Block subnet without firewall

ihatenetgear

My searches have resulted in instructions to use the Firewall, but I think there is a better approach, like routes.

Should LAN (192.168.10.x/24) be able to ping/find OPT1 (192.168.20.x/24) and vice versa on a new install of 2.5.2-release?

• Yes: What is the best practice to stop each subnet from communicating?
• No: What could be causing my simple configuration to allow it?

The Firewall approach seems to work, but I see stuff in the logs that looks like something is still getting through, like:

X 192.168.20.3:35264 -> 192.168.10.33:631

I know that 631 is Internet Printing Protocol (IPP), but why is one subnet aware of the other to even try contacting?

My rules:

LAN:
Block IPv4+6 (Proto Any) LAN net -> OPT1 net (All ports)

OPT1:
Block IPv4+6 (Proto Any) OPT1 net -> LAN net (All ports)

Thanks!

johnpoz

@ihatenetgear said in Block subnet without firewall:

X 192.168.20.3:35264 -> 192.168.10.33:631

And what is the order of your rules on these interfaces.. Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.. Order of rules matter!

Is that block or allow in your firewall rules?

As to how - its a printer, if it had the printer setup with that IP, it would know about it - even if you changed its local IP on the device to be in another network. It would still know about the IP of the printer it used before, etc.

ihatenetgear

@johnpoz said in Block subnet without firewall:

And what is the order of your rules on these interfaces..

They are at the top. For LAN, the Anti-lockout rule is first, followed by the blocking rule LAN -> OPT1.

For OPT1, the first rule is to block the local GW port 80 so OPT1 can't manage pfSense, then followed by blocking rule OPT1 -> LAN.

Is that block or allow in your firewall rules?

The rules provided are blocking rules.

As to how - its a printer, if it had the printer setup with that IP, it would know about it - even if you changed its local IP on the device to be in another network. It would still know about the IP of the printer it used before, etc.

That's a good point, considering this is a new setup. The tricky thing is, the actual device that I gave in the example is an Amazon Echo trying to talk to a printer? Good grief... Not sure if the 192.168.10.33 address was the printer, as the address is no longer in use, but I'll keep an eye out.

So ultimately, per my original question, I think that you are implicitly telling me that the only way to stop LAN <-> OPT1 traffic is to use the Firewall?

johnpoz

@ihatenetgear said in Block subnet without firewall:

way to stop LAN <-> OPT1 traffic is to use the Firewall?

Well yeah.. How would you not route between interfaces pfsense is directly attached to.. If it didn't know about its own interfaces or have a route to know what network is on an interface.. How would anything from that network talk to it, or route the traffic you want to allow.

If you don't want device X on network A to talk to other networks - don't give it a gateway on that device. Now there is no way it can talk to anything other than its own local network.

As to an alexa device sending stuff to a printer? Hmm I have multiple alexa devices - have never thought to connect them to a printer ;)

ihatenetgear

@johnpoz said in Block subnet without firewall:

As to an alexa device sending stuff to a printer? Hmm I have multiple alexa devices - have never thought to connect them to a printer ;)

Me either, but potentially Amazon has interesting ideas to help with their market place...

https://www.reviewgeek.com/53296/alexa-invaded-my-printer-and-im-not-happy-about-it/

johnpoz

@ihatenetgear hmmm - interesting.. Thanks for sharing.

Glad my alexa's on their own subnet. Along with the iot devices they they should work with - like lightbulbs, etc.

And my printer is on a different vlan, and there is no way for alexa to even discover it - because I don't break L2 boundaries with anything like avahi, etc. ;)

If you want to printer - you either need to put in the IP and be on a vlan I allow to talk to the printer. Or you need to be on the same network as the printer to discover it via airprint - etc. Which my alexas sure and the hell are not on ;)

While I love them to control my lights, and talk to the grandkids via video on my show.. I hate some of the nonsense they put on the screen.. And STFU with the by the way, if I wanted to know how to do something - I would freaking ask you.. Do what I tell you and that is IT!! My wife thinks its funny when I yell at it to STFU!! when it offers up some nonsense I didn't freaking ask for ;)

I might be ok with some of the stuff it offers up on its own - if I was brand new to the thing.. But sure wish they would allow people turn off all the nonsense - make it 3 layers deep if you want.. But there should be a freaking way!

ihatenetgear

LOL - STFU, I haven't tried that approach! Thanks for the laugh.

johnpoz

@ihatenetgear even though it doesn't work for much - it makes me feel better ;) And someone or some AI is going through commands sent - and if they hear enough STFU from people maybe they will get the idea people don't like whatever that was ;)