Firewall Rule Help



  • I have a device with 3 ports configured:  WAN (static public IP w/ 500Mbps fiber), LAN1 (192.168.10.1), and LAN2 (192.168.20.1).  LAN1 and LAN2 both need internet access.  LAN1 needs to access devices on LAN2 (specifically 192.168.20.4 which is the DVR).  LAN2 should not be able to access devices on LAN1.

    Here are my rules:  (I'll edit until they are readable.  Not sure how to get them to display nicely.)

    WAN:

    
    	ID 	Proto 	Source 				Port 	Destination 	Port 	Gateway 	Queue 	Schedule 	Description
    Blck	  	* 	RFC 1918 networks 		* 	* 		* 	*	 	* 	  		Block private networks
    Blck	  	* 	Reserved/not assigned by IANA 	* 	*	 	* 	* 		* 	* 		Block bogon networks
    
    

    LAN1:

    
    	ID 	Proto 	Source 	Port 	Destination 	Port 	Gateway 	Queue 	Schedule 	Description
    Pass	  	* 	* 	* 	LAN1 Address 	80 9022	*		* 	  		Anti-Lockout Rule
    Blck	  	IPv4*	LAN2net	* 	LAN1 net 	* 	* 		none 	  		Block LAN2
    Pass	  	IPv4* 	LAN1net	* 	* 		* 	* 		none 	  		Default allow LAN1 to any rule
    Pass	  	IPv4* 	* 	* 	192.168.20.4 	* 	* 		none 	  		DVR 
    
    

    LAN2:

    
    	ID 	Proto 	Source 		Port 	Destination 	Port 	Gateway 	Queue 	Schedule 	Description
    Pass	  	IPv4*	LAN2net		* 	* 		* 	* 		none 	  		Default allow LAN2 to any rule  
    Pass	  	IPv4*	LAN1net		* 	* 		* 	* 		none 	  		LAN1 Connection 
    Pass	  	IPv4*	192.168.20.4 	* 	* 		* 	* 		none 	  		Allow All  
    
    

    I know it isn't right since LAN2 has access to LAN2 but when I try to set it up the right way LAN2 doesn't get any internet access.  What changes can I make so that LAN1 and LAN2 can get out to the internet and LAN1 has access to LAN2 but LAN2 doesn't have access to LAN1?  Thanks for any help!

    Edit:  Hope it's readable now!



  • Firwall rules are applied on the incoming interface. So a rule with source = LAN2net on LAN1 interface will not have any effect.

    Your rule set may look like this way:

    LAN1:

    
              ID       Proto       Source     Port     Destination       Port       Gateway        Queue       Schedule        Description
    Pass               *           *          *        LAN1 Address      80 9022    *              *                           Anti-Lockout Rule
    Pass               IPv4*       LAN1net    *        192.168.20.4      *          *              none                        DVR
    Block              IPv4*       *          *        RFC1918           *          *              none                        Block internal networks
    Pass               IPv4*       LAN1net    *        *                 *          *              none                        Default allow LAN1 to any rule
    
    

    LAN2:

    
              ID       Proto       Source     Port     Destination       Port       Gateway        Queue       Schedule        Description
    Block              IPv4*       *          *        RFC1918           *          *              none                        Block internal networks
    Pass               IPv4*       LAN2net    *        *                 *          *              none                        allow Internet
    
    

    RFC1918 is an alias which includes all RFC 1918 networks. This will still be save if you add an additional private network in the future.



  • Interesting.  I didn't know about using RFC1918 as an alias to block internal networks.  I tried just using * but it didn't do what I wanted.  I'll give it a shot.

    Edit:  Using RFC1918 results in an error of "RFC1918 is not a valid destination IP address or alias."  Is it an alias I need to create?



  • Make your own similar alias using:

    RFC1918
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16
    127.0.0.0/8



  • @KOM:

    Make your own similar alias using:

    RFC1918
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16
    127.0.0.0/8

    Thanks.  I'd created an alias with just the 192.168.0.0/16 but you're right that it's a good idea to have them all in there.  Thanks!

    Edit:  Wouldn't we then be saying to block even the subnet that it is on?  You're saying to block anything from that subnet going to a private IP of any subnet (including its own) then block it.  Would I then need a rule that says to allow from the LAN2 Net to LAN2 Net above the RFC1918 rule on the LAN2 Interface?  Like:

    
    	ID 	Proto 	Source 		Port 	Destination 	Port 	Gateway 	Queue 	Schedule 	Description
    Pass	  	IPv4*	LAN2net		* 	LAN2Net 		* 	* 		none 	  	Allow subnet to communicate on port
    


  • Inter-LAN traffic doesn't hit the gateway, so pfSense would not be involved in those comms at all.  pfSense and the pf firewall only come into play when the traffic is leaving the network for another.



  • @KOM:

    Inter-LAN traffic doesn't hit the gateway, so pfSense would not be involved in those comms at all.  pfSense and the pf firewall only come into play when the traffic is leaving the network for another.

    OK.  So it only affects if it goes across from one interface to another.  I thought the inspection happened as the packet was received.



  • Hosts on the same subnet can find each other and talk to each other without needing a gateway.  The packets are routed directly unless the destination is outside the scope of the network (subnet mask), at which point they get sent to the default gateway instead.



  • @KOM:

    Hosts on the same subnet can find each other and talk to each other without needing a gateway.  The packets are routed directly unless the destination is outside the scope of the network (subnet mask), at which point they get sent to the default gateway instead.

    What about logging into the router?  If I'm at 192.168.20.2 and the Router is 192.168.20.1 and I'm blocking all private traffic, wouldn't that request to connect to the router be rejected?



  • That is what the "Anti-lockout rule" on LAN interface is for. As you have activated "Anti-lockout" in the System > Advanced > Admin access this rule is set and you can't delete it from the rule set.

    So logging in to the Web-GUI is only possible from LAN network. If you want to restrict the access to only one or a few source IPs you have to create your own anti-lockout rule and remove the check from Anti-lockout.



  • Got it.  Thanks.  Looking back at the things I was doing wrong, it seems I was setting the right rules on the wrong interfaces or specifying the wrong interface source.  Thanks for all the help.