Questions on Security Strength of My pfSense Firewall, DMZ Network and IPsec VPN



  • I have just setup my computer network with pfSense firewall according to the network topology diagram below.

    My pfSense firewall appliance is acting as the DHCP server and IPsec VPN server for mobile road warrior clients. It has three Gigabit network interfaces, namely WAN (em0), LAN (re0), and DMZ (re1). The purpose of the DMZ network is to host all the servers while all the client machines are connected to the LAN network.

    My security policies are defined as follows:

    (1) All incoming connections from the internet are blocked, but of course pfsense firewall automatically add rules for IPsec VPN and NAT-T to work.

    (2) All the clients on the LAN network are allowed to access the internet.

    (3) SSH connections from the LAN network to the pfsense firewall are blocked.

    (4) All the clients on the LAN network are allowed to access the pfsense web GUI.

    (5) All the clients on the LAN network are allowed to access the DMZ network.

    (6) All the servers on the DMZ network are allowed to access the internet.

    (7) SSH connections from the DMZ network to the pfsense firewall are blocked.

    (8 ) Servers on the DMZ network are not allowed to access the pfsense web GUI.

    (9) Servers on the DMZ network are not allowed to access the LAN network. (segregation)

    (10) IPsec VPN mobile clients can only access the DMZ network and NOT the LAN network. (segregation)

    (11) Mobile clients connected through IPsec VPN are allowed to access the internet.

    (12) SSH connections from IPsec VPN mobile clients are not allowed to access the pfsense firewall.

    (13) Mobile clients connected through IPsec VPN are not allowed to access the pfsense web GUI.

    My questions are as follows:

    (1) I have a wireless Access Point (AP) with the IP address 192.168.2.2 in the DMZ network. All the wireless clients access the internet through the DMZ network. I can ping the DMZ interface 192.168.2.1 and a Linux machine in the DMZ network from the LAN network. But why can't I access the wireless AP web GUI from the LAN network? I can only access the wireless AP web GUI when I join the DMZ network. Is it because of some access controls on my wireless AP or missing pfsense firewall rules restricting access to the wireless AP web GUI from the LAN network?

    (2) My mobile road warrior IPsec VPN clients can access the internet through their own ISP but not the ISP of the pfsense firewall. How can I configure the pfsense firewall such that the mobile IPsec VPN clients can access the internet through the ISP of the pfsense firewall, according to the screenshots below?

    (3) Are my computer network and pfsense firewall secure based on the pfsense firewall rules configured in the screenshots below?

    (4) Is any one of the above 13 security policies not being enforced when examining the pfsense firewall rules in the screenshots below?

    Please advise.

    Thank you very much.

    Mr. Turritopsis Dohrnii Teo En Ming
    Singapore

    Network Topology Diagram:

    https://i.imgur.com/EZk9Fka.jpg

    pfSense Firewall Configuration Screenshots:

    https://i.imgur.com/jX3fyuk.png

    https://i.imgur.com/mGtcrDT.png

    https://i.imgur.com/M7xJSOe.png

    https://i.imgur.com/6gyW9nK.png

    https://i.imgur.com/w74liCi.png

    https://i.imgur.com/hOp3b4b.png

    https://i.imgur.com/ijITIj0.png

    https://i.imgur.com/8vS4WLH.png

    https://i.imgur.com/I7Bgayb.png

    https://i.imgur.com/JPEwkqx.png

    https://i.imgur.com/L3cZrb4.png

    https://i.imgur.com/u0ePiYS.png

    https://i.imgur.com/8sn9m7p.png

    https://i.imgur.com/Hh6wsMo.png

    https://i.imgur.com/WxMPMxm.png

    https://i.imgur.com/gKLPaCX.png

    https://i.imgur.com/it3Lcsb.png

    https://i.imgur.com/7kRwiwl.png

    https://i.imgur.com/iZFx8gT.png

    https://i.imgur.com/1tb10rf.png

    https://i.imgur.com/7WloaKx.png

    https://i.imgur.com/UYYt4NF.png

    https://i.imgur.com/QEA0Ati.png

    https://i.imgur.com/Dw4JxXu.png

    https://i.imgur.com/iSKD5C4.png


  • Galactic Empire

    @Teo:

    (1) I have a wireless Access Point (AP) with the IP address 192.168.2.2 in the DMZ network. All the wireless clients access the internet through the DMZ network. I can ping the DMZ interface 192.168.2.1 and a Linux machine in the DMZ network from the LAN network. But why can't I access the wireless AP web GUI from the LAN network? I can only access the wireless AP web GUI when I join the DMZ network. Is it because of some access controls on my wireless AP or missing pfsense firewall rules restricting access to the wireless AP web GUI from the LAN network?

    You'll need a static route on the AP for the 192.168.1.0/24 network to point via 192.168.2.1, pfSense will allow traffic from the DMZ network to the LAN if the originating packet came from the LAN and the LAN has an ANY rule.


  • Galactic Empire

    @Teo:

    (2) My mobile road warrior IPsec VPN clients can access the internet through their own ISP but not the ISP of the pfsense firewall. How can I configure the pfsense firewall such that the mobile IPsec VPN clients can access the internet through the ISP of the pfsense firewall, according to the screenshots below?

    VPN -> IPsec -> Mobile Clients -> Edit -> Phase 2

    Try changing Local Network to network and set the address to 0.0.0.0/0



  • @NogBadTheBad:

    @Teo:

    (1) I have a wireless Access Point (AP) with the IP address 192.168.2.2 in the DMZ network. All the wireless clients access the internet through the DMZ network. I can ping the DMZ interface 192.168.2.1 and a Linux machine in the DMZ network from the LAN network. But why can't I access the wireless AP web GUI from the LAN network? I can only access the wireless AP web GUI when I join the DMZ network. Is it because of some access controls on my wireless AP or missing pfsense firewall rules restricting access to the wireless AP web GUI from the LAN network?

    You'll need a static route on the AP for the 192.168.1.0/24 network to point via 192.168.2.1, pfSense will allow traffic from the DMZ network to the LAN if the originating packet came from the LAN and the LAN has an ANY rule.

    Thank you NogBadTheBad! It works!

    I have already added a static route in my wireless AP connected to my DMZ interface.

    Destination Network: 192.168.1.0
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.2.1



  • @NogBadTheBad:

    @Teo:

    (2) My mobile road warrior IPsec VPN clients can access the internet through their own ISP but not the ISP of the pfsense firewall. How can I configure the pfsense firewall such that the mobile IPsec VPN clients can access the internet through the ISP of the pfsense firewall, according to the screenshots below?

    VPN -> IPsec -> Mobile Clients -> Edit -> Phase 2

    Try changing Local Network to network and set the address to 0.0.0.0/0

    Would that allow mobile IPsec VPN clients to access my LAN network as well? Because I want to restrict mobile IPsec VPN clients to accessing only the DMZ network.

    Thank you.


  • Galactic Empire

    @Teo:

    @NogBadTheBad:

    @Teo:

    (2) My mobile road warrior IPsec VPN clients can access the internet through their own ISP but not the ISP of the pfsense firewall. How can I configure the pfsense firewall such that the mobile IPsec VPN clients can access the internet through the ISP of the pfsense firewall, according to the screenshots below?

    VPN -> IPsec -> Mobile Clients -> Edit -> Phase 2

    Try changing Local Network to network and set the address to 0.0.0.0/0

    Would that allow mobile IPsec VPN clients to access my LAN network as well? Because I want to restrict mobile IPsec VPN clients to accessing only the DMZ network.

    Thank you.

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    It passes all traffic from the client across the VPN.

    You'll need firewall rules on the  IPsec interface to block access to your LAN.

    Give it a go and see what you can / can't access :)



  • Shrew Soft VPN Client Configuration Screenshots:

    1.

    2.

    3.

    4.

    5.

    6.

    7.

    8.

    9.

    10.

    11.

    12.



  • @Teo:

    @NogBadTheBad:

    @Teo:

    (1) I have a wireless Access Point (AP) with the IP address 192.168.2.2 in the DMZ network. All the wireless clients access the internet through the DMZ network. I can ping the DMZ interface 192.168.2.1 and a Linux machine in the DMZ network from the LAN network. But why can't I access the wireless AP web GUI from the LAN network? I can only access the wireless AP web GUI when I join the DMZ network. Is it because of some access controls on my wireless AP or missing pfsense firewall rules restricting access to the wireless AP web GUI from the LAN network?

    You'll need a static route on the AP for the 192.168.1.0/24 network to point via 192.168.2.1, pfSense will allow traffic from the DMZ network to the LAN if the originating packet came from the LAN and the LAN has an ANY rule.

    Thank you NogBadTheBad! It works!

    I have already added a static route in my wireless AP connected to my DMZ interface.

    Destination Network: 192.168.1.0
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.2.1

    Hi!

    After I added the above static route in my wireless AP in the DMZ network, my mobile IPsec VPN clients can no longer access the DMZ network any more.

    It is only after I have removed all static routes in my wireless AP that mobile IPsec VPN clients are able to access the DMZ network.

    What should I do???????


  • Galactic Empire

    Did you add the firewall rule ?

    If you did try changing it to an any any rule and does it then work?

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Add_Firewall_Rules_for_IPsec

    TBH I just followed https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and it worked, I then tweaked my settings to suit what I wanted after.


Log in to reply