Netgate Discussion Forum
Disable all packet filtering interface locking

Firewalling

tonybutler, Sep 20, 2021, 1:07 PM

    If we were to set 'Disable all packet filtering', would we still be able to lock it so the web interface side was only available on a certain interface, from a certain IP, given that packet filtering is disabled?

    Ref: "Disable Firewall

    When Disable all packet filtering is set, the firewall becomes a routing-only platform. This is accomplished by disabling pf entirely, and as a consequence, NAT is disabled since it is also handled by pf."

    https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html

    tonybutler, Sep 22, 2021, 12:02 PM

      Hi, does anyone have any idea if we can achieve this? We want to lock the PF web interface to one NIC interface.

      Cheers

      johnpoz (LAYER 8 Global Moderator) @tonybutler, Sep 22, 2021, 12:29 PM (edited 12:30 PM)

        @tonybutler The GUI does not allow you to set which interface the GUI listens on; it listens on all IPs.

        Why would you not just turn off NAT and make your rules any/any if you just want to route? This would leave you with the ability to firewall, for example, the GUI and SSH, and other things that might come up where a firewall rule would make your life easier.

        If you're wanting to disable pf for performance issues, it would seem to me the box is undersized for what you're wanting to do with it.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          jacklloyd @johnpoz, Sep 22, 2021, 1:30 PM

          Thanks @johnpoz. I work with @tonybutler and know what the challenge he's describing is. Your solution sounds like a good one; I was just hoping I could run it by you once more with a bit more context.

          We've been given a wires-only Internet circuit by a provider and they've provided us with normal uplink details (a /29 subnet). We asked for a /27 block for our own external services and need to run/route this as a separate interface ourselves, given it's a wires-only deployment (no managed router). I.e., in a pfSense world: the "WAN" uplink is the /29 and our "LAN" is the /27 we requested. For reference, all of these addresses are public, non-RFC 1918 addresses.

          Just for total clarity, are you suggesting we configure the "WAN" with the /29 and the "LAN" as the /27, and deploy an any/any rule from the LAN to the WAN (would we need one from the WAN to the LAN too?) with NAT disabled, to allow full flow of traffic for normal routing to the Internet?

          A big challenge we face is how we keep the pfSense locked to our network for administration, given this would be an Internet router. I'm thinking we could just create a third interface on the pfSense in question to be on our corporate LAN and put the usual HTTPS/443 access rule entry in to allow access to the web UI. Do you see any security problems with that?

          The pfSense routing overhead won't be a problem here; it'll be going on HP ProLiant server hardware.

          Thanks again for your help.

          Jack.

            johnpoz (LAYER 8 Global Moderator) @jacklloyd, Sep 22, 2021, 1:45 PM (edited 1:52 PM)

            @jacklloyd said in Disable all packet filtering interface locking:

            A big challenge we face is how do we keep the pfsense locked to our network for administration given this would be an Internet router.

            Not sure why. Your "admin" stuff shouldn't be on this routed /27 you're getting. That should be set up on its own interface. All your normal network stuff, admin machines, etc. should be on your normal internal networks.

            These networks could be downstream even from pfSense, if it is at the edge.

            Running a routed public network behind pfSense as the router/firewall is really no different than running an RFC 1918 network, other than you don't NAT. What other networks are in play behind pfSense really has little to do with that. Those could be RFC 1918 networks, they could be other routed networks, etc.

            the "LAN" as the /27

            I wouldn't really put the /27 on the pfSense "LAN"; it should be some other OPT network you create. The pfSense "LAN" is better suited for your internal "admin" network, since it defaults to having the anti-lockout rule on it, which makes it better suited for an admin network if you're going to run more than one LAN-side network, whether those networks are RFC 1918 and NATed or public and not NATed.

              jacklloyd @johnpoz, Sep 22, 2021, 1:54 PM

              @johnpoz That's great.

              What we'll probably do then is just manage the pfSense with an IP lock from our other Internet connections on the /27 LAN interface for this. This would mean this pfSense isn't physically connected to our network and is just an edge router for our other firewall to uplink to.

              The ISP has given us the following to use if the edge device were a Cisco router. How would we create this on the pfSense? Do we just create VLANs with the same IDs on the VLANs tab of pfSense and assign them to the appropriate network interfaces?


              ! ISP-supplied IOS snippet, with the subinterface lines reordered: IOS
              ! requires 'encapsulation dot1Q' on a subinterface before it will accept
              ! an 'ip address'. The parent GigabitEthernet0/0/0 must also be 'no shutdown'.
              interface GigabitEthernet0/0/0.100
               description WAN
               encapsulation dot1Q 100
               ip address YYY.YYY.YYY.YYY 255.255.255.254
              !
              interface GigabitEthernet0/0/1
               no shutdown
              !
              interface GigabitEthernet0/0/1.800
               description LAN
               encapsulation dot1Q 800
               ip address XXX.XXX.XXX.XXX 255.255.255.224
              !
              ip route 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYY
              ! (the next hop is another predefined address on the WAN subnet, cleared out for security)

                johnpoz (LAYER 8 Global Moderator) @jacklloyd, Sep 22, 2021, 1:56 PM (edited 1:57 PM)

                If your WAN connection is coming in on a VLAN, then yeah, you would set up the pfSense WAN to use that VLAN. But if this other /27 is on some other VLAN, then it's not actually routed; it is directly attached.

                Or sure, you can run the "LAN" side network on any VLAN you want to run through your switching infrastructure.

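As an added example (not from this thread and not pfSense's own generated ruleset, which pfSense writes to /tmp/rules.debug from the GUI configuration), here is the design johnpoz describes written out as a hand-edited pf.conf: pf stays enabled, there are no nat rules, the routed /27 lives on an OPT interface with any/any pass rules, and the GUI/SSH ports on the firewall's own addresses are reachable only from a separate admin LAN. The VLAN tags 100 and 800 are taken from the ISP's Cisco snippet above; the NIC names igb0/igb1/igb2, the WAN /29 and routed /27 prefixes (RFC 5737 documentation space) and the RFC 1918 admin network are assumptions chosen for the example.

```pf
# Added example: a pf.conf equivalent of the rules discussed in this thread.
# NOT pfSense's generated ruleset; in pfSense these rules are created in the
# GUI (Interfaces > Assignments > VLANs, Firewall > NAT > Outbound, Firewall > Rules).
# Interface names and all prefixes are assumptions for illustration.

# VLAN 100 on igb0 carries the ISP uplink, VLAN 800 on igb1 the routed /27
# (tags from the ISP's Cisco snippet); igb2 is the admin LAN, kept off the
# public networks as johnpoz suggests.
wan_if   = "igb0.100"
pub_if   = "igb1.800"
admin_if = "igb2"

wan_net    = "203.0.113.0/29"     # assumed /29 uplink (RFC 5737)
pub_net    = "198.51.100.0/27"    # assumed routed /27 (RFC 5737)
admin_net  = "192.168.10.0/24"    # assumed admin LAN (RFC 1918)
mgmt_ports = "{ 22, 443 }"

set skip on lo0
set block-policy drop

# No 'nat' rules at all: the /27 is publicly routed, so packets leave with
# their real source addresses. This is "NAT off" with pf still running,
# as opposed to "Disable all packet filtering", which would drop every rule below.

# Default deny, logged, so each allow is explicit.
block log all

# Drop obviously spoofed sources on every interface before anything passes.
antispoof log quick for { $wan_if, $pub_if, $admin_if }

# Management plane: only the admin LAN may reach the firewall's own addresses
# ('self') on the GUI and SSH ports. pfSense's anti-lockout rule on LAN does the
# same job; here it is written explicitly. WAN and the /27 are refused first,
# so the pass rules further down can never expose the GUI.
block in quick log on { $wan_if, $pub_if } proto tcp from any to self port $mgmt_ports
pass  in quick on $admin_if proto tcp from $admin_net to self port $mgmt_ports flags S/SA keep state

# Data plane: the "any any" routing rules from the thread, kept stateful so
# replies are matched to a state instead of needing mirror rules.
pass in quick on $pub_if from $pub_net to any keep state
pass in quick on $wan_if from any to $pub_net keep state

# Admin LAN may go out through this box as well. If it should be NATed behind
# the WAN address, that is the one place a nat rule would be added:
#   nat on $wan_if from $admin_net to any -> ($wan_if)
pass in quick on $admin_if from $admin_net to any keep state

# The firewall's own outbound traffic (DNS, NTP, package updates).
pass out quick on $wan_if from self to any keep state
```

The ordering matters: the `block ... to self port $mgmt_ports` rule on the WAN and /27 interfaces is `quick` and sits above the any/any pass rules, so a later "pass from any to the /27" cannot accidentally include the firewall's own /27 address on port 443. On pfSense the same ordering is expressed by placing the management block rule above the permissive rules on the OPT and WAN tabs, and by not disabling the anti-lockout rule on the LAN used for administration.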
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.