I need help with the firewall and rules with multiple LANs



  • I have the following setup

                        ----------------(LAN1)
                        |
    -----Modem-----pfsense-----------------(LAN)
                        |
                        ----------------(LAN2)

    All LANs are on different subnets.
    The pfsense box has four NICs.

    I want to do the following
    file share between LAN and LAN1, LAN and LAN2
    block file sharing between LAN1 & LAN2

    Block all internet traffic from LAN1 & LAN2
    Allow internet traffic from LAN

    Allow MS RDP from LAN to LAN1

    I have automatic NAT enabled

    How do I set up the rules?

    I have a rule in for LAN2
    TCP  LAN net  *  LAN2 net  3389 (MS RDP)  *
    And it does not work

    I have tried a similar rule in LAN
    TCP  *  *  LAN2 net  3389 (MS RDP)  *
    and it does not work.

    I have had lots of fun trying to block and allow many protocols (80, 21, 8080) and nothing ever seems to match up.  When I think I have blocked port 80, LAN2 still gets to the internet (via WAN).  When I allow 8080 from LAN2 to LAN I get nothing, yet other times (like last night) it was working.  It's driving me nuts.

    What is the purpose of putting a rule under an interface if you then specify the source, isn't that doubling up?  Wouldn't the firewall be better as one big list where you then specify the source and destinations?

    I just don't get it - and yes I am a noob.

    Is there a pfsense firewall for dummies somewhere that explains the basics?

    Thanks

    Mick



  • No, the firewall doesn't work at all. Everyone else wasn't smart enough to notice. Good job.
    Seriously, some basic knowledge about how firewalls work and reading the faqs/stickies will help out.
    Why not start here? http://forum.pfsense.org/index.php/topic,7001.0.html
    People might be more inclined to help if the post topic is something more descriptive.



  • Thanks

    I thought the last part would be enough to indicate that I was having trouble with rules and getting the firewall to work, but anyway it appears not.

    Some basic knowledge is what I am after and yes I have been reading a lot, but just not the right things.

    But reading that page does not tell me anything I don't know (or think I don't know) already.

    Help me out here and give me an example of a rule that will allow RDP traffic from the LAN to LAN2, because I have set up rules that I believe should work and they don't.

    Mick



  • The default configuration for the LAN is to allow anything out. I'd start your second LAN with a similar rule and lock down from there. Remember rules apply when traffic enters the interface and rules are processed top down. So, let's say I want to allow only RDP from LAN to LAN2 and block LAN2 from getting to LAN:
    (Allowing both to get to the Internet)
    Firewall, Rules, LAN
    Allow TCP LAN net * LAN2 net 3389 *
    Deny  *    LAN net * LAN2 net *    *
    Allow  *    LAN net *    *      *    *

    Firewall, Rules, LAN2
    Deny  *    LAN2 net * LAN net *    *
    Allow  *    LAN2 net *    *      *    *

    Once you get the hang of it, you should be able to extrapolate into more complex rules.



  • Thanks so much - I will give this a go tonight.

    I do understand the top down concept and was aware of that with my rules (not experienced though)

    If we take a step back

    Allow rdp from LAN to LAN2 with the understanding that all is blocked by default (according to what I have read) I had under LAN rules

    Allow TCP LAN net * LAN2 net 3389 *

    with no rules under LAN2

    and nothing would work.

    If so then could I have a problem somewhere else (NAT?)

    This is what is swimming around my head at the moment

    This goes in the LAN rules because that is the subnet that the connection is being established and a similar rule is not required under the LAN2 rules.

    But you say that when traffic enters an interface the rules are tested, so if I try to establish a connection from my PC on LAN, the LAN rules are evaluated and then the data is passed to the LAN2 rules before passing into the LAN2 subnet.  Does that mean that there should be a similar rule under LAN2 (this means doubling of all rules, which sounds counterproductive and over-complicated)?
    Allow TCP LAN net * LAN2 net 3389 *

    Don't get me wrong, I am not trying to argue, just posing scenarios to try and learn, and I appreciate the replies.

    Thanks again

    Mick



  • @znelbok:

    This goes in the LAN rules because that is the subnet that the connection is being established and a similar rule is not required under the LAN2 rules.

    correct.

    @znelbok:

    but, you say that when traffic enters an interface the rules are tested, so if I try to establish a connection from my PC on LAN the LAN rules are evaluated and then the data is passed to the LAN2 rules before passing into the LAN2 subnet.

    incorrect.
    Whatever gets 'inside' of pfSense (according to rules) may exit anywhere it is routed to (no rules apply).
    That is why pfSense itself (inside) can communicate with all attached subnets or the update server on the internet without rules.
    Got the picture?

    What Dotdash showed is absolutely correct.
    Just get familiar with the rule's order which is important in the example. Maybe read them out loud: "First, allow everything from LAN to …"  [no pun intended, btw]



  • I put these rules in and it did not work  >:( (and yes I hit apply after making the changes)

    Just to make sure here are the screen shots

    One thing I did appear to have wrong was how the rules were processed.  I did understand the top-down concept, but I thought that a lower rule would override a previous rule,

    so in the rules given earlier, where an allow was given for port 3389 and then a subsequent rule blocked all ports, I assumed that the latter rule had precedence, and in fact it is the other way around, preceding rules have precedence.

    Since this does not appear to be working for me, is there by any chance something else wrong elsewhere in the system?

    The box (pfsense) can ping the PC on LAN2

    Thanks and the help is appreciated

    Mick

    EDIT - I realised on the way to work this morning that the PC on the LAN was not using the pfsense box as the gateway, but rather the router as a gateway.  The router has a static route to the pfsense box, so in theory it should work, but I will point the PC to the pfsense box and try again.






  • So it turns out it was the gateway but…

    I removed the rule for port 3389 and now have two rules under LAN
    Deny *  LAN net  *  LAN2 net  *  *
    Allow * LAN net * * * *

    and I can still get an RDP connection - why?  All protocols and ports are blocked to LAN2.

    I can also do file sharing!!!

    Why, when the deny rule is first?



  • Did you clear the states after deleting the allow rule?

    You don't happen to have Advanced outbound NAT enabled, do you?



  • I assume by clearing the states you mean resetting states - no, I did not know about that.

    Yes, Automatic (not Advanced) outbound NAT is enabled.

    Should manual outbound NAT be enabled?  What about the rules for NAT, where can I find more on that?



  • If you are on automatic everything should be ok.
    Some people have problems when they enable manual NAT and forget about it.

    If you're testing if a firewall rule is effective, you should always clear the state table first.
    Otherwise it might well be that there is still an entry in the table and you use this entry which was created before the rule was in place.



  • Excellent, I am starting to get somewhere now thanks to the good people here.

    Another question on a rule.

    I have got the ports open to LAN2 that I want and it is working fine, but I am trying to lock down the connection to the internet.

    My first attempt was this
    Allow TCP  LAN net  *  WAN address  80 (HTTP)  *

    and it did not work.

    Changed it to
    Allow TCP  LAN net  *  *  80 (HTTP)  *

    and it worked.

    Why would specifying the WAN port fail, yet work for any destination?



  • If you specify "WAN address" you allow only connections to the address of the WAN.
    WAN address means exactly that.
    It doesn't mean: "traffic going out the WAN".
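    The three points made so far in the thread (Dotdash's ruleset evaluated top-down on the entering interface only, a state created under an old allow rule surviving until states are reset, and "WAN address" meaning the WAN IP itself) modelled in a small Python simulator. This is an added example, not pfSense code and not anything posted in the thread; the subnets and the WAN IP are constructed.

```python
# Toy model of pfSense-style filtering (added example, not pfSense code):
# rules are consulted only on the interface a packet ENTERS, top-down, first
# match wins, nothing matching is dropped; a flow that already has a state
# entry is passed without the rules being consulted at all.
from dataclasses import dataclass, field

# Constructed addresses; the thread does not give the real subnets.
NETS = {"LAN": "192.168.1.", "LAN1": "192.168.2.", "LAN2": "192.168.3."}
WAN_ADDRESS = "10.0.0.2"   # "WAN address" means this one IP, not "out via WAN"

def matches(ip, alias):
    """Match '*', 'WAN address', or a '<IFACE> net' alias against an IP."""
    if alias == "*":
        return True
    if alias == "WAN address":
        return ip == WAN_ADDRESS
    return ip.startswith(NETS[alias.split()[0]])

@dataclass
class Firewall:
    rules: dict = field(default_factory=dict)  # iface -> [(action, proto, src, dst, dport)]
    states: set = field(default_factory=set)   # (proto, src, dst, dport) of passed flows

    def entering_iface(self, src):
        return next(i for i, prefix in NETS.items() if src.startswith(prefix))

    def check(self, proto, src, dst, dport):
        key = (proto, src, dst, dport)
        if key in self.states:
            return "pass (existing state)"  # why RDP kept working after the deny rule
        for action, rproto, rsrc, rdst, rdport in self.rules.get(self.entering_iface(src), []):
            if rproto in ("*", proto) and matches(src, rsrc) \
                    and matches(dst, rdst) and rdport in ("*", dport):
                if action == "Allow":
                    self.states.add(key)   # pfSense keeps state for passed flows
                return action
        return "Deny"  # implicit default: nothing matched

def dotdash_firewall():
    """The ruleset Dotdash gave: RDP LAN->LAN2 only, LAN2 cannot reach LAN."""
    fw = Firewall()
    fw.rules["LAN"] = [("Allow", "TCP", "LAN net", "LAN2 net", 3389),
                       ("Deny", "*", "LAN net", "LAN2 net", "*"),
                       ("Allow", "*", "LAN net", "*", "*")]
    fw.rules["LAN2"] = [("Deny", "*", "LAN2 net", "LAN net", "*"),
                        ("Allow", "*", "LAN2 net", "*", "*")]
    return fw
```

    Removing the RDP allow rule after a connection has been checked once still returns "pass (existing state)" until `states.clear()` is called, which is the "reset states" step from the thread.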



  • Thanks - I will think about this overnight

    "If you specify "WAN address" you allow only connections to the address of the WAN."

    I understand this statement, and I think then it should have worked.  I put in a URL in the web browser and it should have only allowed a connection through the WAN, yet it did not connect and download the web page.

    or

    does this mean that if the WAN address is say 10.0.0.0 (from WAN NIC to modem), then it only allows access to 10.0.0.0?

    I think it may be the latter.



  • @znelbok:

    Thanks - I will think about this overnight

    "If you specify "WAN address" you allow only connections to the address of the WAN."

    I understand this statement, and I think then it should have worked.  I put in a URL in the web browser and it should have only allowed a connection through the WAN, yet it did not connect and download the web page.

    or

    does this mean that if the WAN address is say 10.0.0.0 (from WAN NIC to modem), then it only allows access to 10.0.0.0

    I think it may be the latter

    NOT through.
    TO

    So yes it means the latter.



  • Dang - I thought I had the hang of this

    I have two rules only in both LAN1 and LAN2

    LAN2 Rules
    Allow TCP  LAN2 net  *  LAN net  8080  *
    Deny *  LAN2 net  *  LAN net  *  *

    First to allow LAN2 to a web server on LAN on port 8080, the second to block all the rest and this works fine

    LAN1 Rules
    Allow TCP  LAN1 net  *  LAN net  8080  *
    Deny *  LAN1 net  *  LAN net  *  *

    Same rules as LAN2, but for LAN1 and this does not work.  LAN2 can see the web server on port 8080, LAN1 can not.

    Why is it so?

