Netgate Discussion Forum
firewall without NAT

General pfSense Questions

olivier demoustier:

Hi, is it possible to create a firewall without NAT? I would like to make something that blocks a range of ports, but all other traffic should pass unchanged. This system has no internet and no need of DHCP. Everything is on static IPs and 99% of the traffic is UDP.
Any suggestions are more than welcome. Thx in advance

KOM @olivier demoustier:

@olivier-demoustier I've never tried it but turning off outbound NAT would do it? Firewall - NAT - Outbound. Set it to Disable Outbound NAT rule generation. I don't know if that removes or disables the existing rules or not.

stephenw10 (Netgate Administrator):

Yes, that would remove all outbound NAT rules.

https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#disabling-outbound-nat

Steve

olivier demoustier @stephenw10:

@stephenw10 Thanks for all the quick responses. Unfortunately it does not work for me. (Screenshot 2021-05-22 191521.jpg)
Attached some screenshots: NAT disabled and no firewall rules. And still no UDP traffic passing through. (floating.jpg, wan.jpg, lan.jpg)
I'm probably missing some more? I started with a fresh install, no VLANs.
I left the IP address for LAN at 192.168.1.1 (DHCP disabled).
But what IP address should I set for WAN? Like I mentioned, in this system everything is on static addresses.
Thanks in advance.

KOM @olivier demoustier:

@olivier-demoustier You need at least one Allow rule on any interface whose clients need to go through that interface. Right now, you have it configured to block all traffic to WAN and LAN.

olivier demoustier @KOM:

@kom
No luck :)
(1.jpg, 2.jpg, 3.jpg)

KOM @olivier demoustier:

@olivier-demoustier I have no idea what you're trying to do with which clients on whatever network, so I can't really comment further other than to say that you need to do some reading on pfSense and how it works. Perhaps if you explained what you have and what you are trying to do, it would be more clear. In a lot of cases, new users decide on a course of action which is either wrong or sub-optimal and then ask specific questions when they should be describing what they want to achieve and then asking for suggestions on how to best do it.

olivier demoustier @KOM:

@kom
Hi Kom, I understand what you are saying. And indeed I'm not familiar with firewalls and NATs.
In short, the situation: a lighting desk that sends (a lot of) UDP on port 6454 (Art-Net, broadcast) and some other UDP on port 9000 (OSC). I would like to split up this traffic with 2 firewalls. So I have 2 UTP cables, one with only the UDP on port 6454 and another with only the UDP on port 9000.

KOM @olivier demoustier:

@olivier-demoustier What network is on WAN, and on LAN? How are these devices (I have no idea what a lighting desk is) connected to pfSense? Is this UDP traffic coming from one client or multiple clients? Why do you want to split that UDP traffic in the first place?

I have to leave until tomorrow so post your answers and maybe someone else can help you with this.

olivier demoustier @KOM:

@kom
A lighting desk is a console that controls lights for TV/rock shows....
It broadcasts "ARTNET"; this is a UDP signal on port 6454. In large shows it reaches up to 80mb/sec. At the same time it receives other controls on port 9000 (called OSC). Sometimes the OSC gets lost by all the broadcast and/or the OSC needs to be wireless via WiFi. If we don't split the ARTNET from the OSC, all the Art-Net slows down the WiFi.
In real life it is a bit more complicated and there are also more different protocols involved. But if the simple setup works, I can adjust further.

viragomann @olivier demoustier:

@olivier-demoustier
Do all communicating devices have fixed IPs, or do they use UPnP to connect to each other?

olivier demoustier @viragomann:

@viragomann
All fixed IPs

viragomann @olivier demoustier:

@olivier-demoustier
I can imagine that you get asymmetric routing in this setup. If that's the case, it possibly helps to enable sloppy state handling.
You can do this in the firewall rules in the advanced options.

olivier demoustier @viragomann:

@viragomann
For the moment, I don't get any UDP packet through the firewall.

stephenw10 (Netgate Administrator):

pfSense will route between the WAN and LAN interfaces. Traffic coming into the LAN will be routed out to the WAN as long as firewall rules pass it and a route exists. That could be the default route or between the WAN and LAN subnets directly.

However, you're talking about broadcast traffic that will not be routed. That is always inside one subnet.

What subnets do you have on WAN and LAN?

What IPs are you testing between?

It sounds a lot like you might actually want a bridge here with both interfaces in the same subnet.

Steve

SundarNET 0 @olivier demoustier:

@olivier-demoustier If you are trying to isolate traffic by having 2 NICs in the lightbox, then you need to isolate those IP addresses and use direct IP address rules in your firewall, but you are possibly going to need to use NAT redirects for that.
I say this assuming you are trying to isolate one port's traffic through one NIC and the other via the second to stop overloads?

AKEGEC:

Some people are still believing that NAT is evil. Just because some people don't like entering their home through a door instead of a wide gate. By default a door denies all inbound.

NOCling:

If it is broadcast, use only a managed switch with different VLANs, then you get 2 broadcast domains and no interaction between them.

One VLAN is used for WiFi and the other doesn't flood the WiFi anymore. If you now want to route between these VLANs, you need different IP subnets and then you can use a firewall between them.

Netgate 6100 & Netgate 2100

olivier demoustier @SundarNET 0:

@sundarnet-0
Hi SundarNet, the lighting console has only 1 NIC. So all this broadcast (on port 6454 and 9000) passes in/out 1 NIC on that end. This means only 1 IP address.

olivier demoustier @stephenw10:

@stephenw10 IP range is 2.x.x.x subnet 255.0.0.0

olivier demoustier @NOCling:

@nocling
I do not think a VLAN will solve this. But I'm more than happy to learn how you would solve this with a VLAN. Can a VLAN read a packet and look if it comes from port 6454 and if so ignore this packet?

olivier demoustier @NOCling:

@nocling
Sorry, everything needs to be in the same subnet. (2.x.x.x /8)
We cannot change this.

olivier demoustier:

If I bridge WAN-LAN, all traffic passes, so the hardware is working. But whatever FIREWALL rule I add, all traffic keeps on passing. I have set "net.link.bridge.pfil_bridge" to 1 and "net.link.bridge.pfil_member" to 1.
Was hoping this would solve it... but :( no luck

viragomann @olivier demoustier:

@olivier-demoustier said in firewall without NAT:

@nocling
Sorry, everything needs to be in the same subnet. (2.x.x.x /8)
We cannot change this.

If both interfaces of pfSense have to be within a single subnet you have to bridge them, as @stephenw10 already mentioned.
Doing this also enables broadcasts between the devices. Maybe this is what you need.

olivier demoustier @viragomann:

@viragomann

Thank you, I tried this (look at my recent post), but then it just works as a 2-port switch. FIREWALL rules are not working.

viragomann:

@olivier-demoustier said in firewall without NAT:

But whatever FIREWALL rule I add, all traffic keeps on passing. I have set "net.link.bridge.pfil_bridge" to 1 and "net.link.bridge.pfil_member" to 1.
Was hoping this would solve it... but :( no luck

It should work with these settings. Maybe you have to kill existing states before testing.

olivier demoustier:

At last, I found it. Don't know why, but in bridge mode you need to reboot the firewall after you change a rule.
Will test further. But for the moment I have 1 rule to enable or disable all traffic. If you change this rule, you need to reboot.
To everybody, thank you so much for all the help.

AKEGEC @olivier demoustier:

@olivier-demoustier said in firewall without NAT:

At last, I found it. Don't know why, but in bridge mode you need to reboot the firewall after you change a rule.
Will test further. But for the moment I have 1 rule to enable or disable all traffic. If you change this rule, you need to reboot.
To everybody, thank you so much for all the help.

Happy for you. Don't forget to enable the auto start for all VLAN bridges.

olivier demoustier @AKEGEC:

@akegec
mmm, don't know what you are saying. I don't use any VLANs. Or is a bridge some kind of VLAN?

stephenw10 (Netgate Administrator):

You need to set the filtering sysctls before you create the bridge. So if you change them afterwards you need to re-create the bridge. A reboot does that.

Steve

olivier demoustier @stephenw10:

@stephenw10
Thanks Steve. Was not sure if I was doing something wrong. This explains it.

KOM @olivier demoustier:

@olivier-demoustier Lastly, existing firewall states are not affected by a rule addition or change. Those states need to be cleared via Diagnostics - States in order for the new/modified rule to take effect. This trips a lot of people up when they make a rule and it doesn't seem to do anything. Rebooting the firewall does the same thing as resetting states but in a brute-force way. Glad to hear you got it working.

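The two points made in the last few posts (the bridge filtering sysctls only take effect on a bridge created after they were set, and existing states survive a rule change) are easy to mis-diagnose from the GUI alone. The following POSIX shell script is an added example for this thread, not code from pfSense or from any poster. It assumes the FreeBSD `sysctl` output form `name: value` (so it can be fed `sysctl net.link.bridge` on the pfSense shell, or a pasted copy of it), and the pfctl(8) options `-F states` and `-k host`; the host 2.0.0.10 in the usage line is a made-up address inside the poster's 2.0.0.0/8 range.

```shell
#!/bin/sh
# Added example; not code from the thread or from pfSense. Two checks for the
# "rules on my bridge do nothing" situation discussed above.
#   bridge_filter_state  reads "sysctl net.link.bridge" style output on stdin
#                        and reports whether pf filters on the bridge interface
#                        and/or on its member interfaces. Both sysctls must be 1
#                        before the bridge is created; if they were changed after
#                        it existed, the bridge has to be re-created (a reboot
#                        does that), so reading the live values is the first check.
#   state_flush_cmd      builds the pfctl command that clears the pf states a
#                        rule change leaves untouched (GUI: Diagnostics > States).
#                        Given a host address, only that host's states are killed.
#   flush_states         runs that command, or only prints it when DRY_RUN=1.

# Print one of: full | bridge-only | member-only | none
bridge_filter_state() {
    pfil_bridge=0
    pfil_member=0
    while IFS= read -r line; do
        value=${line##*:}          # text after the last colon
        value=${value# }           # drop the single space sysctl prints
        case "$line" in
            net.link.bridge.pfil_bridge:*) pfil_bridge=$value ;;
            net.link.bridge.pfil_member:*) pfil_member=$value ;;
        esac
    done
    if [ "$pfil_bridge" = 1 ] && [ "$pfil_member" = 1 ]; then
        echo full
    elif [ "$pfil_bridge" = 1 ]; then
        echo bridge-only
    elif [ "$pfil_member" = 1 ]; then
        echo member-only
    else
        echo none
    fi
}

# No argument: flush every state (what a reboot achieves, brute force).
# With a host: kill states from that host and states to it (both directions).
state_flush_cmd() {
    if [ -n "$1" ]; then
        echo "pfctl -k $1 && pfctl -k 0.0.0.0/0 -k $1"
    else
        echo "pfctl -F states"
    fi
}

flush_states() {
    cmd=$(state_flush_cmd "$1")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $cmd"
    else
        eval "$cmd"     # pfctl needs root on the pfSense shell
    fi
}

# Stand-alone use: `sh bridge-check.sh [host]`. DRY_RUN defaults to 1 here so
# nothing is flushed unless you ask for it with DRY_RUN=0 (2.0.0.10 is made up).
live=$(sysctl net.link.bridge 2>/dev/null | bridge_filter_state)
echo "bridge filtering in effect: $live"
DRY_RUN=${DRY_RUN:-1}
flush_states "${1:-}"
```

If the first line prints anything other than `full` on a box where the rules should apply, the sysctls were not both 1 when the bridge came up, and no amount of rule editing will change that until the bridge is re-created. Prefer the per-host form of the flush over `pfctl -F states` on a live show network: it only disturbs the sessions of the device whose rule you changed.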
olivier demoustier @KOM:

@kom
Thank you for explaining. But it would be nice if the software would do this automatically when you hit 'Apply'. Or at least a pop-up saying that you need to do that......?

KOM @olivier demoustier:

@olivier-demoustier I hear you. After applying the rule, it should be possible to go through the state table and nuke any states that match a firewall rule. An option could be added to the rule list page to reset existing states on Apply after add/edit. There is likely a technical reason I'm ignorant of as to why this isn't done. Perhaps for performance reasons like having to wait another 5-10s more (depending on your CPU) than you already have to wait every time you modify the rules. Perhaps the dynamic nature of the table and how it works makes this difficult or impossible. I don't know. But I do know that this is fairly obvious and smarter people than I have been working on this for a long time so there must be a reason.

olivier demoustier @KOM:

@kom
Or just add a second apply button. One without and one with the extra actions needed....

SundarNET 0 @olivier demoustier:

@olivier-demoustier How do you get different paths, i.e. WiFi and LAN, into the lightbox? That sort of indicates having WiFi and LAN NICs, therefore it should have 2 IP addresses. How is it specifically set up? What is the lightbox connected to? Via a switch or? As you are trying to isolate 2 different port ranges in one path or channel, e.g. only one NIC, that is sort of pointless, as that traffic needs to pass through a NIC to get to the light box, and different ports, if you are trying to isolate traffic, need to travel through separate NICs to not conflict or congest said NIC. My thought to do this would be a NAT redirect for one port to go via one NIC and the other port to be redirected to the 2nd NIC, but you have not been clear with your actual config. I could be wrong but it's how I would do it: 2 NICs in the light box, 2 IP addresses, with a separate NAT redirect for each needed port or port range.

AKEGEC @olivier demoustier:

@olivier-demoustier It was late and my eyes were half closed, sorry for the confusion. Steve explained what I was trying to say. @stephenw10 thanks man.

olivier demoustier @SundarNET 0:

@sundarnet-0
A picture speaks a thousand words.
This is the setup (simplified).
The lighting consoles have only 1 NIC for all types of communication like Art-Net, sACN, OSC, Telnet, UDP remoting, TCP remoting..........

(setup.jpg)

olivier demoustier @stephenw10:

@stephenw10

Just ran into another problem here. Maybe someone can help me out?
So I made a bridge and have only 1 firewall rule that passes all traffic.
(Screenshot 2021-05-26 162400.jpg)
Part of the traffic is "sACN". It is a multicast UDP E1.31-based signal (more info here: https://artisticlicence.com/WebSiteMaster/Publicity/HelpDesk18-sACN-in-large-systems-Part1-Nov2018.pdf).
After a few minutes (without any reason or changes) this part stops working. As far as I can see, all other protocols keep passing the firewall.
Anyone any idea why?

stephenw10 (Netgate Administrator):

You might need to check 'Allow IP options' on the pass rule there:
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html?highlight=multicast#ip-options

Steve

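The checkbox Steve points at maps to the `allow-opts` keyword on the pf pass rule: pf blocks IPv4 packets that carry IP options unless the rule that passes them has it, and the linked docs call it out for multicast, which is the sACN case here. The POSIX shell script below is an added example for this thread, not code from pfSense or from any poster. It reads a ruleset in the text form `pfctl -sr` prints and lists the pass rules on a given interface that lack `allow-opts`, so the missing box can be found without clicking through every rule. The interface name bridge0 and the sample rules inside `sample_rules` are constructed for the example; the labels only mimic the `USER_RULE:` form pfSense uses.

```shell
#!/bin/sh
# Added example; not code from the thread or from pfSense. Reads a ruleset in
# the one-rule-per-line text form of "pfctl -sr" on stdin and lists the pass
# rules on one interface that lack "allow-opts". pf drops IPv4 packets that
# carry IP options unless the matching pass rule has allow-opts, which is what
# the GUI's "Allow IP options" checkbox adds; the linked docs point to it for
# multicast (the sACN case above). bridge0 and the sample rules are constructed.

# Print each pass rule on interface $1 that has no allow-opts.
# No output means every pass rule on that interface already allows IP options.
missing_allow_opts() {
    iface=$1
    while IFS= read -r rule; do
        case "$rule" in
            pass*" on $iface "*)
                case "$rule" in
                    *" allow-opts"*) ;;        # options already permitted
                    *) echo "$rule" ;;
                esac ;;
        esac
    done
}

# Same check as a plain integer, handy for scripts and asserts.
count_missing_allow_opts() {
    missing_allow_opts "$1" | wc -l | tr -d ' '
}

# Constructed sample in pfctl -sr style (not a real ruleset).
sample_rules() {
    cat <<'EOF'
block drop in log all label "Default deny rule IPv4"
pass in quick on bridge0 inet proto udp from any to any port = 6454 keep state label "USER_RULE: artnet"
pass in quick on bridge0 inet proto udp from any to any port = 9000 keep state allow-opts label "USER_RULE: osc"
pass in quick on bridge0 inet all flags S/SA keep state allow-opts label "USER_RULE: everything else"
pass in quick on em0 inet all flags S/SA keep state label "USER_RULE: wan"
EOF
}

# Stand-alone: `sh allow-opts-check.sh [iface]`. Uses the live ruleset when
# pfctl is available (root on the pfSense shell), otherwise the sample.
iface=${1:-bridge0}
if command -v pfctl >/dev/null 2>&1; then
    pfctl -sr | missing_allow_opts "$iface"
else
    sample_rules | missing_allow_opts "$iface"
fi
```

Run against the sample it reports only the `artnet` rule on bridge0; on a real box, any rule it prints for the interface the multicast arrives on is a candidate for the 'Allow IP options' fix, after which the states from the old rule still need clearing, as discussed earlier in the thread.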