to initiate connections from the PC to the VM for faster local uploads, but not have it the other way around. Like below.

    I know this is possible to do with states in iptables, but I was not able to find an equivalent in pfSense.
    Can anyone point me in the right direction?

  • LAYER 8 Netgate

    Sure. Don't pass connections to LAN on Public VMs interface.

  • LAYER 8 Global Moderator

    Post up your public VMs interface firewall rules on pfSense, and your LAN rules, and we can discuss. But as Derelict stated already, it's a simple rule on the public VM rules to block them from starting conversations with the LAN network. If you allow LAN to talk to the public VMs network on the LAN rules, or have an ANY rule, then they would be able to start conversations with the devices on that network and either upload or download stuff, etc.

  • Huh, coming from DD-WRT and iptables where I had to fiddle around with the firewall script and RELATED, ESTABLISHED states, I expected it would be more difficult.
    It's nice to see pfSense is smart to keep track of connections under the hood.

    Anyway, here are the firewall screenshots if anyone else will seek such a configuration in the future.

    Thanks, Derelict and johnpoz!

  • Your first rule under LAN is unnecessary since the rules below it will pass all traffic to anywhere.

  • LAYER 8 Global Moderator

    Also, you're blocking access to the firewall, which will prevent them from using pfSense as DNS. Are your public VMs pointing to something else for DNS?

    On my more restrictive VLANs, I normally allow access to ping the pfSense interface for a simple connectivity check, and allow DNS to the pfSense interface in that VLAN so they can use pfSense as DNS. Then the block-all-to-this-firewall rule.

    Your rules are fine if you really don't want those VMs to even be able to ping or use pfSense as DNS.
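
The policy Derelict and johnpoz describe (LAN may start connections to the public VMs, the VMs may not start any toward LAN, plus ping and DNS to the firewall's own address before the block-to-this-firewall rule) written out as a pf ruleset. This is an added illustration, not text from the thread and not the ruleset pfSense itself generates from the GUI; the interface names em0/em1 and the two subnets are assumptions chosen for the example:

```pf
# Added example: the thread's policy expressed in pf.conf syntax.
# Not pfSense's generated output. Interfaces and subnets are assumed.
lan_if    = "em0"              # assumed LAN interface
pubvm_if  = "em1"              # assumed Public VMs interface
lan_net   = "192.168.1.0/24"   # assumed LAN subnet
pubvm_net = "192.168.50.0/24"  # assumed Public VMs subnet

set block-policy drop          # drop silently instead of answering with RST/ICMP
set skip on lo0

# Default deny. Every "pass" below keeps state (pf's default), so replies to
# a connection that a rule allowed come back through the state table without
# a rule in the other direction. This is what iptables does with
# "-m state --state RELATED,ESTABLISHED"; here it is implicit.
block all

# pfSense also passes all outbound traffic on each interface; with pf's
# default floating states the forwarded reply is matched by state anyway.
pass out quick all

# LAN interface: LAN hosts may open connections to anything, including the
# Public VMs subnet. The state created here is what lets a VM answer back.
pass in quick on $lan_if inet from $lan_net to any

# Public VMs interface. "quick" makes the first matching rule win, which is
# how pfSense evaluates the rules you see in the GUI, top to bottom.
# 1. Ping the firewall's address on this segment: a cheap connectivity check.
pass in quick on $pubvm_if inet proto icmp from $pubvm_net to ($pubvm_if) icmp-type echoreq
# 2. Use the resolver running on that same address.
pass in quick on $pubvm_if inet proto { tcp udp } from $pubvm_net to ($pubvm_if) port 53
# 3. Nothing else toward any firewall address ("This Firewall" in the GUI).
block in quick on $pubvm_if inet from $pubvm_net to self
# 4. The VMs may not initiate anything toward LAN. LAN->VM traffic never hits
#    this rule: it was allowed on $lan_if and its replies match that state.
block in quick on $pubvm_if inet from $pubvm_net to $lan_net
# 5. Everything else, i.e. the Internet, is allowed.
pass in quick on $pubvm_if inet from $pubvm_net to any
```

The order of rules 3 and 4 relative to rules 1 and 2 is the whole point: the two narrow passes must sit above the block-to-self rule or they never match. If you only want to protect the management services rather than the whole firewall, replace rule 3 with a block that lists the ports (for pfSense's defaults, 22 and 80) and leave the rest of the interface reachable.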

  • Ah, thanks for the tip, I removed that rule now.

    And yeah, I usually just put Google DNS in resolver.conf of all my servers. I guess for troubleshooting it could be useful to be able to ping the pfSense interface, I might switch to just blocking an alias of ports 22 and 80 from the VM subnet.

    Again thanks for the help guys, I'm really loving pfSense so far and the community as well! :D

  • LAYER 8 Global Moderator

    "I usually just put Google DNS in resolver.conf of all my servers."

    Why not point to pfSense? It would be running a resolver out of the box, so you get the advantage of DNSSEC... And your local devices could resolve themselves by name, and you would have a local cache that all your machines could use.

    This way, device 1 looks up www.domain.tld, and when device 2 goes to look it up a few minutes/seconds later, it doesn't have to go out to the public to find the info from Google DNS again. It's cached locally on pfSense.

  • I suppose I could do that, I'll add a rule for the DNS port the next time I'll be messing with it.
