Blocking local devices on dual WAN setup
-
Looking for some assistance in getting my firewall rules to work the way I need them to.
To keep it short, I have a dual WAN setup. pfSense is running in Hyper-V with a dedicated NIC for WAN 1 (gigabit ISP) and a USB tethered cellular hotspot for failover WAN. I have them set up in a gateway group and it functions perfectly. Primary WAN goes down, it flips to cellular and as soon as packet loss drops below my set threshold, it flips back to the primary WAN.
However, I want to block certain devices from having access to the failover WAN entirely. Specifically devices that have high data usage (because cellular access is obviously metered/throttled).
When I apply port rules to the firewall, it works exactly as I expect. Service on said port is blocked only on the failover WAN. However, I have a few devices that use random ports on some services, so I'd like to block that device's network traffic to the failover WAN entirely. But when I do so in Firewall > Rules, pfSense basically just ignores that rule and passes the traffic anyway. Screenshot below.
The top rule I would expect to block all traffic to said IP address, however, that rule is completely "ignored". The rule containing the port block works as expected though.
Any assistance is appreciated. I'm no network expert, but I have a few years of basic network experience in small businesses, and have a fairly complex home lab setup with enterprise grade equipment (used HPE equipment from my employer) and am trying to learn the proper methods. I've also tried using the Netgate guides but I'm just not understanding what I need to do. I've been following every guide I can find for a few weeks and nothing is working.
-
@soulvoid86 said in Blocking local devices on dual WAN setup:
However, I want to block certain devices from having access to the failover WAN entirely. Specifically devices that have high data usage (because cellular access is obviously metered/throttled).
So you have incoming connections and you have forwarded them by port forwarding rules on both WANs?
If so you could simply remove the NAT rules from the failover WAN.
-
@viragomann No, port forwarding is only applied to primary WAN. The screenshot I provided is all of the current rules for the failover WAN. 3 rules for blocking but only the rule that works is the one with port 32400 specified. The 2 top rules for IPs *.5 and *.11 do not work.
I also have devices that do not have any services running on them at all, nor do they have ports forwarded in the firewall at all. I cannot block those devices either, but I want the ability to do so.
Here is a screenshot of my forwarding rules.
-
@soulvoid86 said in Blocking local devices on dual WAN setup:
No, port forwarding is only applied to primary WAN. The screenshot I provided is all of the current rules for the failover WAN.
But since you don't forward anything from the failover WAN there cannot be any incoming traffic that the mentioned rules match.
You might only have upstream traffic from the internal devices, but this cannot be blocked by rules on the WAN interface. You have to add the rules to the LAN.
-
@viragomann That makes sense, so let me clarify what I want to do exactly. Maybe I'm going about this wrong.
I have a number of different PCs around the house. Home Theater, laptops, desktops, multiple servers, etc., not to mention mobile devices.
I want to block any of those given devices from having any external network access, video streaming, even just basic web browsing, over the failover WAN. If it's not a critical device, I don't want it to have any external network access while on this WAN. I figured if I block these devices by IP on the failover WAN interface, they would simply not route at all.
-
@soulvoid86
Since these devices are connected to the LAN interface you have to block them on the LAN.
There might be multiple ways to achieve that. This is one:
1. Add the device IPs you want to go out on the default WAN only to an alias.
2. Add a firewall pass rule on LAN to the top of the rule set with this alias as source for internal connections like DNS access to pfSense. Maybe you have to add multiple rules if you have different internal services you want to access.
3. Add a pass rule next below with the alias as source, at destination check invert and select "This firewall". Open the advanced options, go to gateway and select the WAN gw.
(This presumes that you don't need to access any other device than pfSense itself, since you have only one internal network segment.)
4. Add a block rule with the alias as source and any as destination.
5. Go to System > Advanced > Miscellaneous and set a check at Skip rules when gateway is down (Do not create rules when gateway is down).
-
@viragomann
Unfortunately, I just tried the steps you provided, but the IP I added to the alias simply loses all WAN access. Both primary and failover.
-
@soulvoid86
Presumably your devices are not able to access the DNS server anymore, because you did not do what I suggested.
I advised to add a rule to the top of the LAN rule set for allowing access to internal services like DNS. This rule must have the gateway option set to "any".
Since I don't know which services you need, I cannot be more accurate. Supposing you're using the DNS Resolver on pfSense, you need to pass TCP/UDP to the destination "This firewall", port 53.
The next rule has the WAN gateway set, so it directs any passed traffic to that gateway. Hence it cannot be used for access to internal destinations.
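The two points the thread turns on, that a rule on the WAN interface never sees traffic entering on LAN, and that the LAN rule ordering only works when the internal-services pass rule comes first, can be checked with a small first-match rule evaluator. The code below is an added example written for this page; it is not pfSense code and does not reproduce pf's real matching engine. It models the five-step LAN rule set from the reply above plus the "Skip rules when gateway is down" behaviour, and then shows why omitting the DNS rule (the later reply) blocks the metered hosts completely. The addresses, the alias name `metered_hosts`, the gateway names `WAN1`/`WAN2` and the stock "LAN to any" pass rule are all constructed assumptions.

```python
"""Toy first-match firewall evaluator (added example, not pfSense's engine)."""
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple

# Constructed sample addressing for the example (assumed, not from the thread).
FIREWALL_SELF = {"192.168.1.1"}                                  # "This firewall"
ALIASES = {"metered_hosts": {"192.168.1.5", "192.168.1.11"}}     # the GUI alias


@dataclass
class Packet:
    iface: str      # interface the packet ENTERS the firewall on
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    iface: str
    action: str                     # "pass" or "block"
    src: str = "any"                # IP, alias name, or "any"
    dst: str = "any"                # IP, "self" (This firewall), or "any"
    dst_invert: bool = False        # GUI "Invert match" on the destination
    proto: str = "any"
    dport: Optional[int] = None
    gateway: Optional[str] = None   # None = default routing (gateway "any")


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "self":
        return addr in FIREWALL_SELF
    if spec in ALIASES:
        return addr in ALIASES[spec]
    return spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Interface rules apply to traffic entering on that interface only.
    if rule.iface != pkt.iface:
        return False
    if not _addr_matches(rule.src, pkt.src):
        return False
    dst_ok = _addr_matches(rule.dst, pkt.dst)
    if rule.dst_invert:
        dst_ok = not dst_ok
    if not dst_ok:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, gateways_up: Set[str]) -> Tuple[str, Optional[str]]:
    """First matching rule wins. A rule bound to a gateway that is down is
    skipped entirely, mirroring "Skip rules when gateway is down".
    Returns (action, gateway-used)."""
    for rule in rules:
        if rule.gateway is not None and rule.gateway not in gateways_up:
            continue
        if rule_matches(rule, pkt):
            return rule.action, rule.gateway
    return "block", None            # implicit default deny


# The first attempt from the thread: block rules on the failover WAN interface,
# with the stock "LAN to any" pass rule (assumed) still in place.
WAN_ONLY_ATTEMPT = [
    Rule("wan2", "block", src="192.168.1.5"),
    Rule("lan", "pass"),
]

# The suggested LAN rule set, top to bottom (steps 2, 3, 4, then stock rule).
LAN_RULES = [
    Rule("lan", "pass", src="metered_hosts", dst="self", proto="udp", dport=53),
    Rule("lan", "pass", src="metered_hosts", dst="self", dst_invert=True, gateway="WAN1"),
    Rule("lan", "block", src="metered_hosts"),
    Rule("lan", "pass"),
]

# Same set with the internal-services (DNS) rule left out.
WITHOUT_DNS_RULE = LAN_RULES[1:]

# Constructed sample packets entering on LAN.
DNS_FROM_METERED = Packet("lan", "192.168.1.5", "192.168.1.1", "udp", 53)
WEB_FROM_METERED = Packet("lan", "192.168.1.5", "198.51.100.10", "tcp", 443)
WEB_FROM_OTHER = Packet("lan", "192.168.1.50", "198.51.100.10", "tcp", 443)

if __name__ == "__main__":
    both = {"WAN1", "WAN2"}
    print("WAN-interface block, LAN traffic:", evaluate(WAN_ONLY_ATTEMPT, WEB_FROM_METERED, both))
    print("LAN rules, DNS to pfSense:       ", evaluate(LAN_RULES, DNS_FROM_METERED, both))
    print("LAN rules, web, WAN1 up:         ", evaluate(LAN_RULES, WEB_FROM_METERED, both))
    print("LAN rules, web, WAN1 down:       ", evaluate(LAN_RULES, WEB_FROM_METERED, {"WAN2"}))
    print("LAN rules, non-metered host:     ", evaluate(LAN_RULES, WEB_FROM_OTHER, both))
    print("DNS rule omitted, DNS to pfSense:", evaluate(WITHOUT_DNS_RULE, DNS_FROM_METERED, both))
```

Running it shows the metered host's web traffic passing untouched when the only block is on the `wan2` interface, passing via `WAN1` when that gateway is up, falling through to the block rule when `WAN1` is down, and, with the DNS rule omitted, being blocked even for DNS to the firewall itself, which is the "loses all WAN access" symptom: the inverted-destination rule deliberately excludes the firewall, so nothing above the block rule matches.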