block traffic between interfaces [Solved]

mass · Oct 12, 2020, 3:46 PM

Hi,

I have configured pfsense firewall with one WAN, one LAN, and one OPT1 interfaces and what i noticed is there is no restrictions between the internal inetrfaces both networks are communicating. and i want to block communication between these two internal interfaces.

kiokoman · Oct 12, 2020, 8:41 AM

one way to do this:
Create an alias for the RFC1918 network ranges. Call it private_networks and include the following ranges:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

create a firewall rule on top of everything on the LAN and on the OPT1 tab with block and destination "Single host or alias" > private_network

mass · Oct 12, 2020, 8:57 AM

Created rule as per your sugestions but still no luck

mass · Oct 12, 2020, 9:09 AM

Seems its working but lost internet connectivty for both networks

kiokoman · Oct 12, 2020, 9:41 AM

do you have a public ip on your wan or is it behind another modem/router with 192.168.x.x network?

mass · Oct 12, 2020, 9:43 AM

Its connected through router there is no Public IP.

Now its working after changing the rule order for both the networks.
but not able ping own gateway ips as well.

kiokoman · Oct 12, 2020, 9:44 AM

modify the alias to be more specific, put inside only the network you have for the LAN and for the OPT1 interface

mass · Oct 12, 2020, 9:47 AM

this is the rule which i have created as per your advice.

mass · Oct 12, 2020, 9:49 AM

Alias Internal_default_Addr

mass · Oct 12, 2020, 9:52 AM

But not able to ping own gateway IP.
Ex: if my lan network is 192.168.1.1/24 i am not able to ping 192.168.1.1 from the same notwork.

kiokoman · Oct 12, 2020, 9:56 AM

what addresses do you have in the wan, lan and opt1 interfaces?
another way to do that is to make a block rule with destination "OPT1 net" on the LAN tab and one block rule with destination "LAN net" on the OPT1 tab

mass · Oct 12, 2020, 9:56 AM

WAN Configured as DHCP, WAN IP is 192.168.0.8/24.
LAN Network : 192.168.1.1/24
OPT1 : 192.168.100.1/24

kiokoman · Oct 12, 2020, 9:58 AM

maybe it's easier for you: another way to do that is to make a block rule with destination "OPT1 net" on the LAN tab and one block rule with destination "LAN net" on the OPT1 tab

mass · Oct 12, 2020, 10:09 AM

Ok Will check.

What if i want to block all ports between these two networks and allow a specific port for a specific service?

Ex : Assume my ftp server is in LAN network and i want to allow only that ftp server with ftp port for OPT1 network . and all other ports should be blocked.

mass · Oct 12, 2020, 10:19 AM

This post is deleted!

noplan · Oct 12, 2020, 10:27 AM

@mass said in block traffic between interfaces:

y ftp server is in LAN network and i want to allow only that ftp server with ftp port

for starters set an allow rule for the IP or the alias + port of your ftp server
in front of your block rule ...

rules are runnin top to bottom

brNP

mass · Oct 12, 2020, 10:36 AM

@noplan said in block traffic between interfaces:

for starters set an allow rule for the IP or the alias + port of your ftp server
in front of your block rule ...
rules are runnin top to bottom
brNP

Ok

mass · Oct 12, 2020, 10:38 AM

@kiokoman said in block traffic between interfaces:

maybe it's easier for you: another way to do that is to make a block rule with destination "OPT1 net" on the LAN tab and one block rule with destination "LAN net" on the OPT1 tab

Yes Its working ,
Thanks a lot

noplan · Oct 12, 2020, 10:42 AM

@mass

ftp workin to ?
brNP

mass · Oct 12, 2020, 2:25 PM

@noplan said in block traffic between interfaces:

ftp workin to ?
brNP

Yes Its Working
Thanks.....