Netgate Discussion Forum
How do I isolate networks with Squid, Services still being Resolved

Firewalling (11 posts, 2 posters, 701 views)
mich04, Apr 20, 2018, 3:15 PM

    Hi, I have been scratching my head on this for a few weeks. I have a personal web server that hosts things like Nextcloud. I have recently decided to isolate my VLANs from seeing each other. Here are the VLAN labels:

    Cameras
    Video
    Beta
    Web_Server

    Right now I have been able to isolate Cameras and Video from Web_Server, but Beta is still able to access Nextcloud. Here is an overview of the rules:

    Cameras: pass rules
    Cameras net to Cameras address              DNS
    Cameras net to Cameras net
    Cameras: block rules
    anywhere to Isolate_Cameras alias
    anywhere to anywhere

    Video: pass rules
    Video net to Video address                  DNS
    Video net to Video address                  NTP
    Video: block rules
    Video net to anywhere                       DNS
    Video net to RFC1918 alias
    Video: pass rules
    Video net to anywhere

    Beta: pass rules
    Beta net to Beta address                    DNS
    Beta net to Beta address                    ICMP
    Beta net to Beta net                        Allowed between clients (Alias Ports)
    Beta net to !Local Subnets                  Allowed Out (Alias Ports)
    Beta net to Beta address                    Allowed to pfSense (Alias Ports)
    Beta: block rules
    Beta to Isolate_Beta
    Beta net to anywhere                        DNS
    Beta net to anywhere                        NTP
    Beta net to anywhere

    I am running Squid on Beta.
    Also, in my logs I do see SSH and things like that being blocked by my isolate_network rules, but when I access my Nextcloud server through a web browser it is not blocked.

KOM, Apr 20, 2018, 3:23 PM

      Post screens of your rules instead of text about what you think they're doing.

mich04, Apr 20, 2018, 4:09 PM

        Here are screenshots of what I have going on. It might not be correct, and if you guys see anything that is weird please let me know.

        [screenshots: LAN_RULES.png, Camera_RULES.png, Video_RULES.png, Beta_RULES.png, BLOCKYDOOR_RULES.png, WEB_SERVER_RULES.png, NAT_RULES.png]

KOM, Apr 20, 2018, 4:57 PM

          Your rules on BETA look OK, although I don't know what is in the alias Local_subnets.  One thing to point out is that you don't need those explicit block rules at the bottom.  The rules are processed top-down, first-match wins (floating rules are slightly different).  At the bottom, there is a hidden Deny All rule, so traffic that isn't passed by a preceding allow rule is blocked automatically.

          Lastly, the addition of a firewall rule will not block traffic if an existing state is already present.  So when you are playing with your rules, make sure you go to Diagnostics - States and clear any established states that match that traffic/rule.

mich04, Apr 20, 2018, 5:19 PM

            Local_subnets is the VLANs: Cameras, Video, Beta, Web_Server and VPN. I was holding onto explicitly stating the deny rule so I could log traffic as I was diagnosing problems. I did clear the states and reboot the router, but with Beta I am still able to access the web server with its clients (Android, Linux) as well as the web browser. I cannot, however, SSH into it, which shows that the Isolate_Beta rule is working to block SSH, but not the other items.

            [screenshots: Alias_Ports.png, Alias_Networks.png]

mich04, Apr 20, 2018, 6:15 PM

              Oh, also, here are my switch settings.

              [screenshots: 2018-04-20-122123_1366x768_scrot.png, 2018-04-20-122135_1366x768_scrot.png]

KOM, Apr 20, 2018, 6:48 PM

                Hmm, looks OK.

                Why is your 10.10.10.0 network a /27?

                I've seen funny things with the negate operator.  Instead of allowing to NOT Local, flip it around: block access to local and then allow all else.

mich04, Apr 21, 2018, 1:18 AM

                  I removed the 10.10.10.0 network; it was a mistake, I just hadn't removed it. I do know what you mean about the inverted settings; they can work in strange ways sometimes. I did change that. My server is still being resolved using the Beta network. I just wish I could figure out what is passing the traffic. The only traffic I see being generated when I refresh the page is the device to Squid.

mich04, Apr 21, 2018, 1:27 AM

                    My ultimate goal was to work on a DMZ for the web server; that's what started this project.

mich04, Apr 24, 2018, 1:53 PM (last edited Apr 24, 2018, 5:26 PM)

                      OK, working a little more on this today. I found a similar thread that had a solution that worked for them, but it is not working for me:
                      https://forum.pfsense.org/index.php?topic=81331.15

                      I also saw another thread, which I cannot find now, talking about the machine's address changing when it passes through Squid:
                      Device IP changes to pfSense address, port 3128

                      So here are some relevant settings of my Squid configuration after I had changed the bypass setting and rebooted.

                      [screenshot: 2018-04-24-084411_1366x768_scrot.png]

mich04, Apr 24, 2018, 2:17 PM
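The two observations in this thread fit together: KOM's description of how a pfSense interface tab is evaluated (existing state first, then first matching rule, then the hidden default deny), and mich04's note that the device's address becomes the pfSense address on port 3128 once Squid is in the path. With transparent interception the client's TCP session ends at the firewall and Squid fetches the page over a second session that pfSense itself originates; interface rules are applied to traffic entering an interface, so the BETA tab never evaluates a flow whose destination is the web server. SSH is not intercepted, so its flow is evaluated as-is and the Isolate_Beta block matches. The model below is an added example written for this thread, not pfSense or Squid code and not the poster's configuration: the addresses, the Squid port handling, the port sets standing in for the "Alias Ports" aliases, the destination-bypass list and the rule names are assumptions, except that the 10.0.17.0/24 and 10.0.47.0/24 networks mich04 names are reused as Web_Server and Beta.

```python
"""
Toy model of why a BETA-tab block rule stops SSH but not proxied HTTP.

Added example for this thread; it is not pfSense or Squid code. Addresses,
ports, rule names and the bypass list are constructed (assumptions); the two
/24s are the ones mich04 mentions, reused here as Web_Server and Beta.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed lab addressing (assumption).
BETA_NET = ip_network("10.0.47.0/24")        # "Beta net"
WEB_NET = ip_network("10.0.17.0/24")         # Isolate_Beta alias, reduced to Web_Server
BETA_ADDRESS = ip_address("10.0.47.1")       # "Beta address": pfSense itself on BETA
BETA_ADDRESS_NET = ip_network("10.0.47.1/32")
WEB_SERVER = ip_address("10.0.17.10")        # the Nextcloud host
CLIENT = ip_address("10.0.47.50")            # a device on Beta
PROXY_PORT = 3128                            # Squid's listening port (as in the thread)
INTERCEPT_PORTS = frozenset({80})            # what transparent Squid grabs (assumption)


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "pass" or "block"
    src: Optional[IPv4Network]         # None matches any
    dst: Optional[IPv4Network]
    dports: Optional[FrozenSet[int]] = None

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or f.src in self.src)
                and (self.dst is None or f.dst in self.dst)
                and (self.dports is None or f.dport in self.dports))


# Cut-down BETA tab in the order the thread lists it: passes, then the explicit
# blocks. The port sets stand in for the "Alias Ports" aliases (assumption).
BETA_RULES = [
    Rule("Beta net to Beta address DNS", "pass", BETA_NET, BETA_ADDRESS_NET, frozenset({53})),
    Rule("Allowed to pfSense (Alias Ports)", "pass", BETA_NET, BETA_ADDRESS_NET,
         frozenset({443, PROXY_PORT})),
    Rule("Beta to Isolate_Beta", "block", BETA_NET, WEB_NET),
    Rule("Beta net to anywhere", "block", BETA_NET, None),
]


def first_match(rules: List[Rule], flow: Flow, states: FrozenSet[Flow]) -> str:
    """pf evaluation on one interface, as KOM describes it: an existing state
    is matched before any rule, then the first matching rule wins, and the
    hidden default deny catches whatever nothing passed."""
    if flow in states:
        return "pass (existing state)"
    for r in rules:
        if r.matches(flow):
            return f"{r.action} ({r.name})"
    return "block (hidden default deny)"


def beta_verdicts(flow: Flow, states: FrozenSet[Flow] = frozenset(),
                  bypass_dsts: FrozenSet[IPv4Address] = frozenset()) -> List[Tuple[Flow, str]]:
    """What the BETA tab sees for one client request.

    If transparent Squid intercepts the port and the destination is not on
    the bypass list, the client's session ends at pfSense:3128 and Squid
    fetches the page over a second session that the firewall itself
    originates; ingress rules only apply to traffic entering an interface,
    so that second session is never checked against the BETA tab."""
    if flow.dport not in INTERCEPT_PORTS or flow.dst in bypass_dsts:
        return [(flow, first_match(BETA_RULES, flow, states))]
    to_proxy = Flow(flow.src, BETA_ADDRESS, PROXY_PORT)
    upstream = Flow(BETA_ADDRESS, flow.dst, flow.dport)
    return [
        (to_proxy, first_match(BETA_RULES, to_proxy, states)),
        (upstream, "not evaluated: originated by pfSense itself, so the BETA "
                   "rules never see a flow to " + str(flow.dst)),
    ]


# Equivalent of a Squid http_access deny placed before the usual localnet
# allow (constructed): the proxy is the one place that still sees both the
# real client and the real destination of an intercepted request.
SQUID_DENY = [(BETA_NET, WEB_NET)]


def squid_http_access(client: IPv4Address, dst: IPv4Address) -> str:
    for src_net, dst_net in SQUID_DENY:
        if client in src_net and dst in dst_net:
            return "deny"
    return "allow"


if __name__ == "__main__":
    for f in (Flow(CLIENT, WEB_SERVER, 22), Flow(CLIENT, WEB_SERVER, 80)):
        print(f"client -> {f.dst}:{f.dport}")
        for seen, verdict in beta_verdicts(f):
            print(f"  {seen.src} -> {seen.dst}:{seen.dport}: {verdict}")
    print("web server bypassed:", beta_verdicts(Flow(CLIENT, WEB_SERVER, 80),
                                                bypass_dsts=frozenset({WEB_SERVER})))
    print("squid:", squid_http_access(CLIENT, WEB_SERVER))
```

Two things follow from the model. Either the policy is enforced where the real client and real destination are both still visible, i.e. in Squid's own http_access ACLs, or the web server is taken out of interception (the destination-bypass setting mich04 changed) so the client's own connection reaches the Isolate_Beta rule. In both cases any state already in Diagnostics - States for the flow wins before the rules are consulted, which is why clearing states after a rule change matters.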

                        I also just tried with Squid's ACLs to see if I could block networks 10.0.17.0/24 and 10.0.47.0/24, but it is still resolving in the web browser.

                        [screenshot: 2018-04-24-091422_1366x768_scrot.png]
