Blocking general access to Internet except for 4 or 5 sites
-
Hi all,
First off, I want to thank all the pfSense developers for saving my neck. My company transitioned from two T-1s to 10MB fiber connections with burst rates up to 100+MB. My old firewall was simply not able to keep up with these faster connections over two WAN ports, so after a week of trying to figure out what was going on we repurposed a Dell server we were going to retire and installed pfSense, mostly out of desperation. Throughput went from 30-40MB to 70+MB. Now all is good, and I will probably purchase a support package in the new year as a big fat thank you!
Now my question. My old firewall had a built-in content filter, so I am not used to restricting Internet access based on firewall rules alone. I have 4 PCs that only need access to a few websites out the WAN1 interface, and full access to a hosted application out the OPT1 (WAN2) interface, which is really a private line.
I created an alias for the 4 "source" PCs. Under the LAN tab, I created a few allow rules using the alias as the source, the IP address of the allowed website as the destination, source port "any", destination ports "http" and "https". I followed these by a block rule using the alias as the source, "any" as the destination, and "any" as the source and destination ports, with logging enabled for testing purposes. All of this preceded the default "allow all" LAN rule. I was getting the expected block messages in the firewall log, but I was still able to freely browse to any website from any of the four "restricted" PCs. Any ideas of what I did wrong?
-
I tried with the following rules (picture below).
After that I did Diagnostics -> States -> Reset states and rebooted the client PC. Then I could only access the allowed sites.
-
I take it the "reset states" was the step I missed? Forgive my ignorance, but why is this necessary? Anyway, I will remote in tonight after closing hours and try again.
Thx!
-
It's only to be sure that no already established connection will fool me, think of it as a DNS cache issue :)
-
Ok, here is the rule set on my LAN interface:
#  Proto  Source     Port  Destination   Port    GW
1  >  *   CircDesks  *     SCLS172HOSTS  *       *
2  >  *   CircDesks  *     CSWhitelist   *       *
3  >  *   CircDesks  *     LAN Net       *       *
4  X  TCP CircDesks  *     *             80-443  *
5  >  *   LAN Net    *     *             *       *
Rule 1 is a pass rule to allow CircDesks (alias for 4 IPs) access to remote hosts out WAN2 via a static route.
Rule 2 is a pass rule to allow CircDesks access to approved Internet (WAN1) Whitelist alias
Rule 3 is a pass rule to ensure CircDesks have access to all hosts on LAN (is this even necessary?)
Rule 4 is a block rule to prevent CircDesks from accessing any other website on the Internet
Rule 5 is the default allow all from LAN Net
Does this look ok? I am going to enable these rules tonight and reset the state table and test.
thx!
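As an added illustration (not code from the thread or from pfSense), the following Python model walks a packet through the five LAN rules above in first-match order and also models the state table, which is what made established sessions keep working until states were reset. The alias contents and addresses are constructed samples; the thread does not give them.

```python
# Added example: first-match model of the LAN rule set from the thread, plus a
# state-table check. Alias contents and addresses below are constructed samples.
from ipaddress import ip_address, ip_network

# Constructed sample alias contents (the thread only names the aliases).
ALIASES = {
    "CircDesks":    ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"],
    "SCLS172HOSTS": ["172.16.0.0/16"],
    "CSWhitelist":  ["203.0.113.10", "203.0.113.20"],
    "LAN Net":      ["10.0.0.0/24"],
}

def matches(field, addr):
    """'*' matches anything; otherwise addr must fall inside one alias entry."""
    if field == "*":
        return True
    return any(ip_address(addr) in ip_network(net, strict=False)
               for net in ALIASES[field])

def port_matches(spec, port):
    """'*' matches any port; 'lo-hi' is an inclusive range like 80-443."""
    if spec == "*":
        return True
    lo, hi = (int(p) for p in spec.split("-"))
    return lo <= port <= hi

# (action, proto, source, destination, dest port), in the order given in the thread.
RULES = [
    ("pass",  "*",   "CircDesks", "SCLS172HOSTS", "*"),
    ("pass",  "*",   "CircDesks", "CSWhitelist",  "*"),
    ("pass",  "*",   "CircDesks", "LAN Net",      "*"),
    ("block", "tcp", "CircDesks", "*",            "80-443"),
    ("pass",  "*",   "LAN Net",   "*",            "*"),
]

def evaluate(proto, src, dst, dport, states=frozenset()):
    """Return (rule number, action) for the first rule that matches.
    A packet belonging to an existing state never consults the rules at all,
    which is why "reset states" was needed after adding the block rule."""
    if (proto, src, dst, dport) in states:
        return (0, "pass (existing state)")
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(RULES, start=1):
        if (r_proto in ("*", proto) and matches(r_src, src)
                and matches(r_dst, dst) and port_matches(r_port, dport)):
            return (n, action)
    return (None, "block (default deny)")
```

Running it also shows that rule 4 only covers TCP 80-443 as written, so traffic from CircDesks to any other Internet port falls through to rule 5 and is allowed.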
-
1. Not sure, but I would have changed GW to WAN2
2. ok
3. LAN address (for access to DNS forwarder etc.)
4. ok
5. ok
-
Hey,
thx for the responses.
Regarding rule 1, I left GW to "any" because of the static route I have that forwards all 172.X bound traffic out the WAN2 interface.
Regarding rule 3, not sure what you mean - LAN Net is not an alias, but the destination choice in the pfSense drop-down menu - I was not able to enter an actual subnet.
thx again!
-
but the destination choice in the pfsense drop down menu
So is LAN address (see the first rule in the picture).
As you already are on LAN Net you only need access to services on pfSense.
-
Thx for your help Perry - things seem to be working as expected. Bit of a pain though - had to monitor the block logs to figure out why some of the whitelisted sites were loading slowly. Had to track down and allow all the embedded crap (VeriSign, etc.). But all is good now.
pfsense rocks!