How configure VLAN WAN/UI access rules?
-
I'm trying to setup a network with 2 ISPs, one backup mobile link and several VLANs using pfSense as the main router.
I'd like to:
- Allow users to choose which WAN they use by picking a Wi-Fi SSID (I'm assuming this is best done with VLANs)
- Allow users to access shared network resources (e.g. printers on one VLAN, servers on other VLANs) regardless of which SSID/WAN gateway being used (I'm again assuming this is best done with VLANs)
- Allow internet access from some VLANs (e.g. a VPN server on one VLAN), but not others (e.g. VLANs with printers or IoT devices that might have unwanted phone-home remote-access abilities)
For initial learning & testing I've added a NIC to an old machine to get 5 gigabit ports and installed pfSense. I plan to wire this as follows:
WAN LAN ---------------- ---- WANDSL (PPPoE) -- igb0 WANCABLE (DHCP) -- igb1 WANBACKUP (DHCP) -- igb2 igb3 -- VLAN 150,200-202 -- Switch re0 -- 192.168.100.0/24 -- PC (management LAN)
To start with I've just plugged in the WANDSL PPPoE link, exposed VLAN 150 on some downstream switch ports and confirmed hosts get DHCP assigned IP addresses from pfSense.
While hosts on VLAN 150 (192.168.150.0/24) can talk to each other (I assume just courtesy of the switch), there are a couple of things I can't figure out:
- Why can't hosts in VLAN 150 (192.168.150.0/24) access the internet? I've tried adding various firewall rules with WANDSL set as the gateway. I interpreted the documentation as saying I shouldn't set an IPv4 Upstream gateway for LAN (and so I assume VLAN) networks, so do I need to add a static route for this to work instead? if so what would this look like?
- Why can hosts in VLAN 150 (192.168.150.0/24) access the pfSense UI on 192.168.100.254? e.g.:
$ hostname -I 192.168.150.100 $ curl --insecure --silent --no-buffer https://192.168.100.254|head -7 <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="stylesheet" href="/vendor/bootstrap/css/bootstrap.min.css" type="text/css"> <link rel="stylesheet" href="/css/login.css?v=1622201721" type="text/css"> <title>pfSense - Login</title> $
I've tried several firewall rule variations to fix these 2 things but guess I'm missing something obvious.
If someone could please try to set me straight as to where I'm going wrong that would be much appreciated.
Here's my current config (I did wonder why the WANDSL interface is assigned my public IP address while the WANDSL gateway and Monitor IP have a different IP address; but after some reading suspect this is normal, i.e. outgoing WAN packets don't go via my public IP address):
-
@irk-0 said in How configure VLAN WAN/UI access rules?:
Why can't hosts in VLAN 150 (192.168.150.0/24) access the internet?
What you're doing here is called "policy routing" and means, that you allow anything passing out to the WANDSL gateway.
This might work though, when you configure your computer to use a public DNS server. But if you didn't any change in pfSense DHCP settings, it would provide its interface IP as DNS for the clients, but your rule doesn't allow it.If you want to policy route the traffic to ensure it is going out to a specific WAN gateway, then you have to add a rule above of this to allow internal access like DNS.
Why can hosts in VLAN 150 (192.168.150.0/24) access the pfSense UI on 192.168.100.254?
I cannot see any reason for this. It shouldn't be able with the only one policy routing rule.
Possibly it was an already opened connection before adding this rule. Consider you may have to delete states or wait till the connections time out.Also the rule you've added to WANDSL is useless.
Rules have to be added to the interface, where the traffic is coming into pfSense. -
Yeah I would not expect to be able to access 192.168.100.254 from VLAN 150 with those rules unless the WANDSL gateway was down. In that situation it will pass the traffic without the gateway set unless you have set 'Skip rules when gateway is down' in Sys > Adv > Misc.
You should not rely on policy routing rules to segregate internal subnets. Use reject rules to do that.
Steve
-
Thanks @viragomann, I've removed the useless WANDSL rule.
Thanks @stephenw10, I'll bear the reject rules point in mind (and revist the docs).
Having briefly "had" things working (pfSense's DNS has just stopped working, but that's a separate topic), here's my understanding of what was happening and what was needed to get things working:
I think the following rule is why VLAN 150 clients on 192.168.150.0/24 could access the pfSense GUI on 192.168.100.254 (i.e. TESTPOC Destination=* allows TESTPOC to go anywhere, including the MANAGEMENT LAN 192.168.100.254/24):
Well, that rule plus the fact the GUI is served on all LAN and even WAN interfaces.
For VLAN 150 internet access to work I had to make these changes to
Firewall->NAT->Outbound
(outbound NAT being mentioned in Troubleshooting Network Connectivity):I guess without this, VLAN 150 packets went out to the internet but could never get back.
I now have the following rules which seem to work:
For those new to pfSense, the greyed-out first row above is a disabled rule.
Curiously, the TESTPOC "Allow traffic to internet" rule doesn't seem to need the WANDSL gateway set, even though I've set
System->Routing->Gateways->Default gateway
toNone
for IPv4 and IPv6 (I'm wondering if I may need to add WANDSL gateway back when I get round to bringing the other 2 WAN links online though).This is probably a topic for another post, but I'm now having issues with pfSense's DNS Resolver, which I had working, but now isn't.
I had to add this entry to
Services->DNS Resolver->Access Lists
before VLAN 150 DNS client requests worked though (thanks @bingo600 for this post):Before adding the above the following was reported in the logs (after increasing
Services->DNS Resolver->Advanced Settings->Log Level
):I've got DNS working again from the pfSense diagnostic GUI (after adding 8.8.8.8 as DNS in
System->General Setup
), but VLAN clients still get "status: SERVFAIL" running e.g.dig @192.168.150.254 github.com
(dig @8.8.8.8 github.com
works fine).I may persevere a little to see if I can work out what the DNS Resolver issue is, but as I plan to run a separate DNS server anyway won't spend too long on that.
-
Hmm, a few interesting things there.
You should not have had to add an outbound NAT rule for that, the automatic rules should contain all the internal subnets the firewall knows about, locally attached or routed.
Unbound should have ACLs to allow access from all internal subnets.
Both those suggest pfSense either doesn't see 192.168.150.0/24 or it doesn't see it as an internal subnet. The latter seems more likely and could only be caused by having a gateway set on the interface itself which would cause it to be seen as a WAN.
With the original policy routing firewall rule in place I would not expect to have been able to reach 192.168.100.254 because, although destination 'any' includes it, the presence of the gateway should force the traffic out of the WAN.
Your new rule to allow traffic to !This_Firewall will prevent hosts on vlan 150 reaching the webgui on any IP but it will allow traffic to reach any other host in any other connected subnet. Which is probably not what you want.
Steve
-
Thanks @stephenw10, that's really helpful .
I added another VPN (151 / 192.168.151.0/24) to port
igb3
and can see that this was added to the automatic outbound NAT rules:Perhaps I was tinkering with the gateway options for VLAN 150 before and that somehow flagged it as a WAN interface.
I couldn't see anywhere in pfSense that told me it thinks VLAN 150 was a WAN link though (as far as I could tell it didn't have a gateway assigned). After deleting VLAN 150 and re-adding it, it too was included in the outbound NAT rules, which are now just:
The fact I've lost 2 rows in automatic rules for VLAN 150 backs up your "pfSense likely thinks VLAN 150 is a WAN" observation (and makes me realise I should have included the automatic rules in my earlier post... sorry about that).
Once I get all the WAN and VLAN connectivity working I'll endeavour to adopt a better/default-deny strategy to address the
!This_Firewall
issue you pointed out.I have a feeling my tempermental DNS may be related to this issue so I'm giving up on using pfSense's version of unbound for now and will endeavour to set up a seperate DNS server instead.
-
Yup, that fact it was adding outbound rules for TestPoc as a WAN confirms that. It must have had a gateway assigned at least at some point. I've no idea how it would still be using that if it wasn't shown on the interface config though.
I use Unbound everywhere and have never seen that issue. I guess it's possible.
If it was seeing TestPoc as a WAN though Unbound would be blocking queries from it by default.Steve
-
Things make a bit more sense after some restarts "seemed" to break things even more.
The DNS Resolver seems to be working again now I've added a default IPv4 gateway back in
System->Routing->Gateways
.I'd set both the IPv4 and IPv6 default gateways to
None
thinking it would be best to explicity define the gateway to use in this multi-wan setup. This mean't I had to specify the WANDSL gateway for VLAN 150, i.e. I had to use this rule (instead of the old disabled rule that I think worked courtesy of having a default gateway set):But having no default route also meant the GUI's
Diagnostics->Ping
utility couldn't even ping 1.1.1.1 or 8.8.8.8; so there was no wayDiagnostics->DNS Lookup
was going to work either (orunbound
).Which leaves me wondering if it's possible to get
unbound
to work without having a default gateway set. That may be a question for another post... -
You can set the outbound interface(s) for Unbound to use as source IP. In that case it should hit the 'route-to' for that interface and be sent to the gateway on it.
Steve
-
You can set the outbound interface(s) for Unbound to use as source IP
Thanks @stephenw10, I did try that but couldn't get it to work when no default gateway is set.
I set default gateways to None and the following DNS Resolver options:
Then rebooted pfSense and client
dig
requests just getstatus: SERVFAIL
responses.In this state pfSense's IPv4 routing table is:
Once the default IPv4 gateway is set to Automatic, client
dig
requests start working again; the routing table in this case being:I've since found this post which claims:
"The outgoing interfaces option in Unbound is just an interface by interface on/off switch whether to use the interface at all for outgoing traffic, it doesn't allow any redirection of DNS queries, they will still follow the system routing table"
It seems unbound is only able to work when a default gateway is set. Which currently seems odd to me; I guess I have some more reading to do to understand how this could work in my (concurrent, rather than failover) multi WAN setup.
-
Yes, the outbound interface only sets the source IP that is used. But if that is a WAN the outbound firewall rule will look something like:
pass out route-to ( em0 172.21.16.1 ) from 172.21.16.22 to !172.21.16.0/24 ridentifier 1000002761 keep state allow-opts label "let out anything from firewall host itself"
So traffic using it should routed via the gateway.
However PPPoE can be a special case here because the gateway in use is often not in the WAN subnet. It doesn't have to be in a point-to-point connection. It's still in your routing table on the link though....
Steve
-
OK, thanks @stephenw10, I see one can view those rules with
pfctl
so will look for similar entries on my box.Should anyone else attempting to lock a VLAN to a single WAN interface wind up reading this, it turns out setting the default gateways to none wasn't the only way to do this (setting no gateways having the downside of stopping pfSense services such as DNS from working).
It turns out there's a "Skip Rules When Gateway is Down" option that I had to set under
System->Advanced->Miscellaneous
:Until I set the above option the gateway I explicity set for the VLAN was being removed if it was down, meaning pfSense's default gateway was used instead (which being a gateway group with all WAN interfaces, meant traffic found a path out).
That seems an odd default thing to do to me; I'd expected the default to be no connectivity. If one wants failover to another gateway it may be clearer to explicitly say so by assigning a gateway group that includes the specific failover interface(s) required.
-
Yes, when I referenced that initially I suspected that might be the case. It's one reason why you should not rely on policy routing to block traffic. Use block or deny rules above it to prevent access via any gateway. But setting that will remove the rule entirely as you found.
It defaults to that because in most cases policy routing is used for failover or load-balancing and it's preferable to have connections succeed.You can also see the ruleset pf loads in /tmp/rules.debug.
Steve
-
Eek. You did indeed mention the skip rules thing before! Sorry. I guess the significance of that statement didn't register with me at the time. Doh .
At one point in my journey I did try using reject rules to block the other gateways, but it seemed to me that the "default gateway" was treated as a special case and couldn't be blocked. It's entirely possible that I had things half-baked at the time though. Perhaps I will find time to revisit that approach at some point.
Is setting "skip rules when gateway is down" considered a bad practice, or something that should be avoided?
If there's a good reason to not use it I can revert to the default setting, but I'd prefer to take the approach of "block everything" and "only allow what one wants" that the "skip rules..." option seems to give.
For example, to allow VLAN 151 to access VLAN 150, but not VLAN 150 to access VLAN 151, with both having internet and DNS access, it appears I can just do the following (without having to explicitly block anything, which might be a pain should more VLANs be added later):
-
Yes, that should work. However generally considered best practice would be something like this:
If the 'pass-all' rule were to change to something without a gateway it would not then allow local traffic.
Steve
-
Thanks @stephenw10, the rule screenshot's really helpful.
I was able to get that rule set working (as long as the "skip rules..." option was selected).