DROP most LAN to LAN



  • I don't want my LAN machines open to each other, with a couple of obvious and one custom exception.

    pfSense is a proxmox guest, and sits in front of proxmox (proxmox only has a LAN IP). I have openvpn setup for proxmox/pfsense access (SSH and GUI) and a single IP firewall exception for accessing both outside of openvpn.

    DNS and SMTP services are provided by the proxmox host.

    I am thinking of:

    ALLOW from LAN host to LAN any 
    ALLOW from LAN pfsense to LAN any 
    ALLOW from LAN any to host ports 25, 53
    ALLOW from LAN host X to LAN host Y
    DROP from LAN any to LAN any
    

    All LAN to WAN remains default. So my questions are:

    a) Do I have this (excuse the sloppy language above) in the right direction?

    b) Should I put the rules above or below these?
    f497c02f-d0dc-4a86-b867-534895f7e1e6-image.png

    c) Do I also need to modify these above since they are from LAN to any?

    d) Do the openvpn rules need modification? I only access the host and pfsense via openvpn.

    Thanks



  • Devices on your LAN pass traffic through the switch and the switch sends that traffic direct to the other LAN device. This traffic never touches the router. Why would it?

    Only traffic sent "out of net" or to a different subnet is sent to and through the router.

    Utilize your client firewalls to do what you want. Make your Windows firewalls "public".



  • gotcha.

    not that it makes a diff, but all guests are ubuntu (with the debian host).

    i could use ufw on the guests, but I really didn't wanna mess with any guest firewalling rules... iptables ALLOWs everything and UFW is not even installed.



  • You could always do this with vlans but then you need a layer 3 switch.. Create a "LAN" for each machine. Then you could do all kinds of subnet magic..



  • @chpalmer Don't think a layer 3 switch is possible with a single physical machine and two NICs, but only one uplink (the other is disconnected)

    proxmox does have VLANs though, but I think it would complicate things if the VLANs are not setup in pfsense... might have to go the client firewall way


  • LAYER 8 Global Moderator

    You don't need a L3 switch to do vlans... All you need is L2 smart switch..

    But if you don't want clients talking to each other - then you could do something with private vlans.. This would be done on your switch.. Not pfsense.

    How many clients do you have?



  • @johnpoz said in DROP most LAN to LAN:

    You don't need a L3 switch to do vlans... All you need is L2 smart switch..

    But if you don't want clients talking to each other - then you could do something with private vlans.. This would be done on your switch.. Not pfsense.

    Thanks! That is good to know. I don't do VLANs at all so Im not real up to standard there. But he did mention that there were a few exceptions with machines communicating with each other..

    with a couple of obvious and one custom exception.

    Im thinking a firewall rule or two for these.


  • LAYER 8 Global Moderator

    Well if he wants some exceptions then sure vlans would be the way to do it sure.



  • @johnpoz

    there are less than 15 LAN clients, between containers and VMs...


  • LAYER 8 Global Moderator

    Still if what your wanting to do is segment your different clients so client X and Y can not talk to A and B, then yeah you put x and y in vlan 10, and a and b in in vlan 20, and then firewall between them with pfsense.

    I sure and the F not create 15 different vlans ;)



  • @pitchfork said in DROP most LAN to LAN:

    don't want my LAN machines open to each other, with a couple of obvious and one custom exception.

    There are some switches that can isolate ports so they can only talk to an uplink port. My TP-Link TL-SG105E (Johnpoz's favourite) will do that. TP-Link calls it a Multi-Tenant Unit VLAN.


  • LAYER 8 Netgate

    These are VMs/Containers. Any isolation would have to be done in the vswitch. Or perhaps in the proxmox firewall.


Log in to reply