Invert match doesn't work
-
Thanks to you both!!
Could you show me an example how to in the rules?
Cheers Qinn
-
^yup that is what I have exactly
I now have this, I have only allowed port 53 on the gateway, this seems enough. Maybe a stupid question, but why don't it need an open port on dhcp, orto rephrase that why does it get an IP address?
-
When you enable dhcp server, pfsense creates rules that are not shown in the gui. There are a few rules like this.
Here is the thing if they didn't auto create the dhcp rules - every other day there would be a question about dhcp not working.. Did you create the firewall rules, lets see them because 999.99999 out of 100 you did it wrong ;)
If you are wanting to block guests to all things yours. Is your wan public or rfc1918? Since your guest could hit your gui via the wan IP coming from the "lan" side like they are.. This is the good use of "this firewall" built in alias. This is any IP the firewall has.
I personally would allow ping to the pfsense address, so you can validate your guest can talk to pfsense.. And you sure you want guest to only have tcp outbound? So you don't want them to be able to ping anything out on the internet or use udp?
-
When you enable dhcp server, pfsense creates rules that are not shown in the gui. There are a few rules like this.
Here is the thing if they didn't auto create the dhcp rules - every other day there would be a question about dhcp not working.. Did you create the firewall rules, lets see them because 999.99999 out of 100 you did it wrong ;)
If you are wanting to block guests to all things yours. Is your wan public or rfc1918? Since your guest could hit your gui via the wan IP coming from the "lan" side like they are.. This is the good use of "this firewall" built in alias. This is any IP the firewall has.
I personally would allow ping to the pfsense address, so you can validate your guest can talk to pfsense.. And you sure you want guest to only have tcp outbound? So you don't want them to be able to ping anything out on the internet or use udp?
Aha, I did not know that about port 67 (DHCP), it seems logic.
I don't understand what you mean here "Is your wan public or rfc1918?" could you explain a bit more? Although, I don't understand it Yet, I think I have added that rule, I choose a reject or would you advise a block?
-
"Is your wan public or rfc1918?" could you explain a bit more?"
Huh? How is it you just created a alias for rfc1918 space but you do not know what it is?
If your wan starts with 10.x or 172.16-31.x or 192.168.x then its rfc1918 and your alias rule would block all access. If it was public say 62.14.45.x then your rule would not block it and your allow on the bottom would users hit your wan IP, ie the gui or ssh etc. from this network.
Rules are evaluated at they enter a interface, top down first rule to trigger wins, no other rules are evaluated. So while default on wan is deny - that is when your coming from the WAN direction towards pfsense. If your behind pfsense you can hit that IP all day long on any service listening on it. This is where the "this firewall" rule alias comes in handy. For example maybe you want opt1 net to go to your lan net to get to stuff. But you don't want opt1 net to be able to get to the web gui on the lan IP..
-
That rule will not block access to the internet even if the WAN is RFC1918-addressed. It would block access to the things on WAN net like the ISP gateway in that case.
-
"Is your wan public or rfc1918?" could you explain a bit more?"
Huh? How is it you just created a alias for rfc1918 space but you do not know what it is?
Well I know what RFC1918 means (private subnets), but I don't understand that a WAN could be part of that? To my best of my knowledge, WAN always means not private subnet. So I hope you can provide me with an practical example so I can understand it.
I also still don't understand that my xDSL modem has a RFC1980 address and is accessible as it is on the WAN side, but it works.
LAN–--------------WAN---------------xDSLModem (Draytek 130 in PPPoA to PPPoE bridge mode)
192.168.1.x 83.161.x.x 192.168.100.1 -
That rule will not block access to the internet even if the WAN is RFC1918-addressed. It would block access to the things on WAN net like the ISP gateway in that case.
Hmmm, trying to grasp that one…
-
That rule will only block packets that has a destination matching a RFC1918 address.
The internet is "everything but RFC1918" , so no destination match.Rules matches an (end) destination.
/Bingo
-
"WAN always means not private subnet"
Wan is just something that is not local to you - ie the internet is a wan, your wan side connection to the internet is just your transit network to networks other than your local networks.
There are many reasons why your wan IP could be rfc1918.. your ISP is doing carrier grade nat. Your behind your isp router that does not allow bridge mode and so your behind a double nat. Pfsense is just a downstream router in a larger network, etc..
My point was if you don't want users on that network to be able to get to web gui, you would need to block your wan IP if it was public - if your wan was rfc1918 then your rule would block that access as well.
Seems users have a real problem with what a wan actually is - all your wan network is the transit network to networks that are not your.. Putting rules like blocking access or allowing access to wan net is just that that actual network be it some rfc1918 because your behind a nat router or carrier grade nat or be a public segment that can route on the network and is just some segment off the ISP network, etc.
-
That rule will only block packets that has a destination matching a RFC1918 address.
The internet is "everything but RFC1918" , so no destination match.Rules matches an (end) destination.
/Bingo
Thanks!
-
"WAN always means not private subnet"
Wan is just something that is not local to you - ie the internet is a wan, your wan side connection to the internet is just your transit network to networks other than your local networks.
There are many reasons why your wan IP could be rfc1918.. your ISP is doing carrier grade nat. Your behind your isp router that does not allow bridge mode and so your behind a double nat. Pfsense is just a downstream router in a larger network, etc..
My point was if you don't want users on that network to be able to get to web gui, you would need to block your wan IP if it was public - if your wan was rfc1918 then your rule would block that access as well.
Seems users have a real problem with what a wan actually is - all your wan network is the transit network to networks that are not your.. Putting rules like blocking access or allowing access to wan net is just that that actual network be it some rfc1918 because your behind a nat router or carrier grade nat or be a public segment that can route on the network and is just some segment off the ISP network, etc.
Thanks, for explaining it!
What I also would like to know is, why does anyone who only wants to, lets say guests, give access to the internet, do it like, block everything and as a last rule grant access to everywhere.
Why not, as in pfSense by default everything is blocked (apart from port 67 DHCP), only grant access to the internet?
-
Huh?? Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.
Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule. But if you create new networks you would have to put in the rules you want. But the internet is made up of lots of networks.. As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc. But in general if not rfc1918 space its the "internet"
There are many protocols on the internet not just tcp, udp and icmp.. You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule. You can always limit that how you see fit.
How exactly would you create dest that was "internet"?? It really could be anything.
-
In the rules I have (see attachment), with the last rule, I grant the guests to access anything anywhere, so at that point, I throw out the default rule that everything is blocked. IMHO it would be better, when there is a default rule that block you to go anywhere, not to through this away at the last rule.
Huh?? Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.
Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule. But if you create new networks you would have to put in the rules you want. But the internet is made up of lots of networks..As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc. But in general if not rfc1918 space its the "internet"
There are many protocols on the internet not just tcp, udp and icmp.. You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule. You can always limit that how you see fit.
How exactly would you create dest that was "internet"?? It really could be anything.
Maybe it's stupid qeustion, but to me it would seem logical that if I would create a pass rule from Guest net to WAN net, it would give internet access to the guests. Than one rule would be enough, as everything else will be blocked by the default rule.
-
In the rules I have (see attachment), with the last rule, I grant the guests to access anything anywhere, so at that point, I throw out the default rule that everything is blocked. IMHO it would be better, when there is a default rule that block you to go anywhere, not to through this away at the last rule.
Huh?? Any firewall out there the default is always deny.. Unless your talking some off the shelf router designed for users on 1 flat network and pretty much all it does is NAT.
Out of the box this is how pfsense will act for the 1st network "lan" buy creating a any any rule. But if you create new networks you would have to put in the rules you want. But the internet is made up of lots of networks..As stated pretty much any IP that does not fall to rfc1918 is internet.. Other than some other special networks and the few that have not been assigned, etc. But in general if not rfc1918 space its the "internet"
There are many protocols on the internet not just tcp, udp and icmp.. You never know what exactly a client behind pfsense will need to go and do.. So if you want to allow internet its general you create a any any rule. You can always limit that how you see fit.
How exactly would you create dest that was "internet"?? It really could be anything.
Maybe it's stupid qeustion, but to me it would seem logical that if I would create a pass rule from Guest net to WAN net, it would give internet access to the guests. Than one rule would be enough, as everything else will be blocked by the default rule.
The guest net is the network attached to the guest interface.
The WAN net is the network attached to the WAN interface.
–> Not the internet. -
The guest net is the network attached to the guest interface.
The WAN net is the network attached to the WAN interface.
–> Not the internet.–-> Not the internet :o , do you mean the ISP and where is it (meaning the internet) then connected to?
-
The internet is mostly the inverse of RFC1918:
All subnets which are not private.
There are some other special cases like RFC3927 (169.254/16)
Take a look at https://en.wikipedia.org/wiki/IPv4#Special-use_addresses.When you create a rule with as destination "WAN net" then it means exactly that:
The network between you and your ISP.
Generally not what you want.When you mean "the internet", you usually mean "any".
-
The WAN network is the directly connected network segment that is reachable from the WAN interface via ARP (hosts that are in the same broadcast domain talk to each other with the assistance of ARP), that's the simplest way to put it. In other words connections to that network segment from the WAN interface on pfSense can be done without the assistance of the gateway (the default gateway of pfSense) on the WAN network.
You have to grasp what a connection means in internet terms. It's simply one or more IP packets sent from sending host to a destination address and the destination address in the IP packets (also source address if desired) is what pfSense uses for filtering. What is used as the transport (routers etc.) between the sending host and the destination address doesn't matter for the firewall rules, that information is not available for filtering on pfSense, all filtering is done based on the information available in the IP headers of the IP packets flowing trough the filtering engine.
-
Aha, thanks to you both for explaining that to me, the concept WAN not being Internet was never clear to me.
-
Back on topic, I still don't understand what is wrong (as I can't believe inverted rule are broken).
I added my rule set on the WLAN interface and have logging enabled first with the inverted rule enabled and the log file that confirms a user passing from WLAN to LAN (192.168.5.46 to 192.168.1.1), which I do not understand and to the best of my knowledge should be possible with the inverted rule enabled.
Then just as a check I disable the inverted rule and as you can see access to the LAN is blocked?Again thanks for any help advise on this,
Cheers Qinn
