Force traffic to pass through the firewall in the LAN
-
Hello,
Not being very experienced with networking, I am looking for how to do the following with pfSense. I have a pfSense router (virtualized under ESX), which currently has a WAN interface and a physical LAN interface. (The WAN arrives from the box on one of the ESX interfaces, and the LAN leaves from another interface to a switch where the other equipment is connected.)
I am trying to force traffic in the LAN to pass through the firewall; let me explain.
In this LAN I have several servers and client workstations, and I am trying to force the packets transiting this LAN to go through the firewall, first of all in order to block, for example, the machines of this LAN in 192.168.1.0/24 from reaching the IP 192.168.1.6 on port 8443.
So I created a rule on the LAN firewall, but my traceroute tells me that I do not pass through the firewall at 192.168.1.1.
Any solution or explanation for my problem? Cordially.
-
@adminsec Traffic on the same network travels directly from host to host, so pfSense is not involved. You can only make rules between interfaces (networks). It's like having a house (network) with a doorman (firewall). People in the house do not have to go through the doorman to talk to other people in the same house.
-
@kom Thank you for your answer, I understand.
It's a shame; at work I know that's what they do, but they use Stormshield.
It would therefore be better to go to each of the servers and configure the internal firewall.
It was just so I could put all the rules in one place instead of doing it like this.
Thank you for your time!
-
@adminsec said in Force traffic to pass through the firewall in the LAN:
I am trying to force the packets transiting on this LAN to go through the firewall
It doesn't work that way. All traffic on a LAN goes directly between devices. A router is only involved for traffic that leaves the local network.
-
One thing you could do is put each server on its own subnet. You can create multiple interfaces with VLANs and a managed switch. This will allow you to use both rules and routing to protect the servers. Of course, enabling the firewall on each server is a good idea anyway. On my network here, the computer firewalls are also enabled.
-
@jknott said in Force traffic to pass through the firewall in the LAN:
One thing you could do is put each server on its own subnet. You can create multiple interfaces with VLANs and a managed switch. This will allow you to use both rules and routing to protect the servers. Of course, enabling the firewall on each server is a good idea anyway. On my network here, the computer firewalls are also enabled.
OK, thank you, but yes indeed, it may be as heavy to configure as activating the firewall on each machine.
The goal was to have an overview of the firewalls without having to connect to each of the machines, and to be able to assign a "global" configuration.
-
Users and servers are normally on different VLANs. If you don't want your servers that are on the same VLAN to talk to each other, then you could use a private VLAN. If some servers do need to talk to each other, you could use ACLs on the private VLAN to allow that specific traffic.
The other option is to put servers that need to talk to each other on VLAN X, and servers that don't need to talk to other servers on VLAN Y, where Y is a private VLAN and X is not.
And users are on VLAN Z, etc.
Without understanding all the services and what you want to talk to what, it's not really possible to suggest a method that allows for the least amount of administration. Yes, security requires administration ;) Be it done at the switch, the network firewall or the host firewall.
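As an added illustration (not part of any post in this thread) of what kom, jknott and johnpoz describe: a host only hands a packet to its gateway when the destination lies outside its own subnet, so a rule on the pfSense LAN interface never sees same-subnet traffic, while moving the server to its own VLAN/subnet puts pfSense back in the path. The client address 192.168.1.50 and the 192.168.2.0/24 server VLAN are assumed values; 192.168.1.6:8443 and the gateway 192.168.1.1 come from the question.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    iface: str      # address with prefix, e.g. "192.168.1.50/24"
    gateway: str    # default gateway (pfSense address on that segment)

@dataclass(frozen=True)
class BlockRule:
    src_net: str    # source network the rule matches
    dst_ip: str
    dst_port: int

def next_hop(host: Host, dst_ip: str) -> str:
    """Where the host sends the packet: 'direct' (it ARPs for the destination
    itself) when dst is inside its own subnet, otherwise its gateway."""
    net = ipaddress.ip_interface(host.iface).network
    return "direct" if ipaddress.ip_address(dst_ip) in net else host.gateway

def is_blocked(host: Host, dst_ip: str, dst_port: int, rule: BlockRule) -> bool:
    """A rule on the pfSense LAN interface is only consulted for packets that
    actually enter that interface, i.e. ones the host sent to its gateway."""
    if next_hop(host, dst_ip) == "direct":
        return False  # the packet never reaches pfSense, so no rule can match
    src_ip = ipaddress.ip_interface(host.iface).ip
    return (src_ip in ipaddress.ip_network(rule.src_net)
            and dst_ip == rule.dst_ip and dst_port == rule.dst_port)

# Scenario 1: the flat LAN from the question, everything in 192.168.1.0/24.
flat_client = Host("192.168.1.50/24", "192.168.1.1")   # constructed client
flat_rule = BlockRule("192.168.1.0/24", "192.168.1.6", 8443)

# Scenario 2: the server moved to an assumed server VLAN 192.168.2.0/24
# (pfSense is 192.168.2.1 there); the rule's destination is updated to match.
vlan_rule = BlockRule("192.168.1.0/24", "192.168.2.6", 8443)

def demo() -> dict:
    """Run both scenarios and return the forwarding and filtering outcomes."""
    return {
        "flat_next_hop": next_hop(flat_client, "192.168.1.6"),
        "flat_blocked": is_blocked(flat_client, "192.168.1.6", 8443, flat_rule),
        "vlan_next_hop": next_hop(flat_client, "192.168.2.6"),
        "vlan_blocked": is_blocked(flat_client, "192.168.2.6", 8443, vlan_rule),
        "vlan_other_port": is_blocked(flat_client, "192.168.2.6", 443, vlan_rule),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```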
-
@johnpoz OK, I understand. I was sure that at work he told me that all traffic must pass through the firewall, even on the same network segment and VLAN.
Maybe this is a Stormshield specialty?
In any case, thank you for enlightening me!