Isolate Guest and DMZ Networks
-
Hello everyone. I'm having hard time figuring out the firewall rules needed for each interface.
-
what is the reccomended way of creating the Guest Network for pure internet access without limitations, but have isolation from the primary LAN and pfsense web interface.
-
What is the reccomended way of creating a DMZ network using port forwards for some services. Again , no connection with other Lans, just internet.
The Setup:
192.168.1.0/24 default LAN, pfsense web gui - "secured". 192.168.1.1 default gateway.
192.168.3.0/24 guest network - free internet - only internet - no access to LAN
192.168.5.0/24 DMZ section - port forwarding from WAN on 192.168.5.5 , only internet. -
-
Here are my rules for my guest WiFi, which allow access only to the Internet and pinging the interface. You'll have to add appropriate rules for incoming traffic.
-
@jknott Hello and thank you for your comment. Where is the rule that blocks access to your main LAN ?
-
-
@bambos said in Isolate Guest and DMZ Networks:
@jknott Hello and thank you for your comment. Where is the rule that blocks access to your main LAN ?
The 2nd & 3rd lines cover every possible address that might appear on any of my local LANs. One blocks all private addresses and the other all addresses within my IPv6 /56 prefix. For good measure, the 4th line blocks my WAN address on both IPv4 & IPv6. This leaves only pinging the interface, as specified in the 1st line and the last line allows access to the Internet.
Also, you'll notice I use reject rather than block. This tells the device the connection is not allowed, which is faster than waiting for a block to time out. However, I use block on the WAN rules, so that port scanning will not reveal the existence of my firewall. I'm not worried if an attacker wastes time on a block, instead of a reject.
-
@derelict Does the last 2 rules ovveride the block rules above ?
how is the evaluation ?
what happent if a rule match ? is it executed and dropping the packet, or going top to bottom ? -
Rules are processed in order until a match is found. So, after blocking local LAN addresses and the WAN address, the only thing left for the last line to allow is the Internet. So, a connection to my LAN would be stopped by line 2 or 3 and never reach the last line. Likewise an attempt to connect to my WAN address would be stopped by line 4 and never reach the last line. However a ping to my guest LAN interface is matched by the 1st line and allowed. In this instance no other line is involved.
-
@derelict Thank you so much, but from guest network i'm able to see the web interface of pfsense gui.
to my understanding , i can't block this because will loose connectivity and services because is acting also as gateway.... SO ?? does this mean i have to change the default port ? What do you think ?
-
That's not quite the way it works. When you have a packet going out to the Internet, the destination is whatever address out there, not the pfsense LAN address. Rules filter on source & destination addresses. Since a packet going to the Internet will not have that LAN address as destination, it won't be blocked. However, attempting to access pfsense will be.
-
@jknott the antilockout rule is source : ANY, destination: LAN Address.
if i change this to source, LAN NET, does this going to restrict GuestLAN to see the pfsense gui on LAN ? -
@bambos said in Isolate Guest and DMZ Networks:
@derelict Thank you so much, but from guest network i'm able to see the web interface of pfsense gui.
Not if you block access to "This Firewall" as in that example you won't.
-
Blocking access to the interface will not block traffic passing through it, as the interface IP address does not appear in any packet passing through the router. Only if you use the interface address as the destination will it be blocked by a rule to block such access.
