Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Print from OPT1 to LAN printer

    Installation and Upgrades
    3
    33
    56
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpoz
      johnpoz LAYER 8 Global Moderator last edited by

      Well out of the box lan would be able to access anything on opt network.. Since the default rules are any any on lan.

      For what your opt network can access - what rules did you create?

      Just create a rule that allows access to your printer IP, on whatever port your using for printing, 9100, 631, etc..

      Then below that block all access to your lan net. Then the any any rule to allow internet.

      1 Reply Last reply Reply Quote 0
      • 5
        5cub4f1y last edited by 5cub4f1y

        I may have messed up rules due to watching too many videos on this.... WAN, LAN,OPT1 are as follows: (ignore the VLANS, that is just for a future managed switch...possibly) The "Private_IPv4s" is just an alias for all private IP addresses (192.168.0.0/16; 172.16.0.0/12; 10.0.0.0/8) and the 10.10.10.4 is the IP address of the printer on LAN

        21b38ae8-af9e-4c12-bec7-2cc8f49f1d75-image.png

        f8fa3847-8239-4a57-8562-623431434420-image.png

        02a180e0-312a-4f15-8457-864f96cef178-image.png

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by

          Yeah those rules don't make a lot of sense.

          Rules are evaluated top down, as traffic enters an interface, first rule to match wins, no other rules evaluated.

          So on your opt, that first rule is pretty pointless to be honest, since you don't even talk to pfsense to talk to other devices on your opt network.. Your prob just seeing hits on that because opt1 address would be included in opt net

          The rule at the end makes no sense since your already allowing anything that is not lan net.. Which would include any that is ! private IPv4

          For lan, that 10.10.10.4 to opt, is that not your lan net? the 10.10.10? Then the rule above it already allows that.

          Same goes for the last rule, unless you have downstream router on this lan net that makes no sense since any traffic on lan would be in the lan net..

          1 Reply Last reply Reply Quote 0
          • 5
            5cub4f1y last edited by 5cub4f1y

            Ok, so if I'm understanding correctly, I have disabled the last 2 rules in LAN, and disabled the 1st rule in OPT1 (I will completely delete them once all this is figured out... I don't want to break the network right now as people are using it...and right now everyone has internet access for school work..that way if they loose access I can just enable everything again..)

            10.10.10.4 is the printer on the LAN network, yes.

            I guess what I am looking for, as I am still green on networking (studying for Network+ now)... is what rules SHOULD I apply? is there a good example of what rules should be there in this forum somewhere, or elsewhere on the internet? I am still unsure what exactly I need to allow, and where...and what should be blocked... so that the OPT1 network can't see the LAN, except for the printer, but LAN network can see things on the OPT1 network).

            Ideally, I would love to be able to set up all of the IoT devices (Roku, Smart TVs, Amazon Echo, Nest, Security system, etc..) on a different network so all of our laptops and personal devices are protected...but thats for another day...

            No downstream router. I have only pfSense handling routing, my other wireless routers are in access point mode only.

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by johnpoz

              @5cub4f1y said in Print from OPT1 to LAN printer:

              is what rules SHOULD I apply?

              Well what do you want? That is a pretty open ended sort of question.. How would anyone know what you should do, its your network.

              What you should apply is the rules you want to setup the network how you want it, and to allow or block what you want to block..

              Its like asking me what what you want for dinner. I think you should have pizza, when your really in the mood for a burger ;) But I think you should have pizza for dinner!!!

              More than happy to help you setup "specific" something... But asking general terms what you should apply... Doesn't make a lot of sense.. Since I do not know the ins and outs of your network, nor do I know how tight or loose your tinfoil hat is, etc.

              Here is a "typical" locked down network

              locked-down.png

              Where this vlan is limited. Something like that would be a common sort of setup for a iot sort of vlan.. Or maybe you don't even want devices to use your dns or ntp, if so then pull those rules out and hand the iot clients say a public dns.. Maybe you don't even want them to be able to ping pfsense? But I see that is a very valuable test of connectivity, etc.

              1 Reply Last reply Reply Quote 0
              • 5
                5cub4f1y last edited by

                I thought I had stated this in the original post, and subsequent. I apologize if it wasn't clear. I simply want to :

                • Allow everything on LAN and OPT1 access to the internet

                • Allow LAN access to OPT1 network (allowing me access to the security system, Nest device, Alexa Echo devices, etc...)

                • Only allow OPT1 access to the printer on the LAN network

                • Printer IP is 10.10.10.4

                1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by johnpoz

                  And already gave you how to do that!

                  Do you really need a picture?

                  Just create a rule that allows access to your printer IP, on whatever port your using for printing, 9100, 631, etc..
                  
                  Then below that block all access to your lan net. Then the any any rule to allow internet.
                  
                  1 Reply Last reply Reply Quote 0
                  • 5
                    5cub4f1y last edited by 5cub4f1y

                    Ok. Obviously I needed to find the "complete newb" forums. However, I thank you for your time. I believe through looking at what you posted, doing a lot of research on what you posted as well as cross-referencing the NetGate Docs, I have found what I needed. This configuration seems to work, at least my OPT1 devices can now ping the printer. I THINK I understand how the rules are applied:

                    • Basically, for OPT1 for example, the rules are applied as
                    1. ALLOW any DNS traffic out of the firewall ..to cloudflare or Google DNS servers for example
                    2. ALLOW any OPT1 host to ping through the firewall
                    3. ALLOW any host on OPT1 to access the printer at the specific address on LAN subnetwork.
                    4. REJECT ANYTHING else trying to get from OPT1 subnet to any other subnet that is not OPT1
                    5. ALLOW all other traffic EXCEPT what was specified before this rule, essentially allowing internet access.
                      d4168eda-cc5f-4a89-92a5-24a45b402ea4-image.png
                    • For LAN:
                    1. ALLOW access from any network (internet or private) and any address to port 80 on any LAN subnet address.
                    2. ALLOW DNS traffic (TCP/UDP protocol only) from anything on the LAN subnet through the firewall to the DNS servers listed in General settings.
                    3. ALLOW any traffic from anything on the LAN subnet to any port 80 (HTTP) on the internet or any other address.
                    4. ALLOW any traffic from anything on the LAN subnet to any port 443 (HTTPS) on the internet or any other address.
                    5. ALLOW any LAN subnet host to ping through the firewall
                    6. REJECT any attempt at access from a host on the LAN subnet to any private IP address NOT included in any rule above
                    7. ALLOW any host on the LAN subnet to access any other address, NOT excluded in any rules above. (allowing access to anything on the internet)

                    a0eb3e3f-380d-4b5b-a272-2b3c4c3ef09d-image.png

                    Hopefully I am interpreting all of this right. If not please correct so hopefully this will help me and others understand better in the future.

                    1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by johnpoz

                      All of those rules between antilock and your rfc1918 are kind of pointless.. Other than just allowing access to pfsense lan address.. I wouldn't write them that way, I would set them to just being the lan address, since your rule below your rfc1918 rule allows all of those anyway to everything else.

                      And its kind of rare to want to block your lan from talking to your other vlans, normally lan is your most trusted and open network.. While I get block your other vlans from talking to it.. Normally lan is allowed to really go where it wants.

                      Thought you wanted your lan to able able to talk to opt? Do you just want it to be able to talk to 53,80 and 443 on opt?

                      1 Reply Last reply Reply Quote 0
                      • 5
                        5cub4f1y last edited by 5cub4f1y

                        Ok. I was following the Netgate Doc page https://docs.netgate.com/pfsense/en/latest/config/example-basic-configuration.html under Basic Firewall Configuration Example/ "Setup isolating LAN and DMZ, each with unrestricted internet access" (I am assuming DMZ is OPT1?). I do want the LAN to be able to access anything on OPT1. Which rule is blocking that? Or is it an ALLOW rule that needs to be added?

                        1 Reply Last reply Reply Quote 0
                        • johnpoz
                          johnpoz LAYER 8 Global Moderator last edited by

                          The rule that rejects all rfc1918 (I assume you created an alias with all the rfc1918 networks in it) would block access to your opt network, which I assume is rfc1918 ;)

                          So as the rules are currently written you would only be able to access ports 53,80 and 443 on opt network, since right under that you block all access to any rfc1918 address.

                          1 Reply Last reply Reply Quote 0
                          • 5
                            5cub4f1y last edited by

                            Ok got it. I thought maybe I was misunderstanding what the rule was for, because it did look to me like it was blocking LAN from seeing OPT1, but the Netgate docs said to add that rule....I just removed it.

                            1 Reply Last reply Reply Quote 0
                            • johnpoz
                              johnpoz LAYER 8 Global Moderator last edited by johnpoz

                              With that rule removed, then all your other rules are pointless between the anti lockout and your any any. So why have them if they don't do anything?

                              To work out what rules you need, just come up with your traffic pattern.

                              say 10.10.10.X wanting to talk to IP:port

                              Now walk down your rules - is it allowed, or blocked? In your case the last rule would allow it, and no other rule above that would block it - so its allowed.

                              5 1 Reply Last reply Reply Quote 0
                              • 5
                                5cub4f1y last edited by

                                Ok so the rules filter DOWN...as in, if the bottom rule allows EVERYTHING, then that overrides any rules above it that allow or deny anything? So If I did want to block something, then I need to have the Allow any/any as the very top rule (under the anti-lockout)?

                                1 Reply Last reply Reply Quote 0
                                • johnpoz
                                  johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                  @johnpoz said in Print from OPT1 to LAN printer:

                                  Rules are evaluated top down, as traffic enters an interface, first rule to match wins, no other rules evaluated.

                                  Yup.. as I already stated ;) and is in the docs on how rules are evaluated, etc.
                                  https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html

                                  So If I did want to block something, then I need to have the Allow any/any as the very top rule (under the anti-lockout)?

                                  Not always.. Maybe you want to log something specific, say you wanted to log when something on the lan accesses your plex server sitting on opt.. Then you could put a rule above the any any that logs that specific traffic.

                                  Or maybe you want to policy route some specific traffic out a specific gateway, which again you would put above your any any, etc. Or maybe you wanted to mark some specific traffic, or maybe you wanted to redirect something.. There are more things to do with rules then just allow or block.

                                  1 Reply Last reply Reply Quote 0
                                  • 5
                                    5cub4f1y last edited by

                                    But if I put the Allow any any above any blocking rules, then wouldn't the firewall see that I have allowed anything and not go any further?

                                    1 Reply Last reply Reply Quote 0
                                    • 5
                                      5cub4f1y last edited by

                                      This post is deleted!
                                      1 Reply Last reply Reply Quote 0
                                      • johnpoz
                                        johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                        Yes.. I never said anything about putting block rules below your any.. Block rules would need to be above a rule that allows any..

                                        1 Reply Last reply Reply Quote 0
                                        • 5
                                          5cub4f1y @johnpoz last edited by

                                          @johnpoz said in Print from OPT1 to LAN printer:

                                          In your case the last rule would allow it, and no other rule above that would block it - so its allowed.

                                          This is what confused me. I see that and think that because the any any is on the bottow, everything above it is ignored..

                                          1 Reply Last reply Reply Quote 0
                                          • johnpoz
                                            johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                            You didn't have any block rules - you only had allow rules!!

                                            Dude... This is not difficult... Come up with your traffic pattern that you want to do something with.. Now walk down your rules top to bottom.. What rule triggers? On that traffic pattern - that is what happens... Once you hit a rule that matches, stop looking at any othe rules.

                                            If you get to the bottm and and no rules match, then it would be blocked! Default Deny, if rule does not allow it.

                                            1 Reply Last reply Reply Quote 0
                                            • 5
                                              5cub4f1y last edited by

                                              Got it. So should the LAN have any blocking on it at all? Or just basically have the anti-lockout, and the allow any/any. (I am talking about my network only, where I want the LAN to be able to access anything on OPT1, and the internet..and anything on OPT1 to access the internet, but only the printer on LAN)

                                              1 Reply Last reply Reply Quote 0
                                              • johnpoz
                                                johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                                @5cub4f1y said in Print from OPT1 to LAN printer:

                                                Got it. So should the LAN have any blocking on it at all? Or just basically have the anti-lockout, and the allow any/any

                                                Depends - do you want to block your lan from doing anything? Here are my lan rules

                                                mylanrules.png

                                                I split the IPv4 and IPv6 because sometimes I might block IPv6, etc.

                                                5 1 Reply Last reply Reply Quote 0
                                                • 5
                                                  5cub4f1y last edited by

                                                  No. Not that I can think of. Since I control all the devices on LAN (patch managment, security updates etc...) I am not as worried about vulnerabilities as I am with everything else on OPT1

                                                  1 Reply Last reply Reply Quote 0
                                                  • johnpoz
                                                    johnpoz LAYER 8 Global Moderator last edited by

                                                    If you have questions if your rules will do what you want.. Just come up with the example traffic pattern of what you want to do something with, and just walk down the rules to see what will happen.

                                                    1 Reply Last reply Reply Quote 0
                                                    • 5
                                                      5cub4f1y @johnpoz last edited by

                                                      @johnpoz Ah thank you. Thats what I now have.

                                                      A 1 Reply Last reply Reply Quote 0
                                                      • A
                                                        akuma1x @5cub4f1y last edited by

                                                        @5cub4f1y said in Print from OPT1 to LAN printer:

                                                        @johnpoz Ah thank you. Thats what I now have.

                                                        Let's see, let's see!

                                                        1 Reply Last reply Reply Quote 0
                                                        • 5
                                                          5cub4f1y last edited by

                                                          LAN

                                                          Annotation 2020-08-24 170730.png

                                                          OPT1 I'm still figuring out, following the logic to see if these rules will do what I want them to do. Which is essentially NOT allowing OPT1 to access anything on LAN, except the printer. Still looks like this...

                                                          Annotation 2020-08-24 170938.png

                                                          A 1 Reply Last reply Reply Quote 0
                                                          • A
                                                            akuma1x @5cub4f1y last edited by

                                                            @5cub4f1y Yep, those rules look good. You might need a port number on rule number 3 on your OPT1 network, but probably not. Can you print something thru this rule, does it work?

                                                            Jeff

                                                            1 Reply Last reply Reply Quote 0
                                                            • 5
                                                              5cub4f1y last edited by

                                                              Yes the printer works from OPT1 hosts. I'm starting to wonder if having the printer on the LAN network makes the LAN network more vulnerable...might be easier to just put the printer on the OPT1 network since the LAN net can access anything there anyway?

                                                              A 1 Reply Last reply Reply Quote 0
                                                              • A
                                                                akuma1x @5cub4f1y last edited by akuma1x

                                                                @5cub4f1y Yeah, that's generally how to keep your "trusted" LAN network secure, don't let much of anything in like that. However, you are only allowing access to one IP address for one device, a printer, so it should be ok. Just keep the firmware on the printer up-to-date.

                                                                You're not like sitting next to North Korea or China, or Russia or anything, right? Somewhere with a whole lot of hacker/crackers? If not, and you trust most of your OPT1 hosts, you kinda can leave it the way you've got it right now - OPT1 access to the printer on LAN.

                                                                What I would make sure to do, however, is to put a REALLY good wifi password on your Orbi Mesh stuff. keep the firmware on it up-to-date. And maybe refresh/reset the password say every 2-3 months. Just to keep the bad guys out...

                                                                Jeff

                                                                1 Reply Last reply Reply Quote 0
                                                                • johnpoz
                                                                  johnpoz LAYER 8 Global Moderator last edited by

                                                                  @5cub4f1y said in Print from OPT1 to LAN printer:

                                                                  I'm starting to wonder if having the printer on the LAN network makes the LAN network more vulnerable

                                                                  Well the security question aside.. Sometimes it easier to just put the printer where its used most and how.. I have my printer on my wlan network, because it allows for the airprint to work.. And I can print from the lan without any issues, because don't use airprint from my wired lan network.

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • 5
                                                                    5cub4f1y last edited by

                                                                    Great! Thank you guys! I'm understanding how this works a little better. I am learning networking and cybersecurity so I am wanting to eventually set this up so I can have a separate network/VLAN for a home lab, but that is later. Right now I just wanted to understand pfSense enough to not knock my wife off the internet...lol

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • First post
                                                                      Last post

                                                                    Products

                                                                    • Platform Overview
                                                                    • TNSR
                                                                    • pfSense Plus
                                                                    • Appliances

                                                                    Services

                                                                    • Training
                                                                    • Professional Services

                                                                    Support

                                                                    • Subscription Plans
                                                                    • Contact Support
                                                                    • Product Lifecycle
                                                                    • Documentation

                                                                    News

                                                                    • Media Coverage
                                                                    • Press
                                                                    • Events

                                                                    Resources

                                                                    • Blog
                                                                    • FAQ
                                                                    • Find a Partner
                                                                    • Resource Library
                                                                    • Security Information

                                                                    Company

                                                                    • About Us
                                                                    • Careers
                                                                    • Partners
                                                                    • Contact Us
                                                                    • Legal
                                                                    Our Mission

                                                                    We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                                                    Subscribe to our Newsletter

                                                                    Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                                                    © 2021 Rubicon Communications, LLC | Privacy Policy