Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Unexpected behaviour with multinet

    Firewalling
    3
    5
    135
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cabarnacus last edited by

      Let me preface this with... I'm not working on anything mission critical and I am purely using a home lab for learning/general interest networking etc, I am in no way an IT professional just a hobbyist. I don't expect or demand any support, I'm just curious as to why I have this outcome.

      It seems that traffic from a secondary subnet in a multinet environment is able to cross the firewall to WAN without any explicit rule allowing it to.

      I have an OpenVPN Access Server appliance running on my hypervisor and originally had it set up in the default NAT mode for traversing the OpenVPN client subnet to my private subnet. I was curious about setting up routing mode instead of NAT. I know many do not recommend multinet setups but my thinking is... technically it should work, it's just bad practice, lets see what happens.

      Private subnet 192.168.1.0/24 (LAN interface on pfSense)
      OpenVPN AS clients subnet 172.27.224.0/20
      OpenVPN AS address on Private Subnet 192.168.1.253

      I followed the guidance on changing from NAT to Routing here:

      https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/

      Now for the pfSense bit:

      I set up a Gateway on the LAN interface pointing to 192.168.1.253 and a static route to 172.27.224.0/20 using said gateway. Since my outbound NAT is set to hybrid mode, an automatic NAT rule was created letting the 172.27.224.0/20 subnet leave WAN. 👍

      At this point I have not set up any rule to allow the 172.27.224.0/20 subnet entering the LAN interface to go anywhere, but I was able to access the internet from it??? This I was not expecting. 👎

      I thought this might have something to do with the automatic rule on outbound NAT but as I understand it, outbound NAT is only controlling how traffic leaves an interface and not whether or not it should get there in the first place.

      I have also carefully considered all my LAN firewall rules (top down approach) and I can't see any one that would match the traffic and let it through. The bottom "allow all" rules are set to match traffic from source "LAN net" which I assume looks for the LAN subnet 192.168.1.0/24 traffic.
      I cannot access any other interfaces without changing this last rule to source "any", which is what I would expect to see.

      I just don't understand how the 172.27.224.0/20 subnet is managing to get to WAN without a pass rule allowing it.

      Can anyone point me in the right direction?

      LAN rules.JPG

      kiokoman johnpoz 2 Replies Last reply Reply Quote 0
      • kiokoman
        kiokoman LAYER 8 @cabarnacus last edited by kiokoman

        @cabarnacus

        pfSense utilizes default deny on the WAN / OPT1 /OPT2 etc etc and default allow on the LAN
        the default is that everything out to the Internet from the LAN is permitted
        https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        C 1 Reply Last reply Reply Quote 1
        • johnpoz
          johnpoz LAYER 8 Global Moderator @cabarnacus last edited by johnpoz

          @cabarnacus said in Unexpected behaviour with multinet:

          I set up a Gateway on the LAN interface pointing to 192.168.1.253 and a static route to 172.27.224.0/20 using said gateway.

          Huh?? You have a downstream router? Doing nat?

          Your going to have to layout your network if you want help... Have no idea what your doing.. And sure not going to spend time reading some shit guide on how to do X.. When for all we know you did Y and not what was in the guide at all.

          Posting of your rules on lan is a good start.. But we have no idea what are in your aliases you have listed.. And seems you have downstream networks? So your lan is a transit? Can lead to asymmetrical problems, unless this downstream is natting? etc. etc..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 23.01 | Lab VMs CE 2.6, 2.7

          C 1 Reply Last reply Reply Quote 0
          • C
            cabarnacus @kiokoman last edited by

            @kiokoman Perfect, that's the simple explanation I was looking for and explains the behaviour. Thanks.

            1 Reply Last reply Reply Quote 0
            • C
              cabarnacus @johnpoz last edited by

              @johnpoz A warm and friendly reply as usual 😁. It's been answered to my satisfaction now but I appreciate the reply, I won't bore you with the details of my network layout. Thanks anyway.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post