Best way to isolate an IP from everything BUT the internet

ice_mf_mike

Hello,

Trying to figure out the best way to have my IoT devices segmented. What is the easiest method? If just using a firewall, would i create a deny rule and then a pass rule from the lan to the wan interface? What about if i went the vlan route?

My network is setup as a double Nat. See attached.

Thanks!

lcobYBf.png_thumb

Derelict

Create another interface. VLAN or physical.

Put your IoT devices on that.

Pass the local traffic they need access to (DNS resolver, etc)
Block the traffic you do not want them to have access to (LAN Net, This Firewall etc.)
Pass traffic to any (The Internet is not destination WAN net it is destination any.

Something like the attached. You might be able to get away with defining an RFC1918 alias instead of local nets containing 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8. You will likely need to maintain an alias of local IPv6 you wish to block though as those are generally all routable addresses.

If you wish to keep them on the same subnet, you would need your switch to isolate the ports. Many can do so. That must be done in the switch since same-subnet traffic is not routed so the firewall never even sees it.

![Screen Shot 2017-08-06 at 2.26.11 PM.png](/public/imported_attachments/1/Screen Shot 2017-08-06 at 2.26.11 PM.png)
![Screen Shot 2017-08-06 at 2.26.11 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-08-06 at 2.26.11 PM.png_thumb)

ice_mf_mike

ahh so i cant do this in pfsense. I HAVE to do it in the switch if i want to keep it on the same subnet?

I was thinking this might work to block 10.0.1.2 from everything but the internet but it does not. Maybe i will try the vlan option. WHen you say create another interface, would that require more ports on the pfsense? Or is this more virtual?

Thanks.

![ss firewallrules.png](/public/imported_attachments/1/ss firewallrules.png)
![ss firewallrules.png_thumb](/public/imported_attachments/1/ss firewallrules.png_thumb)

SammyWoo

^What he says.

Why bother with rules, taking up more cpu bandwidth and complicate your rules table when you can do this at the hardware level.

Derelict

Same subnet traffic is not processed by the firewall at all. This is fundamental IP networking/routing.

You can create a VLAN on the existing interface and set it to tagged on the switch.

If igb1 goes to the switch:

Create VLAN 20 on igb1 Interfaces > Assignments, VLANs

Interfaces > Assignments and create new OPTX interface using VLAN 20 on igb1

Edit the interface, enable it, number it, enable a DHCP server for it, etc.

Create a pass any any firewall rule on OPTX

Tag VLAN 20 on the switch port going to igb1

Put a switchport untagged on VLAN 20

Connect a test device to it. Be sure you get an address in the correct scope, can get out to the internet, etc.

Tighten the firewall rules as described above.

ice_mf_mike

@Derelict:

Same subnet traffic is not processed by the firewall at all. This is fundamental IP networking/routing.

You can create a VLAN on the existing interface and set it to tagged on the switch.

If igb1 goes to the switch:

Create VLAN 20 on igb1 Interfaces > Assignments, VLANs

Interfaces > Assignments and create new OPTX interface using VLAN 20 on igb1

Edit the interface, enable it, number it, enable a DHCP server for it, etc.

Create a pass any any firewall rule on OPTX

Tag VLAN 20 on the switch port going to igb1

Put a switchport untagged on VLAN 20

Connect a test device to it. Be sure you get an address in the correct scope, can get out to the internet, etc.

Tighten the firewall rules as described above.

Ok i have a new inteface for vlan on opt1. But i dont see an option to enable dhcp for that interface. On the interfaces page i do have dhcp enabled.

ssdchp.png_thumb

Derelict

Services > DHCP Server

I didn't outline every click necessary.

ice_mf_mike

@Derelict:

Services > DHCP Server

I didn't outline every click necessary.

Yes, my screenshot was from that page. It only gives me the option to adjust the LAN interface.

Derelict

Then you hosed up the numbering of the new OPTX interface. You probably set a /32 netmask there.

ice_mf_mike

@Derelict:

Then you hosed up the numbering of the new OPTX interface. You probably set a /32 netmask there.

I used a /24.

Any other ideas?

827ABEBF-C12C-4A0C-908E-71AFE16E8BCA.png_thumb

Derelict

You need to statically set annb address on the new interface to the new subnet you want on that interface. Do it just like LAN.

ice_mf_mike

@Derelict:

You need to statically set annb address on the new interface to the new subnet you want on that interface. Do it just like LAN.

So you mean i should use /32?

Derelict

No.

You are making a new subnet on a new interface. You need to number the interface then create a DHCP server.

Example interface configuration attached.

screenshot-2018-04-07-16-00-28.png_thumb

ice_mf_mike

@Derelict:

No.

You are making a new subnet on a new interface. You need to number the interface then create a DHCP server.

Example interface configuration attached.

Thanks! The static ip did the trick. Ok. So i have the opt interface configured. DHCP configured. the computer plugged into the opt1 port on the sg-3100. But it will not pull an IP address. Static does not allow it to connect to anything either.

Any ideas?

![ss opt1.png](/public/imported_attachments/1/ss opt1.png)
![ss opt1.png_thumb](/public/imported_attachments/1/ss opt1.png_thumb)
![dhcp ss.png](/public/imported_attachments/1/dhcp ss.png)
![dhcp ss.png_thumb](/public/imported_attachments/1/dhcp ss.png_thumb)

firewallss.png_thumb

Derelict

Did you make a VLAN or not?

When the device is connected to the port does the status go to up in Status > Interfaces?

You have protocols TCP and UDP on your firewall rule. That will not pass pings, for instance. Change that to protocol any unless you can articulate why you need just TCP/UDP.

https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

ice_mf_mike

@Derelict:

Did you make a VLAN or not?

When the device is connected to the port does the status go to up in Status > Interfaces?

You have protocols TCP and UDP on your firewall rule. That will not pass pings, for instance. Change that to protocol any unless you can articulate why you need just TCP/UDP.

https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

Yes i made a VLAN when first started. Used 320 as the ID. Also the interface shows as up.

vlanss.png_thumb

Derelict

Then you have to tag the traffic with VLAN ID 320. You mighht be able to do that in the NIC settings on your computer, but it would probably be easier to connect it to a switch that is configured for TAGGED VLAN 320, then connect your test device to a port on the switch that is UNTAGGED for VLAN 320.

ice_mf_mike

@Derelict:

Then you have to tag the traffic with VLAN ID 320. You mighht be able to do that in the NIC settings on your computer, but it would probably be easier to connect it to a switch that is configured for TAGGED VLAN 320, then connect your test device to a port on the switch that is UNTAGGED for VLAN 320.

Im using a SG-3100. How can i do that with this hardware?

Derelict

Post your Interfaces > Assignments screen

And Interfaces > Switches, Ports

And Interfaces > Switches, VLANs

ice_mf_mike

@Derelict:

Post your Interfaces > Assignments screen

And Interfaces > Switches, Ports

And Interfaces > Switches, VLANs

posted. Thanks again for the help here.

ports.png_thumb

vlans.png_thumb
![interface assignments.png](/public/imported_attachments/1/interface assignments.png)
![interface assignments.png_thumb](/public/imported_attachments/1/interface assignments.png_thumb)