Netgate Discussion Forum

Allow established/related traffic only? Coming from UniFi...

Firewalling
Cabledude

      Hello all,
      I'm configuring an SG-1100 box, to replace my Ubiquiti UniFi USG 3P. I now have the same VLANs set up in pfSense and they work on my UniFi switches. Now comes translating the firewall rules for those VLANs.
      In UniFi, I have a basic "Allow all established/related traffic" rule so devices in adjacent VLANs can "talk back" but not start new connections:
[screenshot attachment: UniFi "Allow all established/related traffic" rule]

      Let's assume I have VLAN 10 secure devices and VLAN 70 IoT. I want 10 to talk to 70 and establish a connection, but I don't want 70 to start new connections to 10.
      My ruling concept is the following, rule order top to bottom:

• allow established/related <any source> to <any destination>
• allow <all states> from VLAN10 to VLAN70
• block <all states> from VLAN70 to VLAN10

I can't seem to find an option to do this in pfSense. Should I go about doing this in a different way to accomplish the same?

      Thanks!
      Pete

PS I should have mentioned that the UniFi way of firewalling is to route all traffic to/from a VLAN by default, no restrictions. At the start, the rules list is empty and all traffic is allowed. If the aim is to block traffic, one must add a block rule (there are default WAN rules of course).
      I already found out that pfSense works in the opposite way: no rules means all traffic is blocked.

      Pete
      Home: SG-2100 + UniFi + Synology. SG-1100 retired
      Parents: SG-1100 + UniFi + Synology
      Testing: SG-1100 w/ 120GB SSD via ext USB (eMMC dead). Works great

johnpoz (LAYER 8 Global Moderator)

        If you have vlan X and vlan Y

And you let vlan X talk to vlan Y, via rules on X interface - no rules need to be added on Y for it to be able to talk back.. The state you create from X to Y when you allowed the traffic would allow Y to talk back.

        The vlan Y interface could have zero rules on it.. And you would still be able to talk back to X because of the state that was created. But Y would not be able to start a conversation with something in X, unless rules that allowed that were placed on interface Y.

Quote: "UniFi way of firewalling is to route all traffic to/from a VLAN by default"

        With Pfsense, default is deny on all new vlans. The only network that gets default any any rule is the first (LAN).. Whenever you create a new vlan/network - it defaults to no rules (other than say hidden rules to allow dhcp when you enable dhcpd on that network).

        If you want a new vlan to be able to start a conversation to anything - you would have to create the allow rules. But conversations started to it from another vlan would be allowed to return.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11
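To make the state behaviour johnpoz describes concrete, here is a small simulation of a first-match, default-deny stateful filter of the kind pf (the packet filter underneath pfSense) implements. It is an added example written for this thread, not code from the forum, from pfSense or from pf; the interface names, the /24 subnets and the addresses are constructed, and the state lookup is simplified to a symmetric 5-tuple (real pf also tracks direction, interface and TCP sequence windows). The point it demonstrates is exactly the thread's: one pass rule on the VLAN 10 interface creates a state, the reply from VLAN 70 is accepted by that state with zero rules on VLAN 70, and a fresh connection started from VLAN 70 falls through to the default deny.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str    # ingress interface; pf evaluates rules where the packet enters
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    iface: str    # interface the rule is attached to (a pfSense interface tab)
    src_net: str  # CIDR or "any"
    dst_net: str  # CIDR or "any"


def in_net(ip: str, net: str) -> bool:
    """True when ip falls inside net ("any" matches everything)."""
    if net == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


class StatefulFirewall:
    """First-match ruleset per interface, default deny, with a state table.

    Every passed packet inserts a state; later packets matching that state
    in either direction are accepted before any rule is consulted.
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. State table first: this is what lets the "talk back" traffic
        #    through without any rule on the replying interface.
        if key in self.states or reverse in self.states:
            return "pass (state)"
        # 2. Otherwise walk the rules for the ingress interface, top to bottom.
        for rule in self.rules:
            if (rule.iface == pkt.iface
                    and in_net(pkt.src, rule.src_net)
                    and in_net(pkt.dst, rule.dst_net)):
                if rule.action == "pass":
                    self.states.add(key)   # "keep state" is pf's default
                    return "pass (rule)"
                return "block (rule)"
        # 3. No rule matched: pfSense's implicit deny on every non-LAN interface.
        return "block (default deny)"


def demo() -> list:
    """Constructed scenario: VLAN 10 (secure) may open connections to VLAN 70 (IoT)."""
    fw = StatefulFirewall([
        Rule("pass", "vlan10", "10.0.10.0/24", "10.0.70.0/24"),
        # vlan70 deliberately has no rules at all
    ])
    # VLAN 10 host opens a TCP connection to an IoT device on VLAN 70.
    v1 = fw.filter(Packet("vlan10", "10.0.10.5", "10.0.70.20", "tcp", 51000, 8080))
    # The IoT device replies; this enters on vlan70, which has zero rules.
    v2 = fw.filter(Packet("vlan70", "10.0.70.20", "10.0.10.5", "tcp", 8080, 51000))
    # The IoT device tries to start its own connection back into VLAN 10.
    v3 = fw.filter(Packet("vlan70", "10.0.70.20", "10.0.10.5", "tcp", 40000, 22))
    return [v1, v2, v3]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Run it and the three verdicts come out as pass by rule, pass by state, and block by default deny, which is the UniFi rule list from the opening post collapsed into a single pass rule on the initiating interface. A block rule on vlan70 is redundant in this model, but it is still useful on a real pfSense box if you want that traffic to appear in the firewall log.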

Cabledude

          That is a brilliant explanation, thanks a lot. I've tested and it works! Kudos 👍

Pete

johnpoz (LAYER 8 Global Moderator)

            Yeah I ran a usgp3 for my main router for a short amount of time.. I needed something quick and cheap after I updated my isp speed to 500.. My sg4860 was on back order.. So at 100 bucks - sure works..

            While overall at that price point its not a bad little box.. But wow was firewalling a PITA compared to how easy it is with pfsense... Couldn't get it off my network fast enough once the netgate appliance got here..

My son is currently using the usg on his network.. It reports into my controller, and his flexHD ap.. So I can keep an eye on it.. But his network is just 1 flat network.. His TVs and him and his GF laptops and phones.. So not a lot of firewalling to have to be done on the usg.. And since he only has 100mbps isp - the dpi even works out fine, etc.

            Once you go pfsense, you won't be going back to unifi firewalls any time soon ;) To be honest it blows away most anything else I have worked on, juniper, checkpoint, cisco, palo, etc.

MisterE (replying to johnpoz)

Can someone explain why Ubiquiti chose to not automatically create "talk back" rules like pfSense? They combine all "corporate" networks (and later call it "lan". confusing!) to one "interface". All "lan" subnets are wide open. I can understand these choices to make it easier for users.

              But not integrating "talking back" rules is a failure imho. Is this deliberate? Just lazy? Is this a BSD vs Linux thing?

johnpoz (LAYER 8 Global Moderator, replying to MisterE)

                @mistere You prob have better luck asking that question over on their forums.

                While there are many a unifi AP user here, and even some of their switches.. To their actual router/firewall devices - I doubt you will find many users here, since pretty much everyone here is because they use pfsense as their firewall router ;)

                Why they do some of the stuff they do is questionable - WTF were they thinking putting just a 1gig interface on their wifi 6 (ax) access points? I'm at a complete loss there..

keyser (Rebel Alliance, replying to MisterE)

@mistere Just guessing here, but it might be that the little USG is not capable of going fully stateful on firewalling internally between VLANs. The talk back rule looks suspiciously like something you would do in a switch ACL to allow return TCP traffic when there is no state. But I don't know.

                  Love the no fuss of using the official appliances :-)

MisterE (replying to keyser)

Well, I think there are more experts here with actual low level firewall knowledge. Or experience with the design decisions other brands made.

Probably there are some use cases for real one-way traffic (UDP?) in enterprise settings but I do not see the use cases for Ubiquiti customers. Not sure if we can actually mimic the same behaviour in pfSense if we want to.

It should really be easy to automatically create the "talk back" rule. So, you would think this is deliberate. So, I am afraid I am missing something obvious. But it is probably just a stupid design :P

Cabledude

                      I was a USG user when I started learning VLANs and firewall rules. So to me it was the only way I knew at the time. For all I knew all systems would work the same. Boy was I surprised when I started using pfSense.
As pointed out above, pfSense is building states with every pass rule, which are basically invisible in the UI. There is no need to create talk back rules in the other VLAN. We (as pfSense users) are aware that by default, VLANs cannot start connections unless pass rules are created for that VLAN. As UniFi works completely in reverse (all inter-VLAN traffic allowed by default), users need to create a block all traffic rule in each VLAN. This is just guessing on my part, but requiring users to add state rules above the block rule may give starting users more insight into the logic of top down firewall rules. Actually I can't think of any use case where one would like to allow established/related traffic without also having the counterpart rules on the VLAN that is initiating that traffic.
                      Pete