Netgate Discussion Forum

How to allow opt only to wan

Firewalling | 14 Posts, 6 Posters, 2.4k Views
vidarne77

pfSense 2.4.4
Modem bridged to pfSense
WAN IP = public IP
OPT2 interface 192.168.2.1
LAN 192.168.1.1

To get OPT2 to only be able to go to the internet, can a rule be set like this?

Interface OPT2
Protocol  Source  Port  Destination  Port  Gateway
ipv4      opt2    *     "wan net"    *     *

Or does all internet traffic go through the interface's IP/gateway, which would in this case be OPT2 192.168.2.1?

What's the best way to allow an interface access only to the internet and not to any other interfaces?
awebster

No, that won't work.

You need to use ipv4 opt2 * * "! LAN Net" * *
! = Invert match
You want to allow it to go anywhere EXCEPT LAN Net.

–A.
vidarne77

Thanks

So if I put all the interfaces I don't want it to go to in an alias and then use invert match, will that work too?
awebster @vidarne77

@vidarne77 You could do that. I've found what works best for me is to create an alias for all RFC 1918 addresses (non-routables) and use that as a DENY rule early on in the ruleset on the OPT interfaces. Assuming it is placed correctly, you never need to revisit that rule.
This prevents any clients on any OPT interfaces from talking to anything "inside" the network.
You can add any allow rules before that if you need to allow specific things, like getting to a print server on the LAN subnet.

–A.
KOM

It is easier to read and understand if you use block/reject rules instead of inverted allow rules.

Allow This Firewall ICMP echo request
Allow This Firewall tcp/udp/53 (DNS)
Block This Firewall
Block LAN net
Allow * * * * *

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://docs.netgate.com/pfsense/en/latest/firewall/restrict-access-to-management-interface.html
awebster @KOM

@KOM I found that using an alias to block all RFC 1918 addresses is simpler than a bunch of block rules, particularly if you plan on having many OPT interfaces (VLANs), but you said it much better!

Allow This Firewall ICMP echo request
Allow This Firewall tcp/53 (DNS)
Block RFC1918
Allow * * * * *

–A.
KOM

That works, too. I was just noting that inverted rules should be avoided unless you have a weird edge case.
JeGr (LAYER 8 Moderator)

@awebster said in How to allow opt only to wan:

Allow This Firewall tcp/53 (DNS)

TCP & UDP please :) Also let's go for udp/123 for using NTP, to define a small, nice and simple set of basic infrastructure services ;)

Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
johnpoz (LAYER 8 Global Moderator)

While ! rules can work, you need to make sure you have no VIPs that could cause issues with them. And yes, as KOM stated already, it is prob better to use an explicit deny; it is much easier to read, and less likely to be a problem.

Here is an example set of rules that you could use on such an isolated VLAN. It allows for min services (ping, DNS and NTP) while blocking all other access. The "This Firewall" built-in alias prevents it from accessing even the pfSense WAN IP directly (which would normally not be RFC1918 space). It uses reject vs block, to tell any local devices "hey, that's not going to work" faster than waiting for them to just time out and keep sending retrans.

(attached image: rules.png)

The rfc alias contains all the RFC1918 networks (10/8, 172.16/12, 192.168/16); this way, if you bring up other networks in the future, it will not be able to get to them either.

You might also want to log your rejects, so that you can see if something is attempting such access.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
JeGr (LAYER 8 Moderator)

Aah, someone besides me that also uses "reject" on the inside rather than just "block"ing it away 😉
Have to remember the "This Firewall" reject though; I tend to forget these (and expose the firewall's WAN IP, if not a private one, that way). Thanks for the reminder :)
johnpoz (LAYER 8 Global Moderator)

Yeah, reject is better on the local side; never something you would put on your public-facing interfaces ;)
vidarne77 @johnpoz

@johnpoz said in How to allow opt only to wan:

While ! rules can work, you need to make sure you have no VIPs that could cause issues with them. And yes, as KOM stated already, it is prob better to use an explicit deny; it is much easier to read, and less likely to be a problem.

Here is an example set of rules that you could use on such an isolated VLAN. It allows for min services (ping, DNS and NTP) while blocking all other access. The "This Firewall" built-in alias prevents it from accessing even the pfSense WAN IP directly (which would normally not be RFC1918 space). It uses reject vs block, to tell any local devices "hey, that's not going to work" faster than waiting for them to just time out and keep sending retrans.

(attached image: rules.png)

The rfc alias contains all the RFC1918 networks (10/8, 172.16/12, 192.168/16); this way, if you bring up other networks in the future, it will not be able to get to them either.

You might also want to log your rejects, so that you can see if something is attempting such access.

This was a nice way to do it, thanks for the help, but a question: are the 2 block/reject rules needed?
Or will only the RFC1918 block/reject rule be needed, as all the IPs under that alias will be in the RFC1918 address pool?
From what I did read I believe "This Firewall" is all the IPs of all the interfaces on the firewall, so it is most likely something like 192.168.1.1, 192.168.2.1, 10.0.0.1, and that will be blocked by the rfc alias, or?
johnpoz (LAYER 8 Global Moderator)

Normally the firewall has a WAN IP that is public. So if you do not use the built-in firewall rule, or put in a WAN address block, your block RFC1918 would not trigger.

So as always, when wondering what your rules are going to do, walk down from top to bottom with your traffic and see which rule triggers or not. If it gets to the end with no rules that allow or block triggering, then it would be blocked by the default deny that is not shown.

So let's say I took out that reject to firewall, and let's assume my firewall WAN IP was 1.2.3.4, so now let's say someone wants to hit the GUI on my WAN IP:

1. not triggered - it's ICMP and my dest is tcp 80, trying to hit the GUI
2. nope, not DNS
3. nope, not NTP
4. not there
5. nope, dest is not RFC1918
6. yes, my source is test net, and any is my dest port, and any is my dest IP. Yup, allowed, so now devices on this network could access the pfSense webgui without that reject "This Firewall" rule.

If your WAN IP is RFC1918, i.e. it's behind a NAT, then yeah, you wouldn't need that rule. But you could use it as a safety net, on the chance you change your network and pfSense now has a public IP.
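As an added illustration (not code from the thread, from pfSense or from any poster), here is a small first-match model in Python of the isolated-VLAN rule set discussed above; it replays johnpoz's top-to-bottom walk-through with and without the "This Firewall" reject. The WAN address 1.2.3.4 comes from johnpoz's post and the LAN/OPT2 addresses from the original question; the rule encoding, the client host and the public destination are constructed for this example.

```python
# Added example, not from the thread or pfSense: a first-match model of the
# isolated-VLAN rule set, used to replay johnpoz's walk-through.
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Aliases. RFC1918 is the "rfc" alias from the thread; "This Firewall" is
# every address on a pfSense interface (WAN 1.2.3.4 from the post, LAN and
# OPT2 addresses from the question).
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
THIS_FIREWALL = nets("1.2.3.4/32", "192.168.1.1/32", "192.168.2.1/32")
ANY = nets("0.0.0.0/0")

def matches(rule, proto, dst_ip, dst_port):
    """Rule matches when protocol, destination alias and destination port all match."""
    _action, r_proto, dst_alias, r_port = rule
    if r_proto != "any" and proto not in r_proto.split("/"):
        return False
    if not any(dst_ip in net for net in dst_alias):
        return False
    return r_port == "any" or dst_port == r_port

def evaluate(rules, proto, dst, dst_port=None):
    """Walk the rules top to bottom; first match wins, otherwise the hidden default deny.
    Returns (1-based rule number or None, action)."""
    dst_ip = ipaddress.ip_address(dst)
    for number, rule in enumerate(rules, start=1):
        if matches(rule, proto, dst_ip, dst_port):
            return number, rule[0]
    return None, "block"  # implicit default deny, not shown in the GUI

# (action, protocol, destination alias, destination port); source is the OPT2 net.
ISOLATED_VLAN_RULES = [
    ("pass",   "icmp",    THIS_FIREWALL, "any"),  # ping the gateway
    ("pass",   "tcp/udp", THIS_FIREWALL, 53),     # DNS resolver on pfSense
    ("pass",   "udp",     THIS_FIREWALL, 123),    # NTP
    ("reject", "any",     THIS_FIREWALL, "any"),  # everything else aimed at pfSense itself
    ("reject", "any",     RFC1918,       "any"),  # any private network, now or in future
    ("pass",   "any",     ANY,           "any"),  # what is left: the internet
]
# Same set with the "This Firewall" reject removed, as in the walk-through.
WITHOUT_FIREWALL_REJECT = ISOLATED_VLAN_RULES[:3] + ISOLATED_VLAN_RULES[4:]

if __name__ == "__main__":
    for label, rules in (("full set", ISOLATED_VLAN_RULES),
                         ("without This Firewall reject", WITHOUT_FIREWALL_REJECT)):
        # tcp/80 to the public WAN address: rule 4 rejects it, or the final pass lets it through
        print(label, "-> webgui on WAN IP:", evaluate(rules, "tcp", "1.2.3.4", 80))
```

Swapping the WAN address for an RFC1918 one shows why the rule becomes redundant behind NAT, while leaving it in costs nothing if the address later turns public.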

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.