Need to allow access to specific corporate network IP from guest network
-
Hello all, first time poster but I've read a lot here to help me setup my pfSense setup. That was several years ago. I recently updated to pfSense 2.5.1 a couple of months ago.
I'm tasked with administering this small corporate network. Let's call it corporate, single subnet, nothing major only about 60 clients on LAN, couple webservers with low traffic on them.
Our firewall has 4 NICs:
1 - WAN - Assigned to our main internet access. Has a /24 subnet with 5 external static IPs configured properly as virtual IPs
2 - WAN2 - A backup internet - which is just a cheap regular old cable connection with a cable modem, no static IP, no constant access, we pay as we go so I don't want to route guest traffic through here
3 - LAN - Self explanatory
4 - Guest LAN - separate from LAN, with its own DCHP. I created this guest network to allow some external contractors Internet access without necessarily giving them access to all our resources, mapped drives, etc. It also allows to have a wifi AP on premises that doesn't have direct access to all our resources, only Internet which is great.
Issue is we also have a few utility webservers like an internal wiki for example, that we would like unauthenticated - or non domain users - to access. This works fine if they are on our regular corporate network but not at all on our guest network.
This webserver has a virtual IP setup on our main WAN. Let's say it's 43.42.etc.
We allow external access to it only on the HTTPS port, and there's a firewall rule + NAT that allows this. It works perfectly well. Trying any other port will get blocked.
Internal DNS, provided by our AD Domain Controller, allows internal users to access this "wiki" directly through the corporate LAN, using its internal IP address. i.e. 192.168.etc
This overrides the external DNS from say google 8.8.8.8 on our corporate LAN.
External DNS resolves the IP to our assigned external virtual IP properly but of course, anything from the guest network - which is naturally routed out through our main interface - is also denied coming back through the main interface. The result was that if I try accessing this "wiki" with my cell phone, while connected on the guest network, it will fail.
I can simply add our AD Domain Controller's DNS to the list of DNS servers provided to the guest network, but then that allows anyone on this guest network to "see" our domain resources, servers, workstations, printers. It defeats the purpose of having a guest network in the first place.
Now I can't figure out a way to make it so that only the specific internal 192.168.etc address would be accessible from the guest network on 10.10.etc
I'm sure it can't be that difficult but I can't for the life of me figure it out.
Can anyone please guide me in the right direction?
Thank you,
-Luca
-
You can start with my guest WiFi rules. Take a look at the first line, which allows specific access to the interface. You could do something like that, specifying the source and destination addresses, along with the desired protocol. It's as simple as that.
-
@jknott said in Need to allow access to specific corporate network IP from guest network:
You can start with my guest WiFi rules. Take a look at the first line, which allows specific access to the interface. You could do something like that, specifying the source and destination addresses, along with the desired protocol. It's as simple as that.
Well I tried. The only way to give access that I've found so far was to just open the guest network to the LAN which I don't want to do. It worked in testing for 20 minutes but I shut it off because now anyone on our guest would have network access to our servers, printers, computers, etc.
Thanks anyways.
-
Can we see what rules you added to review?
-
Ah, actually are you using pfSense for DNS on the guest network?
@JKnott's ruleset does not allow that so if you are you would need an extra rule for that.
If you're not then there would be no DNS override for the guests accessing the wiki so you would need something else, like NAT reflection.
Steve
-
@stephenw10 We're not exactly using pFsense for DNS. I'm using a Pihole that gets DNS from OpenDNS. The DNS resolution can be resolved to either external IP or internal IP depending on whether I leave the DNS server in Pihole alone, or I add an entry for our internal IP addresses and names.
Our main corporate LAN gets DNS from our domain controller. It was like that when I got here and works correctly.
So in PiHole I have local DNS entries like this:
And they resolve properly as NSLOOKUP throws me the correct IP address from a DOS prompt on a laptop connected to guest.These are the rules in pFsense:
That first pass rule is supposed to open everything to the guest network. I know it worked a while back but as aforementioned I disabled it because we don't want anyone with our guest password to access our devices.
I tried enabling it now, but it's not working anymore, not sure why... I moved it up/down above/below the default gateway group to see if it made any difference but it didn't.
The default gateway group is so that both LAN and Guest can access Internet using the same gateway and switch over to the backup Internet service on WAN2LTE which is now an LTE access point. (used to be cable)
That part works properly, if I pull the plug on the Ethernet cable from FIBRENOIRE (our ISP) it automatically switches over after a few seconds. At that point, naturally the internal servers and VPN aren't accessible from outside but we can live with that temporarily while the primary ISP is restored. It gives us basic internet access so we can send/receive emails, basic stuff.
What's interesting is that my old pFsense had no problems doing the guest to local servers ONLY rules. When I switched it to new hardware, I backed up the config and restored on the new server with the new version of pFsense on it and everything else just worked. The four bottom PASS rules are the ones imported from the old instance and they don't work. They're enabled for testing now but I usually leave them disabled for security mostly because I don't know what they actually do - if anything.
I'm still scratching my head on this one...
-
The test rule needs to use destination LAN1net not address if it's intended to open it up completely.
The wiki and jira rules need to be above the default rule that is policy routing everything via a gateway group. That will get forced out of the WAN(s).
Steve
-
@stephenw10 Yes. That worked. I disabled the test rule after realizing the rookie mistake...
Wow. I didn't realize that placing the gateway group above the rules would route everything through the gateway group.
Thank you very much. That was awesome help.
-
No problem. It's very easy to overlook that.
-
@stephenw10 said in Need to allow access to specific corporate network IP from guest network:
@JKnott's ruleset does not allow that so if you are you would need an extra rule for that.
Yep, I point guests to Google DNS servers.
-
@colonnesel said in Need to allow access to specific corporate network IP from guest network:
I didn't realize that placing the gateway group above the rules would route everything through the gateway group.
What did you think would happen - rules are processed top down, first rule to trigger wins - no other rules are evaluated. So if rule triggers that forces traffic out a specific gateway, that is what will happen..
Here is docs on bypassing policy routing.
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing -
Mmm, technically the negate rules are supposed to prevent that. But haven't done since.... 2.0.X something I think.
-
@stephenw10 said in Need to allow access to specific corporate network IP from guest network:
the negate rules are supposed to prevent that.
Is there some redmine about this? I don't recall ever reading anything in the docs where somehow pfsense would know not to route traffic out a gateway, if it had another route to that network.. as long as I can remember - but I don't recall doing any policy routing pre 2.x ;)
And if I did, I would of had a rule that allowed the traffic before forcing traffic out a gateway anyway.
-
I don't think there is because in fact I think the intention was to only negate policy routing for VPN connected networks after this:
https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/b4227df690fb7a989ead9b3928ebaaaa34b495eb/diff/etc/inc/filter.incBut the description of it is still the original function:
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-disablenegaterulesI'll open a bug....
https://redmine.pfsense.org/issues/12535
-
@johnpoz Yep. Rookie mistake. When I switched over the old cable backup Internet connection to the new LTE one I created a new gateway set and naïvely placed it above the other rules thinking that the PiHole DNS would override it.
I honestly have no idea why I would've thought that to be honest because it makes no sense.
Thank you.
-
@colonnesel said in Need to allow access to specific corporate network IP from guest network:
Rookie mistake
Not sure I would say that - it does come up quite a bit around here to be honest.. Quite often users policy routing and wondering why they can not get to some other vlan, etc.
I honestly have no idea why I would've thought that to be honest because it makes no sense.
Huh - if you understand how the rules are evaluated, and how policy routing works then its quite clear that if you forced traffic out a gateway that can not get to where you want to go.. you wouldn't be able to get there..
To be honest I would be disappointed if I had a rule that said use this gateway, and this was first in my rules, and it didn't send traffic down that gateway even if there was another route.. If that is how it "should" work per what @stephenw10 has mentioned. That really should be CLEARLY stated that it will work that way.. Which in 10 some years using pfsense, do not recall it ever doing that with any sort of negate rules, etc.
That is what can happen if the gateway your forcing traffic out is DOWN, and you have setting to not use that rule if gateway goes down, etc. But if the gateway is UP, and rule is before another rule - then it should force the traffic out the gateway.