Netgate Discussion Forum
    Guest Network Firewall Rules

Firewalling | 12 Posts | 3 Posters | 3.3k Views

Astraea:

I have pfSense (in a VM) installed and I have set up my LAN interface to have an IP address of 17.2.39.1. I also have a VLAN set up which uses 20 for the tag and is called GUESTWIFI in pfSense. I have a Unifi AP and Controller on the network. The AP has an address of 17.2.39.12. The GUESTWIFI has an IP of 17.2.37.1 and both the LAN and GUESTWIFI have DHCP servers configured. I am able to access the internet and local resources either by IP or hostname on either network.

Now I want to limit the GUESTWIFI, or in other words VLAN20, to only be allowed to access the internet and specified local resources that will be accessed via a hostname such as media.domain.local. That hostname is set in pfSense as a DNS override and points to a reverse proxy server I have set up at 17.2.39.112, as this allows me to use SSL certificates from Let's Encrypt and also hide the port number, as my media server does not use port 80 or 443.

I have set up a rule to block access to the LAN net but have not been able to allow access to the specific resources that I want to.

KOM:

Rule order is important. Please post a screencap of your firewall rules for GUESTWIFI. Also list what resources you can't access from where.

Astraea:

[Attachment: Screenshot from 2019-08-20 17-53-55.png]

I did some configuring and was able to block all local resources. Then I added a rule to allow a NAS storage box, which is working, but when I add the top rule, which aliases a hostname, it allows more than just that hostname to be accessed. I assume this is because I am using a reverse proxy.

KOM:

Do the hostname(s) in the alias resolve to private IP space or your WAN address (or VIPs)?

Also, why are you using public IP space for your LANs? 17.0.0.0/8 is owned by Apple, I believe.

Derelict (LAYER 8, Netgate):

You are passing and blocking TCP only.

[Attachment: Screen Shot 2016-06-18 at 9.34.20 PM.png]

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

Astraea:

They resolve to a private IP, which is an Nginx server set up as a reverse proxy, which then accesses the server the service is running on. For example, the media server runs on 17.2.39.186 and uses port 8096. The reverse proxy is at 17.2.39.112 and redirects to the media server. This allows me to use SSL on all internal sites and also hide port numbers for a cleaner look.

Derelict - I'll change to any protocol vs. just TCP.

KOM:

Now your actual problem is that you say you can access more than just that hostname. If you can get to the proxy then what happens after that is the proxy's concern. pfSense just relays the packets between the networks. Can you give an example of what you mean and what happens?

Astraea:

So, for instance, I want to allow my roommate to watch videos from the media server, but they should not have access to my mail server, which is at mail.local.domain.

I am not sure if setting up Split DNS and having 2 separate reverse proxies set up is the answer, or how else I would go about limiting access to other hostnames that are reverse proxied.

When I added the rule to allow media.local.domain it allowed that through, but also mail.local.domain, which both run to the same reverse proxy.

KOM:

I guess you have to have some way via proxy config to limit his access to destinations based on the client's IP address. pfSense has no knowledge of domains and URLs, just IP addresses and packets.

Derelict (LAYER 8, Netgate):

You will need to do that in access lists on the proxies.

pfSense can filter on IP addresses, not host names in an HTTP session.
Astraea:

Thanks, Derelict. I will look into how those are configured later this week.

Astraea:

I had a chance to test out access lists in Nginx and it worked perfectly. I added a deny line to the configuration for that particular domain/subdomain and it was blocked for the specified network. The next question I have, though, is the best way to set up the firewall rule in pfSense.

I created a rule to allow access to the NAS system I have that is located at 17.2.39.32 and that works, but when I add a rule that uses an alias it only allows access when a subdomain is used that goes to that proxy server, such as movies.local.domain. When I just use domain.local or the IP address (17.2.39.112) of the reverse proxy it still gets blocked by pfSense. Should I just make a subdomain of guestnetwork.local.domain and have it go to the reverse proxy that just redirects to the main site for that proxy, so that I can control access from within Nginx?

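The two filtering layers the thread arrives at, as an added example (not code from the thread, from pfSense or from nginx): a first-match firewall that only ever sees resolved IP addresses, protocol and port, and a per-virtual-host access list on the proxy, the analogue of the nginx `allow`/`deny` directives Astraea ended up using. The model shows why a hostname alias for media.local.domain also passes mail.local.domain (both names resolve to the same proxy address), why a TCP-only pass rule still blocks ICMP to the proxy, and why rule order changes the outcome. The subnets (17.2.37.0/24 for GUESTWIFI, 17.2.39.0/24 for LAN), the DNS table, the rule set and the client address are constructed from the addresses given in the thread; the exact rules in the screenshots are not known and are assumed.

```python
"""
Toy model of the two filtering layers discussed in this thread.

Layer 1 (pfSense-like): a first-match rule list evaluated on IP addresses,
protocol and port. A hostname alias is resolved to addresses before matching,
so the firewall never sees the name.

Layer 2 (nginx-like): an access list attached to a virtual host, evaluated on
the client address after the Host header has selected the server block. The
nginx equivalent of VHOST_ACL["mail.local.domain"] below would be:

    server {
        server_name mail.local.domain;
        deny  17.2.37.0/24;   # the guest VLAN
        allow all;
        ...
    }

All addresses, subnets and rules here are constructed from the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DNS overrides: both proxied names resolve to the reverse proxy.
DNS = {
    "media.local.domain": "17.2.39.112",
    "mail.local.domain": "17.2.39.112",
    "nas.local.domain": "17.2.39.32",
}

GUEST_NET = ipaddress.ip_network("17.2.37.0/24")  # GUESTWIFI (VLAN 20); /24 assumed
LAN_NET = ipaddress.ip_network("17.2.39.0/24")    # LAN; /24 assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dst: object                 # ip_network, frozenset of addresses (an alias), or None = any
    dport: Optional[int] = None  # None = any port


def resolve_alias(*hostnames: str) -> frozenset:
    """A hostname alias becomes a set of addresses; the names themselves are gone."""
    return frozenset(ipaddress.ip_address(DNS[h]) for h in hostnames)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("any", pkt.proto):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst is None:
        return True
    return ipaddress.ip_address(pkt.dst) in rule.dst


def firewall_decision(rules: list, pkt: Packet) -> str:
    """First matching rule wins, as on an interface tab; anything unmatched is blocked."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# GUESTWIFI rules, top to bottom, mirroring the thread: hostname-alias pass,
# NAS pass, block LAN net, then pass everything else (the internet).
GUESTWIFI_RULES = [
    Rule("pass", "tcp", resolve_alias("media.local.domain"), 443),
    Rule("pass", "any", ipaddress.ip_network("17.2.39.32/32")),
    Rule("block", "any", LAN_NET),
    Rule("pass", "any", None),
]

# Proxy-side access lists per server_name, evaluated in order like nginx allow/deny.
VHOST_ACL = {
    "media.local.domain": [],                                    # no restriction
    "mail.local.domain": [("deny", GUEST_NET), ("allow", "all")],
}


def proxy_decision(host: str, client_ip: str) -> str:
    ip = ipaddress.ip_address(client_ip)
    for action, net in VHOST_ACL.get(host, []):
        if net == "all" or ip in net:
            return action
    return "allow"


def guest_can_reach(hostname: str, client_ip: str = "17.2.37.50",
                    proto: str = "tcp", dport: Optional[int] = 443) -> str:
    """Run one guest request through the firewall (IP layer) and then the proxy (Host layer)."""
    pkt = Packet(client_ip, DNS[hostname], proto, dport)
    if firewall_decision(GUESTWIFI_RULES, pkt) != "pass":
        return "blocked by firewall"
    if proxy_decision(hostname, client_ip) != "allow":
        return "blocked by proxy"
    return "allowed"


if __name__ == "__main__":
    for name in DNS:
        print(f"{name:22} -> {guest_can_reach(name)}")
    print("icmp to the proxy      ->", guest_can_reach("media.local.domain", proto="icmp", dport=None))
```

The firewall passes the mail request because it is indistinguishable from the media request at layer 3: same destination address, same port. Only the proxy, which reads the Host header, can tell them apart, which is why the deny has to live in the nginx server block for mail.local.domain rather than in a pfSense rule.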
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.