• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Inter-Network Blocking Question

Scheduled Pinned Locked Moved General pfSense Questions
19 Posts 5 Posters 1.4k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • P
    Pete-Man
    last edited by Dec 13, 2018, 1:00 AM

    Hey everyone I am somewhat new to pfSense and have been tasked to setup about 20 dedicated networks for conference rooms in an office. Setting up the Interfaces / DHCP / VLANs isn't an issue what I am trying to figure out is the best way to block each of the networks from seeing each other and of course accessing the GUI.

    I know that I can do this with individual rules for each Network but was trying to figure out something a little easier like an alias or maybe even a floating rule?

    With this in mind someone suggested that I created an alias with all of the networks listed in it. From there go to each of the networks firewall rules and set up the following two rules (using LAN100 as an example).

    Rule 1)
    Action - Pass
    Interface - LAN100
    Protocol Any
    Source - LAN100 Net
    Destination - LAN 100 Net
    All other entries are the default

    Rule 2)
    Actio - Pass
    Interface - LAN100
    Protocol - Any
    Source - LAN100 Net
    Destination (Invert Match) Single Host or Alias - (Network Alias with all VLAN Networks Listed)
    ** All other entries are default**

    This does work in blocking access to each of the other networks as well as allow the network to access the Internet. I do however have some strange behavior where it seems like I can sometimes access the Web Interface of the pfSense box and sometimes I can not.

    Am I going in the right direction with this? I am trying to avoid making an Alias for each of the VLANs with itself not listed but that obviously is an option.

    Any help / suggestions would be greatly appreciated.

    1 Reply Last reply Reply Quote 0
    • N
      NogBadTheBad
      last edited by Dec 13, 2018, 3:58 PM

      I also use the invert match rule @Derelict isn't too keen.

      Ideally the rules should look something like this:-

      0_1544716136578_Screenshot 2018-12-13 at 15.47.23.png

      You can ignore the pfB_PRI1_v4 rule that's pfBlockerNG and the SYSLOG rule

      You could use a floating rules and just not apply it to one of the interfaces that you use for switch and router management :-

      0_1544716664785_Screenshot 2018-12-13 at 15.57.08.png

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      1 Reply Last reply Reply Quote 1
      • D
        Derelict LAYER 8 Netgate
        last edited by Derelict Dec 13, 2018, 6:21 PM Dec 13, 2018, 6:20 PM

        Instead of trying to block every network I would consider something like:

        1. Pass the local assets they need access to (DNS Server(s)s, NTP, etc)
        2. Pass ICMP to the interface address and DNS server(s) etc so they can ping those.
        3. Reject everything to RFC1918/All Unroutable networks
        4. Reject everything to This Firewall (self)
        5. Pass everything (The internet).

        Is IPv6 a factor?

        I would also seriously consider just using layer 2 port isolation if the only goal is to block them from each other. Then you could maintain one network instead of 20. It might be nice to have them all completely separate though, for accounting/troubleshooting purposes.

        And, no, I don't like blocking traffic with pass ❗ rules. Traffic should be blocked with block/reject rules.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 1
        • P
          Pete-Man
          last edited by Dec 14, 2018, 2:32 AM

          Thanks for the replied guys - These networks are are going to be wide open to the Internet which is why they want these to be on their on dedicated VLANs and not to be able to access each other or the firewall itself.

          These are just "Guest" Networks and will never access any internal assets. This is the way they want it and I felt that VLANs and blocking would be the best way to go about it.

          I am not really sure about the inverted pass rule... I tried this on 3 different devices and one two of them it seems to work perfectly and the 3rd for some reason I was still able to access the firewall itself from inside one of the VLANs. One thing worth mentioning I did reboot the other devices but didn't reboot the one that can still access but did reset the states on it.

          Currently IPv6 is not a factor but never say never. =)

          N 1 Reply Last reply Dec 14, 2018, 8:50 AM Reply Quote 0
          • D
            Derelict LAYER 8 Netgate
            last edited by Dec 14, 2018, 8:07 AM

            If IPv6 is not a factor now then you deal with that when it is.

            So you're not providing local DNS or anything?

            Then eliminate point 1. above.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 1
            • N
              NogBadTheBad @Pete-Man
              last edited by Dec 14, 2018, 8:50 AM

              @pete-man

              Re accessing the firewall when you thought you’d blocked it.

              Did you kill the firewall states after creating the block rule?

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              1 Reply Last reply Reply Quote 1
              • C
                chriva
                last edited by Dec 14, 2018, 10:06 AM

                Create a interface group containing all of the networks for conference rooms.
                On the interface group
                Permit all traffic to public networks
                Permit access to the GUI (PFSense web interface? in this case is better to allow access only from a few non dhcp addresses OR create and extra VLAN dedicatet to management only.)
                Block all traffic to private networks

                This should be fine.

                1 Reply Last reply Reply Quote 1
                • P
                  Pete-Man
                  last edited by Dec 17, 2018, 12:28 PM

                  Thanks for the suggestions guys - I tried the various things suggested but couldn't get it to work. Just to get it up and running I ended up doing what I didn't want to do which is create an alias for each of the Networks with all of the other networks in it but itself then added that in to each Interface Firewall Rule to block the Alias for that Network.

                  There has to be an easy way to do what I wanted to do originally without using the Inverted rule. Having a single Alias with all of the Networks that I want to prevent from seeing each other would make life a whole lot easier vs going in to each alias and adding any new network.

                  I tried the Interface Group but correct me if I am wrong when you go to add firewall rules to it you seem to be a little more limited then regular interfaces?

                  I thought that some kind of floating rule would / should also work but again it seemed like I would somehow end up blocking all traffic as in not being able to get out at all or still being able to access the other networks.

                  I have this setup running on a few test machines now and want to keep playing with it for sure.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by Dec 17, 2018, 12:44 PM

                    If you dont what your other networks to talk to each other..

                    Then just create a alias for say all rfc1918 networks

                    Create rule(s) that allow access to what you want to allow on other networks, local access for say dns, ping to pfsense IP address in that network.

                    Then block/reject access to alias rf1918

                    Then allow any any (which will allow internet)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    P 1 Reply Last reply Dec 18, 2018, 1:00 AM Reply Quote 1
                    • P
                      Pete-Man @johnpoz
                      last edited by Dec 18, 2018, 1:00 AM

                      @johnpoz said in Inter-Network Blocking Question:

                      If you dont what your other networks to talk to each other..

                      Then just create a alias for say all rfc1918 networks

                      Create rule(s) that allow access to what you want to allow on other networks, local access for say dns, ping to pfsense IP address in that network.

                      Then block/reject access to alias rf1918

                      Then allow any any (which will allow internet)

                      Hi - Thanks for the information, in this instance I would have to an alias for each of the networks correct? If I list "All" of the private networks it would end up blocking itself before it hits the any rule.

                      This is what I am trying to avoid, I would like to have a way to have a single alias with ALL of the Networks that I don't want the others to be able to access. In this case this will be a series of Interfaces going to conference rooms 20 of them at this point.

                      I know I can create an Alias for each of the Networks / VLANs with all of the other networks listed except for itself but again I am trying to avoid that if possible.

                      Am I missing something?

                      D 1 Reply Last reply Dec 18, 2018, 1:03 AM Reply Quote 0
                      • D
                        Derelict LAYER 8 Netgate @Pete-Man
                        last edited by Dec 18, 2018, 1:03 AM

                        @pete-man said in Inter-Network Blocking Question:

                        If I list "All" of the private networks it would end up blocking itself before it hits the any rule.

                        What, exactly, do you mean by this. Please be specific.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        P 1 Reply Last reply Dec 18, 2018, 1:20 AM Reply Quote 0
                        • P
                          Pete-Man @Derelict
                          last edited by Dec 18, 2018, 1:20 AM

                          @derelict said in Inter-Network Blocking Question:

                          @pete-man said in Inter-Network Blocking Question:

                          If I list "All" of the private networks it would end up blocking itself before it hits the any rule.

                          What, exactly, do you mean by this. Please be specific.

                          Lets take a step back what I am trying to do it the following, as I mentioned I am trying to setup a number of Interfaces / Networks / VLANs that will be used for public access in various conference rooms. For ease of use I have set the networks up like this.
                          VLAN 20 - 192.168.20.0 / 24
                          VLAN 30 - 192.168.30.0 / 24
                          This continues on with VLAN 40 through 70 for now.

                          There are a few more Networks / Interfaces including including the Local Private LAN, WAN and management Network.

                          The goal is to provide each of the about Networks / VLANs 20 through 70 Internet Access but block them from accessing any of the other VLANs as well as the Firewall itself (GUI).

                          To be clear I have no issues setting up the VLANs / IPs / Interfaces on within pfsense, the question is setting up the rules as follows.

                          How can I simplify blocking each of the Networks / VLANs 20 through 70. I was looking to make an Alias that included ALL of the Networks that I want to prevent the others from accessing including the Managements and Private Networks and putting in a few rules in each interface (or maybe even some kind of floating rule) to accomplish this vs created an Alias for Each of the Networks / VLANs which has all of the Networks listed except for itself and apply it to each interface as a blocking rule using the Alias and a Pass rule for everything else. I know this will work but can lead to some mistakes if say an additional Network is added.

                          Hope this makes sense.

                          1 Reply Last reply Reply Quote 0
                          • D
                            Derelict LAYER 8 Netgate
                            last edited by Dec 18, 2018, 1:27 AM

                            No. What did you mean by that statement?

                            If you want to block a VLAN from accessing any other private resource, then block it to a destination alias containing:

                            10.0.0.0/8
                            172.16.0.0/12
                            192.168.0.0/16

                            What are your concerns with doing that?

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            P 1 Reply Last reply Dec 18, 2018, 1:55 AM Reply Quote 0
                            • P
                              Pete-Man @Derelict
                              last edited by Dec 18, 2018, 1:55 AM

                              @derelict said in Inter-Network Blocking Question:

                              No. What did you mean by that statement?

                              If you want to block a VLAN from accessing any other private resource, then block it to a destination alias containing:

                              10.0.0.0/8
                              172.16.0.0/12
                              192.168.0.0/16

                              What are your concerns with doing that?

                              If I put a blocking rule in place that contains those networks isn't that going to end up blocking itself? How do I prevent it from blocking itself in that rule? I put a rule like that in place and of course it is the first rule it hits so it blocks itself, I can not access the internet and of course any other network.

                              If I put a pass any / any rule in first it will never hit the blocking rule.

                              1 Reply Last reply Reply Quote 0
                              • D
                                Derelict LAYER 8 Netgate
                                last edited by Dec 18, 2018, 1:56 AM

                                Because it blocks traffic to those destinations, not sources. Traffic destined to the same subnet never gets sent to the firewall.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                P 1 Reply Last reply Dec 18, 2018, 2:19 PM Reply Quote 1
                                • P
                                  Pete-Man @Derelict
                                  last edited by Pete-Man Dec 18, 2018, 2:20 PM Dec 18, 2018, 2:19 PM

                                  @derelict said in Inter-Network Blocking Question:

                                  Because it blocks traffic to those destinations, not sources. Traffic destined to the same subnet never gets sent to the firewall.

                                  Ok since I am somewhat new to pfSense I assume I am missing something here.

                                  I just setup the following test install of pfSense
                                  em0 - Wan - DHCP - Has Internet access
                                  em1 - LAN - Default 119.168.1.1

                                  em2 - Set up with the following VLANs through a Trunk Port
                                  VLAN 50 - 192.168.50.1 / Set up as DHCP Server
                                  VLAN 60 - 192.168.60.1 / Set up as DHCP Server
                                  VLAN 70 - 192.168.70.1 / Set up as DHCP Server

                                  Setup an Alias with ALL of the Above VLAN Networks Listed in it including the LAN Network.

                                  Currently all of the Interfaces so up / work and I get IPs from their proper Networks. Of course I can not access anything I haven't set up any rules as of yet.

                                  Here is where I am wondering what the best practices are. What rules would you suggest I put in each interface so that I can do the following (I only need one example / Not all):

                                  Allow access to the Internet
                                  Prevent Access to All other VLANs mentioned in the Alias
                                  Prevent Access to the firewall itself (GUI / Command line)

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by johnpoz Dec 18, 2018, 2:38 PM Dec 18, 2018, 2:36 PM

                                    So where were your clients get dns? Pfsense or external (internet)

                                    As traffic enters and interface from the network its attached to rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

                                    Here just gave an example in this thread
                                    https://forum.netgate.com/topic/138813/isolating-vlans-from-each-other-and-management-interface/2

                                    Vs sending it out the vpn connection, don't set gateway on last rule. Use your alias vs rfc1918 alias. But to be honest just create alias that contains all rfc1918.. That way when you add vlan 80 for example you don't have to worry about editing your alias ;)

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                    P 1 Reply Last reply Dec 18, 2018, 5:04 PM Reply Quote 1
                                    • P
                                      Pete-Man @johnpoz
                                      last edited by Dec 18, 2018, 5:04 PM

                                      @johnpoz

                                      @johnpoz said in Inter-Network Blocking Question:

                                      So where were your clients get dns? Pfsense or external (internet)

                                      As traffic enters and interface from the network its attached to rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

                                      Here just gave an example in this thread
                                      https://forum.netgate.com/topic/138813/isolating-vlans-from-each-other-and-management-interface/2

                                      Vs sending it out the vpn connection, don't set gateway on last rule. Use your alias vs rfc1918 alias. But to be honest just create alias that contains all rfc1918.. That way when you add vlan 80 for example you don't have to worry about editing your alias ;)

                                      Hi and Thank you... This is exactly what I was looking for. I am not 100% sure but I think my issue was having my rules setup like you had listed in the example you linked to but I had all of my Rules sources set properly to the VLAN Net but I also had my my destination set as LAN vs and not addresses. This makes sense now and it seems to be working as I would like it to. Since all of my Networks are in the Private space and listed in my Alias do I need the implicit Block rules for access to this Firewall? I can't seem to access it from any of the VLANs I am testing from. I know it certainly will not hurt I was just wondering.

                                      Thank you again

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by Dec 18, 2018, 5:11 PM

                                        The "this firewall" includes ALL ips on the firewall.. For example your WAN IP that is normally not a rfc1918 address. So this rule makes sure that NO IP on the firewall can be accessed.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                        1 Reply Last reply Reply Quote 1
                                        1 out of 19
                                        • First post
                                          1/19
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                          This community forum collects and processes your personal information.
                                          consent.not_received