Trouble with firewall rules for IOT network

danb35

I'm wanting to set up a separate network for my IoT devices, since security with those is pretty much a dumpster fire and there isn't much I can do about that. I'm trying to follow the general process described in this video, but since he's using an EdgeRouter and I'm (of course) using pfSense, the firewall rules don't translate exactly. However, the configuration described here in the pfSense docs seems to accomplish the same thing. For now, I want devices on this network to have full access to the Internet, but only very limited access to my other LAN resources (and I haven't even gotten to adding those rules yet).

I've set up the separate IoT VLAN in pfSense, in my Dell managed switches, and in my Unifi network. I can connect wireless clients to that VLAN and they're issued IPs in the appropriate range from the pfSense server; I can plug wired devices into a dedicated port on the switch and they're assigned the same. Devices on that network can ping the gateway, they can resolve hostnames, but they can't reach the outside network--pings time out, as does attempted browsing. Here are the rules I'm using:

Curiously, I can see a few states on the last rule, which would suggest to me that some traffic is getting through--but as far as I can tell, it isn't. What am I missing, or where else should I be looking?

johnpoz

you sure and the hell do not need that 67 dhcp rule.. When you enable dhcpd on an interface pfsense will auto add the rules needed for dhcpd to run.. They will not be listed in the gui, but they are there.. you can view them with viewing all rules

https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html

Did you mess with the default outbound nat rules which should be automatic.. If you changed that your going to have issues unless you create the correct outbound rules. Also are you running any sort of vpn client that pulls routes?

danb35

@johnpoz said in Trouble with firewall rules for IOT network:

you sure and the hell do not need that 67 dhcp rule.

OK, easy enough to delete that.

Did you mess with the default outbound nat rules which should be automatic.

I hadn't thought so, but this suggests otherwise:

I am running an IP PBX behind the firewall, which is what the first mapping is for. I couldn't say about the others. The 1.0 network is my primary LAN, while 3.0 is the OpenVPN network. The IoT network is 107.0, and isn't listed there--I'm guessing that's the source of my problem.

Which would be better: to add a set of rules matching the ones already there for 1.0, or to set the mode to "hybrid" (which I'd guess would generate those rules automatically)?

Also are you running any sort of vpn client that pulls routes?

No VPN client on the pfSense box. I run an OpenVPN server for remote access to my network.

johnpoz

@danb35 said in Trouble with firewall rules for IOT network:

The IoT network is 107.0, and isn't listed there--I'm guessing that's the source of my problem.

Yup there is almost never a reason to change from auto to manual.. Hybrid sometimes makes sense.. Switch it to auto and you should be fine.

If you need to do something with your pbx, then just use hybrid and add that rule.

danb35

Switch it to auto and you should be fine.

That's got the IoT network working, thanks--it'll take a little checking to make sure that trunk still works for the PBX, but if not I'll set it to Hybrid and add that rule. Thanks!