Netgate 2100 and any any rules questions
-
Thanks for the information!!
-
Updated Rules With Negated Subnets with Logs on blocks
Aliases for Xboxs 192.168.20.1/24 network
Lan subnet 192.168.1.1/24
Mail Aliases with DNS use
Mail Aliases with DNS use updates automagically
-
@jonathanlee huh?
If your xbox group has IPs that part of the lan.. A lan device talking to them wouldn't talk to pfsense to talk to the xbox IP.. So those rules are meaningless in preventing lan net from talking to a group of IPs on the lan.
If xbox is a different vlan, then these rules make no sense on the lan
Because those IPs would never be source of traffic into the lan interface..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
Mmm, indeed the xbox group is not separated from the LAN subnet.
-
@johnpoz Yes they are on a different network same subnet 255.255.255.0. However 192.168.20.0/24 for the game systems the LAN side is on 192.168.1.0/24 for desktops. They do work and it shows traffic for both rules. They can not talk with the lan devices also as it is a different network. The DHCP only issues Ip addresses in 192.168.1.1/24 network with a pool of 192.168.1.1-192.168.1.4 so all the devices are auto assigned in 192.168.1.1 network. The XBOX systems are static and set as 192.168.20.10 within 192.168.20.0 network 192.168.20.1/24 and 192.168.1.1 are different networks cider of /24 will not pass traffic from 192.168.1.1 to 192.168.20.1 so I can make custom rules. This block of IP address is works it has access and is assigned to the game systems. Different networks 192.168.1.1 and 192.168.20.1 same subnet 255.255.255.0 the 3rd octet is all ones on both networks.
-
They can get out 443 but "not talk to each other." Yes both can access port 443. My goal was "no tunnels with that port" from one to another so negated reverse rules.
You can see traffic when they run but nothing when they are off.
-
@jonathanlee your running multiple layer 3 on the same layer 2..
You do you dude - I don't help people bork up stuff.. That is just borked.
Where in NIST does it say you should do that ;) Your not actually isolating anything..
Its like telling your kids to stop talking to each other in the same room ;) If they want to talk to each other they can.. Only thing stopping them is you told them not too..
-
Thanks I fixed it I forgot the source side of things I made a new group with just Lan hosts and inverted the match.
-
I see subnetting like creating cubicles. As long as you have them your good, however yes if I just had LAN everything that is bad. Thanks for pointing that out. No Any Any rules.
